A fresh wave of infected emails is swirling around the globe, carrying a nasty ransomware payload.
ESET is warning of an increased number of infected emails containing a malicious attachment, which downloads and installs ransomware onto an infected device. ESET telemetry detects this malicious downloader as JS/TrojanDownloader.Nemucod and records its unusually high incidence in Europe, North America (especially Canada), Australia and Japan.
Japan is the hardest hit with a 75% prevalence level.
The wide-spread infected emails contain attached zipped files that contain a JavaScript file that, when opened, downloads and installs Nemucod to the victim PC.
“Emails are written in a very trustworthy way, claiming to be invoices, notices of appearance in court or other official documents,” researchers noted in a blog. “Attackers are just trying to get users to open the malicious attachment.”
The end payload in this case is a crypto-bug, such as TeslaCrypt and Locky: When opened, it encrypts victims‘ files on their PCs and requires a ransom for decryption. Both TeslaCrypt and Locky use encryption standards similar to those used by financial institutions when securing online payments.
"Ransomware is one of the most active trends in cyber-criminal world, as it has a direct and profitable commercialization model—in some cases, without any significant costs, as most victims have a pretty insecure IT environment," InfoArmor chief intelligence officer Andrew Komarov told Infosecurity.
He added that there are some new movements in the ransomware area identified at the beginning of 2016. For example, the bad actors started to use ransomware-as-a-service (RaaS) approach, working with each other, like with affiliates, distributing malware, and receiving 50% of ransom payments.
"Such approach may restructure the current ransomware market and create a large, new number of underground affiliate programs, increasing the number of new infections," he said.
It should be noted that the downloader is also known for downloading a diversity of other malware available in-the-wild too.
Users can protect themselves from the threat by simply not opening attachments sent in emails from unknown senders. People reading this should also warn colleagues who most frequently receive emails from external sources—for instance financial departments or human resources.
Users can also regularly backup their data, so, in case of infection, this will help recover all data without paying the ransom. But, an external disc or other storage should not remain connected to a computer in order to avoid infection by filecoder. And of course, they should regularly install updates of the OS and other software.
Photo © Nicescene