Malspam campaign spreading three varieties of ransomware

After a two-month drop in incident volume, the Sigma ransomware is spreading again through an email campaign that purports to come from a job seeker and pushes an infected Microsoft Word resume.

That’s the conclusion of security researcher Brad Duncan, who writes regularly on the SANS Institute’s Infosec Handler’s Diary Blog. The sending addresses, subject lines, email headers and message text are varied, but the Word document attachment is consistently named “ resume.doc” (in some cases with a capital R), with a space before the first letter. It’s part of a campaign using the same method that is also spreading the GlobeImposter and GandCrab ransomware.

As early as Friday of last week, Duncan reports, this campaign started using password-protected Word documents. The email message tells the recipient something like “the attached file is password protected to protect against identity theft,” and gives the password “resume.” Opening the document prompts the user to enter the password, followed by a request to enable macros. Those macros cause the computer to retrieve a malware binary over HTTP on TCP port 80.

The malware then encrypts the victim’s hard drive.

In the case of Sigma ransomware Duncan found, the ransom demanded for a decryption key is $400 in bitcoin. The price one researcher found in November was $1,000.

The resume campaign Duncan found differs from the Sigma campaign discovered last November by other researchers. The email message in that effort was a threat that the recipient was about to be charged a certain amount of money on their Mastercard or Visa if they didn’t open the attached — and password-protected — file.

“As always, properly-administered Windows hosts are not likely to get infected,” writes Duncan. To infect their computers, users would have to bypass Protected View and ignore security warnings about activating macros on a Word document. System administrators and the technically inclined can also implement best practices like Microsoft’s Software Restriction Policies (SRP) or AppLocker to prevent these types of infections.
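The two indicators the article gives a mail administrator to work with are the attachment name (“resume.doc” with a leading space and a variable-case first letter) and the lure text about a password-protected file. The leading space is easy to miss: many mail clients render it invisibly, and an exact-match rule on the string "resume.doc" never fires. The following is an added example, not code from Duncan’s write-up or from IT World Canada, showing how a gateway-side triage script could score messages on both signals. The record format (a message id, the untrimmed attachment filenames, and the body text), the scoring weights and the threshold are all assumptions made for the example; the sample messages are constructed, not captured from the campaign.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample records in a hypothetical gateway format. Attachment names
# are kept exactly as they appear in the MIME part (no whitespace trimming),
# because the leading space is the indicator we want to preserve.
SAMPLE_MESSAGES: List[Dict] = [
    {"id": "msg-1", "attachments": [" resume.doc"],
     "body": "Please find my resume attached. The file is password protected "
             "to protect against identity theft. Password: resume"},
    {"id": "msg-2", "attachments": [" Resume.doc"],
     "body": "Attached is my CV for the open position."},
    {"id": "msg-3", "attachments": ["resume.doc"],
     "body": "Hi, my resume is attached, thanks for your time."},
    {"id": "msg-4", "attachments": ["Q3_report.xlsx"],
     "body": "Quarterly figures attached as discussed."},
]

# Filename indicator from the article: one or more leading whitespace characters
# (\s also covers non-breaking space) followed by resume.doc in any letter case.
LEADING_WS_RESUME = re.compile(r"^\s+resume\.doc$", re.IGNORECASE)

# Lure text from the article: a "password protected ... identity theft" excuse,
# or the password itself being handed over in the body.
PASSWORD_LURE = re.compile(
    r"password[- ]protected|identity theft|password[:\s]+['\"]?resume\b",
    re.IGNORECASE,
)


@dataclass
class Verdict:
    message_id: str
    score: int = 0
    reasons: List[str] = field(default_factory=list)


def score_message(msg: Dict) -> Verdict:
    """Score one gateway record; weights are assumptions for this example."""
    verdict = Verdict(msg["id"])
    for name in msg["attachments"]:
        if LEADING_WS_RESUME.match(name):
            # Strong signal: the leading-space filename the campaign reuses.
            verdict.score += 3
            verdict.reasons.append(f"attachment {name!r}: leading whitespace + resume.doc")
        elif name.strip().lower() == "resume.doc":
            # Weak signal on its own: plenty of legitimate resumes are .doc files.
            verdict.score += 1
            verdict.reasons.append(f"attachment {name!r}: legacy .doc resume")
    if PASSWORD_LURE.search(msg["body"]):
        verdict.score += 2
        verdict.reasons.append("body carries password-protection lure text")
    return verdict


def triage(messages: List[Dict], threshold: int = 3) -> List[Verdict]:
    """Return the verdicts at or above the threshold, for quarantine or review."""
    flagged = []
    for msg in messages:
        verdict = score_message(msg)
        if verdict.score >= threshold:
            flagged.append(verdict)
    return flagged


if __name__ == "__main__":
    for v in triage(SAMPLE_MESSAGES):
        print(v.message_id, v.score, "; ".join(v.reasons))
```

With the assumed weights, the leading-space filename alone reaches the threshold (msg-2), the filename plus lure text scores highest (msg-1), and an ordinary “resume.doc” with no lure (msg-3) is only noted, not flagged, which keeps the rule from quarantining every genuine job application. A password-protected document cannot be opened by the gateway’s own scanner, so a filename-and-lure heuristic like this is one of the few checks available before the message reaches a user.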


Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
