Ransomware Strikes Scandinavians Again, and This Time It Is Undetectable
A new ransomware campaign targeting Scandinavians has emerged, barely a week after the previous campaign that spoofed an official email correspondence from the local post office to deliver malware to unsuspecting PC users, reports Heimdal Security.
The complete details of the discovery of the ransomware can be found here.
The newly discovered ransomware is sent out to users in a spam email that contains a Word document as an attachment. Researchers at Heimdal Security found that the Word document contains ‘macros,’ which, if activated when an oblivious user opens the Word file, will immediately download and initiate the ransomware.
At the time of reporting, the new ransomware campaign has completely avoided detection by multiple anti-malware vendors on VirusTotal.
In the spam email, the attached Word document appears as Scet_9462201788.docx.
The ransomware also sets itself to run after the computer reboots, through a value set under the Run key in the current user's registry hive.
The full value is:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Client Server Runtime Subsystem" = "C:\Documents and Settings\[%All Users%]\Application Data\Windows\csrss.exe"
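A defender can check for this persistence pattern by flagging Run values that point at a Windows system process name stored outside the system directory. The following is an added example, not code from Heimdal Security or the original article; it generalizes from csrss.exe to a few other system process names, and the sample entries, the "All Users" folder name and the default C:\Windows root are assumptions.

```python
import ntpath
import re
import sys

# Windows system process names; csrss.exe is the one named in the article,
# the others are added here as an assumption about what is worth watching.
SYSTEM_NAMES = {"csrss.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "smss.exe"}

SAMPLE = [  # constructed entries; the first mirrors the value reported above
    ("Client Server Runtime Subsystem",
     r"C:\Documents and Settings\All Users\Application Data\Windows\csrss.exe"),
    ("OneDrive", r'"C:\Users\anna\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Constructed benign", r"%SystemRoot%\System32\svchost.exe -k netsvcs"),
]

def image_path(command):
    """Extract the executable path from a Run value, quoted or unquoted."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(?i)(.+?\.exe)\b", command)  # unquoted paths may contain spaces
    return m.group(1) if m else command.split(" ", 1)[0]

def suspicious_run_entries(entries, system_root=r"C:\Windows"):
    """Return (value name, path) for system process names outside System32/SysWOW64."""
    root = ntpath.normcase(system_root)
    trusted = {ntpath.join(root, "system32"), ntpath.join(root, "syswow64")}
    hits = []
    for name, command in entries:
        path = ntpath.normcase(ntpath.normpath(image_path(command)))
        path = path.replace("%systemroot%", root)  # expand the common variable
        folder, exe = ntpath.split(path)
        if exe in SYSTEM_NAMES and folder not in trusted:
            hits.append((name, path))
    return hits

def read_hkcu_run():
    """Read the current user's Run values (winreg exists only on Windows)."""
    import winreg
    key_path = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
        count = winreg.QueryInfoKey(key)[1]  # number of values under the key
        return [(n, str(d)) for n, d, _ in (winreg.EnumValue(key, i) for i in range(count))]

if __name__ == "__main__":
    entries = read_hkcu_run() if sys.platform == "win32" else SAMPLE
    for name, path in suspicious_run_entries(entries):
        print(f"SUSPICIOUS Run value {name!r} -> {path}")
```

On Windows the script reads the live HKCU Run key; elsewhere it falls back to the constructed sample entries.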
As it encrypts every data file on the targeted PC’s hard disk and those stored on the network drive, the infection adds the extension “.breaking_bad” (a possible reference to the popular TV show), before confronting the victim with the ransom demand.
Victims will have to communicate with two different Gmail accounts and pay the ransom before regaining access to their data by decrypting the files.
Heimdal Security recommends that users update their browsers to the currently available versions and run Windows updates regularly, as general practices to avoid falling into traps set by spam campaigns.