'Resume' Spam Used to Spread CryptoWall 3.0 Ransomware

Hello, my name is XXXXX. Resume attached. I look forward to seeing you. Sincerely yours, XXXXX

With a short, simple message sent via email, a curious recipient could be lured to look into and access an attachment that was designed to look like a resume. And with one click of a download button, the recipient's system can be infected with ransomware. The method used may be simple, but the effect could be crippling.

A new spam run was recently spotted involving a ransomware-carrying attachment. The scheme invites the recipient to download and view the sender’s resume (my_resume_pdf_id_1422-7311.scr), which leads to the execution of a malicious file. Once downloaded and executed, the affected system is locked down and displays a message that notifies the victim that the files are encrypted with RSA-2048 using CryptoWall 3.0. Ultimately, this means that the documents and data stored in the system can no longer be accessed unless the victim pays the cybercriminal.

CryptoWall 3.0

Crypto-ransomware, widely-publicized as the more lethal descendant of ransomware, possesses advanced encrypting capabilities that make files unusable unless a ransom is paid. Last year, a crypto-ransomware variant, CryptoWall, made noise as the final payload of spammed messages that directly opens a Tor website used to extort money from its victim.

CryptoWall 3.0 is another evolved variant that uses hardcoded URLs that are heavily obfuscated to evade detection. This buys the malware more time to communicate to a C&C server and acquire the RSA public key needed to carry out its file encryption tactics. The C&C server is different from its payment page, which still uses Tor, to ensure that such transactions will continue running without interference from the authorities. CryptoWall 3.0 also employs “smarter” measures of deleting the target system’s shadow copies to prevent attempts of restoring files to its previous state—leaving a victim without any other option but to pay up.1

Old Tricks, New Victims

The region of Australia/ New Zealand is the most affected by this ransomware variant, with over 50% of the detected CryptoWall 3.0 infections.

Fear is a powerful thing. In today’s world, one’s digital assets are as important as his actual belongings. Is there a more convenient way to squeeze money from unsuspecting online users than monetizing their fear of losing the data and files they hold dear? Ransomware, with its growing number of variants and evolving techniques, has had its fair share of cyber-bullying and fear-mongering schemes to do this. Almost over a decade after it first surfaced, ransomware attacks have continued to make a killing among online users with its improved ways.

The newest incidents involving CryptoWall 3.0 managed to infiltrate user systems through poisoned spam messages. According to the data from Trend Micro Smart Protection through March of 2015, the region of Australia/ New Zealand is the most affected by this ransomware variant, with over 50% of the detected CryptoWall 3.0 infections. This is followed by North America at 24.18% and Europe with 14.27%.

What you can do

The use and timing of resumes as a lure could mean that online attackers have been leveraging the graduation season to spread Cryptowall 3.0, likely aiming for companies looking for candidates for employment. But this does not preclude the idea of private individuals falling victim into this cybercriminal trick. Social-engineering is a common method used to lure users into downloading and executing a malicious file into his system.

Ultimately, user awareness is still the best defense against ransomware. Avoiding malicious files and links2 can greatly reduce the risk of infection, and regularly backing up files remains an effective way to prevent total disaster when infected. Investing in a reliable security solution is also a plus. Trend Micro Smart Protection Network blocks malicious URLs involved in this recent ransomware report. Trend Micro also offers a free Ransomware removal tool that can be used to resolve an infection.

Visit the Ransomware library for more news and information on this type of threat. 


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.