Federal Tax Email Leads To Ransomware

 Analysis by: Lala Manly

We observed a spike in spammed messages with a Federal tax theme spreading in the wild. The message purports to come from IRS.gov and bears the subject "Your Fed Tax Payment {ID} Was Rejected." It carries a .ZIP file attachment that supposedly contains the Federal tax notification; in reality the archive holds a ransomware variant, which Trend Micro detects as TROJ_CRYPWALL.H.
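The lure above can be triaged mechanically at the mail gateway: a tax-payment-rejected subject, a sender claiming to be IRS.gov, and a .ZIP attachment whose members are executable (by extension, including double extensions such as notice.pdf.exe, or by an MZ header). The following is an added example, not Trend Micro's tooling or anything from the original analysis; the sample message, the sender address, the subject ID and the archive member name are constructed here, and the archive holds only a two-byte MZ stub, not real malware.

```python
"""Triage a raw e-mail for the tax-rejection ransomware lure.
Example code added to this page; the sample message is constructed inline.
Attachment contents are inspected in memory only and never written to disk."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Subject pattern from the campaign: "Your Fed Tax Payment {ID} Was Rejected"
SUBJECT_RE = re.compile(r"your fed(?:eral)? tax payment\b.*?\bwas rejected", re.I)
# Extensions that should never arrive inside a "tax notification" archive
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")


def zip_executables(data: bytes) -> list[str]:
    """Return archive members that look executable, by extension or by MZ header."""
    found = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                name = info.filename
                # endswith() on the tail catches double extensions like "notice.pdf.exe"
                if name.lower().endswith(EXEC_EXT):
                    found.append(name)
                    continue
                with zf.open(info) as fh:
                    if fh.read(2) == b"MZ":  # PE image regardless of extension
                        found.append(name)
    except zipfile.BadZipFile:
        pass  # not a zip at all; leave it to other checks
    return found


def triage(raw: bytes) -> dict:
    """Score one raw RFC 5322 message; returns verdict plus the reasons behind it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = msg.get("Subject", "")
    reasons = []
    if SUBJECT_RE.search(subject):
        reasons.append("subject matches tax-rejection lure")
    if "irs.gov" in msg.get("From", "").lower():
        reasons.append("claims to be sent from IRS.gov")
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        # Check the magic too, so renaming the archive does not evade the rule
        if fname.lower().endswith(".zip") or payload.startswith(b"PK\x03\x04"):
            execs = zip_executables(payload)
            if execs:
                reasons.append(f"zip attachment {fname!r} contains executable: {execs}")
            else:
                reasons.append(f"zip attachment {fname!r}")
    has_exec = any("executable" in r for r in reasons)
    if has_exec and len(reasons) >= 2:
        verdict = "quarantine"
    elif reasons:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"subject": subject, "verdict": verdict, "reasons": reasons}


def build_sample() -> bytes:
    """Constructed message imitating the lure (hypothetical sender, ID and file names)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Fake PE stub: MZ header plus filler, no real code
        zf.writestr("FedTax_Notification.pdf.exe", b"MZ" + b"\x00" * 62)
    msg = EmailMessage()
    msg["From"] = "IRS <no-reply@irs.gov>"  # spoofed, as in the campaign
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Your Fed Tax Payment ID 62734 Was Rejected"
    msg.set_content("Your federal tax payment was rejected. See the attached notification.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="FedTax_Notification.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample()))
```

The rule deliberately requires more than one indicator before quarantining: a lone .zip attachment or a subject match on its own only marks the message suspicious, which keeps legitimate archives from being dropped while still stopping the combination this campaign relies on.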

When executed, TROJ_CRYPWALL.H drops files that include DECRYPT_INSTRUCTION.TXT, DECRYPT_INSTRUCTION.HTML, and DECRYPT_INSTRUCTION.URL. Like other ransomware variants, this Cryptowall variant displays a page telling users how to decrypt their files by paying a sum of money. It also gathers system information and connects to malicious websites to send and receive data, further compromising the security of the infected system.

Figure 1. Screenshot of the ransom note

Users are advised to be cautious when opening email messages that appear to come from a legitimate source. Note that official IRS emails will not ask users to click on links, much less download email attachments.

  • ENGINE:7.5
  • PATTERN:0774