Infamous ransomware Cryptowall has made a comeback, according to a recent Bitdefender discovery. This time, the ransomware spreads through mass spam emails that contain malicious .chm attachments that execute malware upon opening.
Another advanced Cryptolocker variant
Cryptowall is another variant of Cryptolocker, a widespread ransomware that is known for disguising malware in non-threatening applications or files. Cryptolocker claimed many victims and several copycats and variants have been discovered since its discovery in late 2013, including this one. Like all file encrypting ransomware (also known as crypto malware) the goal of the attacker is to encrypt important files on the victim’s system in order to compel them to pay a ransom in return for their files.
In the case of Cryptowall, users received spam emails titled as “Incoming Fax Report” containing a .chm file attachment. Upon opening the .chm file, users were greeted with this notice. Harmless as this help file looks, it is anything but. While the user is staring at the innocent looking help file, a malicious code downloads Cryptowall in the background from a remote server. Once executed, the ransomware takes over and encrypts the files of the user before demanding a ransom. Because several email clients detect and block executable malware, and users are more aware of what to look out for, cyber criminals are looking at new extensions to spread their malware through email.
Less fashionable, yet highly effective trick
Emsisoft detects the threat as Trojan.GenericKD.217093. According to our partner Bitdefender:
Due to the nature of the fake emails, it is expected that the attackers were targeting corporate users. The emails were sent to mailboxes in Europe, Australia and the U.S. Although the scale of this attack is not that massive, it is very revealing as to how malware is evolving to evade security.
Have a nice (ransomware-free) day!