
SECURITY ALERT: New CryptoWall Scam uses Zipped Resume and Compromised Websites

Example of malicious spam from InfoSec Community Forum on isc.sans.edu

Hiring?  If you’re looking at resumes, beware of this newest CryptoWall scam!  The attacker sends a zip file “resume” attachment which infects your computer with malware that encrypts your files.  There has been an increase in this type of malicious spam since the end of May.

What is CryptoWall 3.0?

CryptoWall is one of several ransomware malware variants which encrypts your computer files.  Ransomware restricts access to the computer system – in this case by encrypting it – and demands that a ransom be paid to the attacker to regain access – in this case by providing the decryption keys.  This is the third version of CryptoWall, thus dubbed CryptoWall 3.0.  Ransomware evolves, with each variant incorporating different functionality to try to complete its attack.  CryptoWall 2.0 was able to switch between 32 and 64 bit operation, employed multiple exploits, and had code to prevent it from running in a virtual environment.  CryptoWall 3.0 does not contain any exploits, and instead focuses on using exploit kits as an attack vector to gain privilege escalation on the system.

How do you get infected?

The user receives an email from a Yahoo email address with an attachment titled “my_resume.zip.”  To open the “resume,” the user downloads the zip file and double-clicks on the extracted file.  In the first week of this campaign, the extracted materials were HTML files named “my_resume.svg.”  In the second week of this campaign, the extracted materials used random numbers in the names of the HTML files, with names like “resume4210.html” and “resume9647.html.”  The CryptoWall malware is hosted on various docs.google.com URLs.  When the user double-clicks the extracted file to open it, that action actually executes the malware, causing the user’s browser to generate traffic to a compromised server.  The compromised web pages have had malicious code injected into them.

There is a second way in which to be infected with this malware which does not involve user action.  However, if your computer is in a well-run enterprise environment and your system is updated with the most recent security patches, the exploit will fail and your computer won’t be infected.

What happens if you are infected with CryptoWall?

If your computer is infected, you’ll see a warning that your files are encrypted, along with instructions to buy the CryptoWall decrypter with bitcoins.  (If your computer is on a network, the whole network can be encrypted.)  The instructions say that if payment of $700 is not made before a specific date and time, the cost of decrypting the files will double.  Payment must be made with bitcoins, and instructions are provided for registering a Bitcoin wallet, purchasing Bitcoins, and sending the Bitcoin payment.

How do you protect your computer from CryptoWall 3.0?

Blocking any link in the chain of attack will prevent your computer system from being infected with malware.  Knowing how to recognize a phishing scam and not falling for the initial phishing email is the best way to prevent your system from being compromised by CryptoWall 3.0.  Many forms of malware infect your systems through user error.  CryptoWall 3.0 is delivered via email when the user downloads the attached file with a .zip extension and clicks to open the file – a big error!  Never open a .zip file from an unknown sender.  Opening a file with a .zip or .exe extension can cause changes to your computer.  Firewalls as well as spam and virus filtering solutions are also important.  Blocking network connections to known malicious content and stopping malicious process activity are other ways to break the chain.
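As an added illustration of the mail-filtering step (example code written for this post, not Big Idea Technology’s or any vendor’s product), the check below opens zip attachments in a raw email and flags inner files that match the naming seen in this campaign (my_resume.svg, resumeNNNN.html) or that are any other script-bearing file type; the message it scans is a constructed sample, not a real capture, and the file-type list is an assumption.

```python
import email
import io
import os
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Inner-file names seen in the campaign: my_resume.svg, resume4210.html, resume9647.html
RESUME_LURE = re.compile(r"^(my_)?resume\d*\.(html?|svg)$", re.IGNORECASE)
# Assumed list of extensions that run or render script when double-clicked out of an archive
ACTIVE_EXT = {".html", ".htm", ".svg", ".js", ".exe", ".scr"}

def inspect_zip(data: bytes) -> list:
    """Return (inner_name, reason) for every suspicious member of a zip blob."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = os.path.basename(info.filename)
            ext = os.path.splitext(name)[1].lower()
            if RESUME_LURE.match(name):
                findings.append((name, "resume lure carrying active content"))
            elif ext in ACTIVE_EXT:
                findings.append((name, f"active content ({ext}) inside archive"))
    return findings

def scan_message(raw: bytes) -> list:
    """Scan a raw RFC 822 message; return (attachment, inner_name, reason) triples."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        # Treat it as an archive if either the name or the magic bytes say so
        if fname.lower().endswith(".zip") or payload.startswith(b"PK\x03\x04"):
            try:
                results += [(fname, n, why) for n, why in inspect_zip(payload)]
            except zipfile.BadZipFile:
                results.append((fname, "", "malformed zip attachment"))
    return results

def build_sample(inner_name: str) -> bytes:
    """Constructed message (not a real sample): a resume zip holding one inner file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, "<html><script>/* constructed placeholder */</script></html>")
    msg = EmailMessage()
    msg.set_content("Please find my resume attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="my_resume.zip")
    return msg.as_bytes()
```

A gateway would quarantine any message for which scan_message returns a non-empty list; a plain document inside the zip (for example resume.docx) produces no finding.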

If, however, your computer is infected, you can avoid paying the ransom if you have a solid backup and restore procedure so that your files can be restored from the backup.  Of course, your backup plan must follow industry best practices to prevent the backup from also being encrypted.  Big Idea Technology can guide your business in putting these protections in place.