New PowerShell ransomware pretending to be email bounce


Bugbatter
« on: July 10, 2017, 06:08:09 AM »
New PowerShell ransomware coming in malspam emails pretending to be email bounce messages

We were notified of a new ransomware version last night. This new version comes as an email attachment which is a zip inside a zip before extracting to a .js file in a fake Delivery Status Notification, failed to deliver email bounce message. The .js file in the email attachment is a PowerShell script and there are no other files involved. Nothing new is downloaded. When the files are encrypted they DO NOT change file name or extensions and appear “normal” to the victim until you try to open them. This is the same behaviour we have been seeing with the recent UPS failed to deliver nemucod ransomware versions.

The email looks like:

From: Mail Delivery Subsystem <>

Date: Sun 09/07/2017 09:25

Subject: Delivery Status Notification <[redacted] >


Microsoft MVP Consumer Security 2006-2016
Microsoft Windows Insider MVP 2016-
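
The delivery chain described in the post (a zip inside a zip that unpacks to a .js file) can be checked for at a mail gateway. The following is an added example, not part of the original post: the extension list, size and depth limits, function names and sample archives are assumptions constructed for illustration.

```python
import io
import zipfile

# Script types that run on double-click under Windows. Assumed list for this
# example; the post itself only mentions .js.
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")
MAX_DEPTH = 3                         # do not recurse into archives deeper than this
MAX_MEMBER_BYTES = 10 * 1024 * 1024   # skip members declaring a huge size (zip bomb guard)


def find_nested_scripts(data, depth=0, path=""):
    """Return (depth, path) tuples, e.g. (1, 'inner.zip!x.js'), for script members.

    depth 0 means the script sits directly in the attachment; depth 1 means it
    sits in a zip that is itself inside the attachment, and so on.
    """
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a zip (or corrupt): nothing to report
    with zf:
        for info in zf.infolist():
            full = f"{path}!{info.filename}" if path else info.filename
            lower = info.filename.lower()
            if lower.endswith(SCRIPT_EXTS):
                hits.append((depth, full))
            elif (lower.endswith(".zip") and depth < MAX_DEPTH
                  and info.file_size <= MAX_MEMBER_BYTES):
                hits.extend(find_nested_scripts(zf.read(info), depth + 1, full))
    return hits


def should_quarantine(attachment_bytes):
    """Flag the pattern from the post: a script inside a zip inside a zip."""
    return any(depth >= 1 for depth, _ in find_nested_scripts(attachment_bytes))


def _make_zip(members):
    """Build an in-memory zip from {name: bytes}; used only for the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples with harmless placeholder content.
INNER = _make_zip({"notice.js": b"// placeholder"})
NESTED_SAMPLE = _make_zip({"inner.zip": INNER})
BENIGN_SAMPLE = _make_zip({"report.txt": b"hello"})
```

The size guard relies on the size declared in the archive header, so a production filter should also cap the bytes actually decompressed.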