SpywareHammer.com

SpywareHammer General Issues Forums => Current News => Topic started by: Bugbatter on July 10, 2017, 06:08:09 AM

Title: New PowerShell ransomware pretending to be email bounce
Post by: Bugbatter on July 10, 2017, 06:08:09 AM
New PowerShell ransomware coming in malspam emails pretending to be email bounce messages

We were notified of a new ransomware version last night. This new version comes as an email attachment which is a zip inside a zip before extracting to a .js file in a fake Delivery Status Notification, failed to deliver email bounce message. The .js file in the email attachment is a PowerShell script and there are no other files involved. Nothing new is downloaded. When the files are encrypted they DO NOT change file name or extensions and appear “normal” to the victim until you try to open them. This is the same behaviour we have been seeing with the recent UPS failed to deliver nemucod ransomware versions.


The email looks like:

From: Mail Delivery Subsystem <mailer-daemon@joelosteel.gdn>

Date: Sun 09/07/2017 09:25

Subject: Delivery Status Notification <[redacted] >

More:
https://myonlinesecurity.co.uk/new-powershell-ransomware-coming-in-malspam-emails-pretending-to-be-email-bounce-messages/
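
For mail filtering, the delivery chain described in the post (a zip inside a zip that extracts to a .js file) can be checked before a message reaches the inbox. The following is an added example, not code from the post or the linked article; the file names, the extra extensions beyond .js, and the size and depth limits are assumptions.

```python
import io
import zipfile

# Extensions Windows will run as scripts on double-click.
# The post names only .js; the others are an assumption added for illustration.
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".wsf")
MAX_DEPTH = 3                          # stop descending into deeper nesting
MAX_MEMBER_BYTES = 20 * 1024 * 1024    # skip oversized members (zip-bomb guard)


def find_nested_scripts(data, depth=0, prefix=""):
    """Return paths of script files found inside a (possibly nested) zip."""
    hits = []
    if depth > MAX_DEPTH or not zipfile.is_zipfile(io.BytesIO(data)):
        return hits
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = prefix + info.filename
            if info.filename.lower().endswith(SCRIPT_EXTS):
                hits.append(path)
            elif not info.is_dir() and info.file_size <= MAX_MEMBER_BYTES:
                try:
                    inner = zf.read(info)
                except (RuntimeError, NotImplementedError, zipfile.BadZipFile):
                    continue  # encrypted or corrupt member: cannot inspect
                # "!" marks the boundary between an archive and its contents
                hits.extend(find_nested_scripts(inner, depth + 1, path + "!"))
    return hits


def make_zip(members):
    """Build a zip in memory from {name: bytes}; used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: zip -> zip -> .js as in the post (harmless placeholder
# content, hypothetical file names), plus a benign archive for comparison.
inner_zip = make_zip({"notification.js": b"// placeholder"})
outer_zip = make_zip({"notification.zip": inner_zip})
benign_zip = make_zip({"report.txt": b"hello"})

if __name__ == "__main__":
    print(find_nested_scripts(outer_zip))
    print(find_nested_scripts(benign_zip))
```

A non-empty result is a reason to quarantine the attachment; legitimate bounce messages do not carry zipped scripts.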