Microsoft warns internet users for a new method of cybercriminals that try to spread ransomware through email attachments. The attachment is a .RAR file pretending to be a fax message that claims there is a criminal case against you.
By using this subject the cybercriminals hope you panic and open the attached file immediately with the password provide in the email. The file is password protected for a reason, this way the cybercriminals hope to bypass antivirus scanners.
When the .RAR file is opened it users are left with a .WSF file. This is a malcious obfuscated Windows Script File (WSF) known as Crimace. When the file is opened it shows an error message stating the fax can't be displayed. In reality the Crimace script installs the WinPlock ransomware in the background. WinPlock is able to encrypt 2620 different kinds of file types. To decrypt files it demands a ransom of 0.55 Bitcoin (about $400).
"WinPlock is a family of ransomware that has been around since September 2015 but did not have significant activity until recently. The discovery of this new variant signals that it’s back to wreak havoc," Microsoft writes on its blog.
