New ransomware distributed using Windows help files

Romanian antivirus company Bitdefender warns of cybercriminals sending out emails with malicious help files containing the CryptoWall ransomware. The emails contain a .CHM file (Microsoft Compressed HTML Help) as an attachment. CHM is the successor of the famous .HLP help files in Windows.


CHM files can contain interactive elements and can be built using several different technologies, like JavaScript. This makes it possible to automatically download files as soon as the CHM file is opened. According to analyst Catalin Cosoi, using CHM files to distribute malware makes perfect sense: “the less user interaction, the greater the chances of infection”. In addition, users might not regard these files as suspicious.

The emails in question pose as messages from a fax machine. Once the ransomware becomes active, it starts to encrypt files on the computer, rendering them useless. In order to decrypt the files, the victim has to pay a ransom. According to Bitdefender, the cybercriminals distributing the ransomware are currently mainly targeting businesses. Over the last couple of months, several companies have reported falling victim to the malware.
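
A mail-gateway style check for the delivery method described above, as an added example that is not part of the original article: it flags attachments that are named .chm or that start with the CHM file signature `ITSF` under another extension. The function names, addresses and sample attachments are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

CHM_MAGIC = b"ITSF"  # first four bytes of a compiled HTML Help (.chm) file


def find_chm_attachments(raw_message: bytes):
    """Return (filename, reason) for each attachment that looks like a CHM file."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name is None and not part.is_attachment():
            continue  # message body, not an attachment
        payload = part.get_payload(decode=True) or b""
        # Windows drops trailing dots and spaces, so "x.chm." still opens as CHM.
        by_name = (name or "").lower().rstrip(". ").endswith(".chm")
        by_magic = payload.startswith(CHM_MAGIC)
        if by_name and by_magic:
            hits.append((name, "chm extension and ITSF header"))
        elif by_magic:
            hits.append((name, "ITSF header under a different extension"))
        elif by_name:
            hits.append((name, "chm extension"))
    return hits


def build_sample() -> bytes:
    """Constructed test message; the payloads are placeholders, not real CHM files."""
    msg = EmailMessage()
    msg["From"] = "fax@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Incoming fax"
    msg.set_content("You have received a new fax.")
    fake_chm = CHM_MAGIC + b"\x00" * 60
    for fname, data in [("fax_0231.chm", fake_chm),
                        ("fax_0232.pdf", fake_chm),
                        ("notes.txt", b"plain text")]:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=fname)
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, reason in find_chm_attachments(build_sample()):
        print(f"quarantine {filename}: {reason}")
```

Checking the file signature as well as the name catches a help file that has simply been renamed before sending.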