January 12, 2017

It's the most wonderful time of the year! Yes, Christmas season is here and everyone has the jolly spirit.

Wait, Christmas was more than two weeks ago. So why is there Christmas-themed ransomware going around right now?

That's right, scammers are sending malicious emails that will infect your gadget with the Merry Christmas ransomware. It's possible that this scam is coming from Russian or Eastern European actors, since Orthodox Christians don't celebrate Christmas until January 7, which would make this a reasonable time frame for a Christmas-themed lure.

How the Merry Christmas ransomware attack works

Cybercriminals are sending malicious spam emails to unsuspecting victims. There are two different versions of the emails and they both claim to be from official sources.

One email claims to be a notice from the court. It says that the email's recipient has been using illegal software and they must attend a hearing in the court of their city. Here is an example email:

[Image: example court-notice email. Source: SANS Internet Storm Center]

For more information on the case, a link is provided. Once you click on the link, a zip archive disguised as a PDF document is downloaded.

It's not really a PDF. There is a Word document hidden in the zip file that runs macros to install the ransomware. If macros are not enabled in Word, the ransomware cannot run.

If macros are enabled, the ransomware is executed and your files are encrypted. Here's an example of the ransom note:

[Image: example ransom note. Source: SANS Internet Storm Center]
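The lure described above has two checkable traits before anything is opened: the attachment carries a document-looking name on a zip archive, and the archive holds an Office document with a VBA project inside. The script below is an added example written for this article, not code from the article or from SANS; it inspects an attachment in memory and flags both traits. The file names and the sample archives it builds are constructed for the demonstration, and the OLE2 magic check only says "possible macros" for legacy .doc files because telling VBA streams apart would need a full OLE parser.

```python
"""Flag the mail-attachment pattern described in the article: a ZIP archive
named like a PDF that carries a macro-bearing Office document.
Added example for this page; all file names and archives are constructed."""
import io
import zipfile

# Double extensions that hide an archive or executable behind a document name.
LURE_EXTENSIONS = (".pdf.zip", ".pdf.exe", ".pdf.scr", ".pdf.js")
OFFICE_EXTENSIONS = (".doc", ".docm", ".docx", ".dot", ".dotm",
                     ".xls", ".xlsm", ".xlsx")
OLE2_MAGIC = b"\xd0\xcf\x11\xe0"  # legacy binary Office container


def looks_like_disguised_document(name):
    """True when the file name ends in a document-plus-archive double extension."""
    lower = name.lower()
    return any(lower.endswith(ext) for ext in LURE_EXTENSIONS)


def office_member_has_macros(zf, member):
    """Return a verdict string for an Office file stored in the archive.

    OOXML documents (.docx/.docm/...) are ZIP containers themselves; a VBA
    project lives at word/vbaProject.bin (or xl/vbaProject.bin). Legacy .doc
    files are OLE2 and only get a 'possible macros' verdict here.
    """
    data = zf.read(member)
    if data.startswith(OLE2_MAGIC):
        return "ole2-possible-macros"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as inner:
            for inner_name in inner.namelist():
                if inner_name.lower().endswith("vbaproject.bin"):
                    return "vba-project"
    except zipfile.BadZipFile:
        return None
    return None


def analyze_attachment(filename, payload):
    """Return a list of human-readable findings for one attachment (empty = clean)."""
    findings = []
    if looks_like_disguised_document(filename):
        findings.append(f"double extension: {filename}")
    try:
        zf = zipfile.ZipFile(io.BytesIO(payload))
    except zipfile.BadZipFile:
        return findings  # not an archive; nothing more to unpack here
    with zf:
        for member in zf.namelist():
            lower = member.lower()
            if lower.endswith(OFFICE_EXTENSIONS):
                verdict = office_member_has_macros(zf, member)
                if verdict:
                    findings.append(
                        f"office file with macros: {member} ({verdict})")
            elif lower.endswith((".exe", ".scr", ".js", ".vbs")):
                findings.append(f"executable inside archive: {member}")
    return findings


def _make_zip(parts):
    """Build an in-memory ZIP from a {name: bytes} mapping (OOXML is just a ZIP)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in parts.items():
            z.writestr(name, data)
    return buf.getvalue()


def build_sample_lure():
    """Constructed sample with the article's structure: no real malware,
    just a ZIP named like a PDF holding a .docm with a VBA project entry."""
    docm = _make_zip({
        "[Content_Types].xml": b"<Types/>",
        "word/document.xml": b"<w:document/>",
        "word/vbaProject.bin": OLE2_MAGIC + b" placeholder VBA container",
    })
    return "Court_Case_Details.pdf.zip", _make_zip({"Court_Notice_2017.docm": docm})


def build_benign_sample():
    """Constructed clean counterpart: ordinary .docx with no VBA project."""
    docx = _make_zip({"[Content_Types].xml": b"<Types/>",
                      "word/document.xml": b"<w:document/>"})
    return "quarterly_report.zip", _make_zip({"quarterly_report.docx": docx})


if __name__ == "__main__":
    for name, payload in (build_sample_lure(), build_benign_sample()):
        print(name, "->", analyze_attachment(name, payload) or ["clean"])
```

The name check catches the disguise and the archive walk catches the macro document independently, so a sample that fails either test is worth quarantining; a mail gateway rule that blocks macro-bearing Office files inside archives would stop this chain before the user ever sees the "enable content" prompt.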

The second malicious email works exactly the same way as the one claiming to be from the court. The difference is that this one claims to be from the Federal Trade Commission.

The email says the recipient's company is being investigated for violating the Consumer Credit Protection Act. There is also a malicious link disguised as a PDF document. Clicking on it results in the same ransomware attack as described above.

The Merry Christmas ransomware attack has been evolving since its discovery. MalwareHunterTeam recently found a version of this attack that also deploys the DiamondFox malware.
