After a two-month drop in the volume of incidents, the Sigma ransomware is spreading again through an email campaign, purportedly from someone looking for a job, that pushes an infected Microsoft Word resume.
That’s the conclusion of security researcher Brad Duncan, who writes regularly on the SANS Institute’s Infosec Handler’s Diary Blog. The sending addresses, subject lines, email headers and message text vary, but the Word document attachment is named “ resume.doc” (in some cases with a capital R), with a space before the first letter. It’s part of a campaign that uses the same method and is also spreading the GlobeImposter and GandCrab ransomware.
(This article is related to, or the same as, a post on the Canadian tech blog www.itworldcanada.com.)
We are very thankful to Howard Solomon, who shared this article with us.
As early as Friday of last week, Duncan reports, this campaign started using password-protected Word documents. The email message tells the recipient something like the attached file is password protected to protect against identity theft, and gives the password “resume.” Opening the document prompts the user to enter the password and then to enable macros. Those macros cause the computer to retrieve a malware binary over HTTP using TCP port 80.
The malware then encrypts the victim’s hard drive.
In the case of the Sigma ransomware Duncan found, the ransom demanded for a decryption key is $400 in bitcoin. The price one researcher found in November was $1,000.
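The email traits described above (the leading-space attachment name, the password given in the message body, and a legacy Word attachment) can be checked at a mail gateway. The Python code below is an added example, not taken from Duncan's diary or the original article; the sample message, the indicator names and the function names are constructed for illustration.

```python
import email
import re
from email import utils

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE2 container used by legacy .doc
NAME_RE = re.compile(r"^ [Rr]esume\.doc$")     # leading space, optional capital R

# Constructed sample message for illustration; not captured from the campaign.
SAMPLE = """\
From: applicant@example.com
Subject: Application
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

My CV is attached. It is password protected to guard against
identity theft. Password: resume
--b1
Content-Type: application/msword
Content-Disposition: attachment; filename=" resume.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuE=
--b1--
"""

# Message.get_filename() strips whitespace, which would hide the leading
# space this check depends on, so read the raw header parameter instead.
def raw_filename(part):
    value = part.get_param("filename", header="content-disposition")
    return None if value is None else utils.collapse_rfc2231_value(value)

def indicators(raw):
    """Return the set of traits described in the article that appear in raw."""
    hits = set()
    for part in email.message_from_string(raw).walk():
        name = raw_filename(part)
        payload = part.get_payload(decode=True) or b""  # None for containers
        if name is None:
            if re.search(rb"password", payload, re.I):
                hits.add("password_in_body")
            continue
        if NAME_RE.match(name):
            hits.add("leading_space_resume_name")
        if payload.startswith(OLE_MAGIC):
            hits.add("ole_attachment")
    return hits
```

Any single indicator is weak on its own; the filename check is the most specific of the three, and it only works if the filter reads the attachment name before whitespace is trimmed.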