Friday, November 28, 2014

INTERNAL FAX - CryptoWall 2.0 E-mail Example

I finally tracked down an example of one of the many variants of the CryptoWall 2.0 RansomWare / MalWare / Virus e-mails. This is not the only version out there, so be aware!

As a general rule of thumb, never open a zip file attachment from someone you don't know. Even then, scan it for viruses before opening it.

Here's what to look out for:

The e-mail subject was INTERNAL FAX

The attachment name I received was FAX827-482-9123.zip. The infectious software is contained inside the zip file. The message also carried an attachment named ATT00001.txt (which is not a virus).

RansomWare message body text:

You have received fax from EPSON09964727 at sidsolve.com

Scan date: Wed, 26 Nov 2014 10:18:44 -0500

Number of page(s): 61

Resolution: 400x400 DPI

Name: FAX827-482-9123.pdf

Attached file is scanned image in PDF format.

The message came from XTLAMJHEK ( around the Orlando, Florida area. The sender's address was 8GEGBYXZ.4384595@bleuit.com. The return path is cidejilk@bleuit.com. The sender spoofed a fake address, fax@sidsolve.com, and this would likely be customized to the victim's domain. The company that owns the domain is based in Guernsey in the Channel Islands.
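The indicators listed above (the "INTERNAL FAX" subject, a zip attachment carrying the payload, and a spoofed From address whose domain does not match the Return-Path) can be checked mechanically before anyone opens the attachment. The following script is an added example, not code from this post: it parses a message with Python's standard email module and reports those indicators. The sample message it builds is constructed here to mirror the headers quoted above; the list of executable extensions and the name of the file inside the zip are assumptions, since the post only says the zip contains "the infectious software".

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption for this example: file types that should never arrive inside a "scanned fax" zip.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".js", ".vbs", ".bat", ".cmd")


def sender_domain(header_value):
    """Return the lowercased domain of an address header ("" if it holds no address)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze_fax_email(raw_bytes):
    """Parse a raw RFC 822 message and return a list of indicator strings found in it."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []

    # Indicator 1: the visible From domain differs from the envelope Return-Path domain.
    from_dom = sender_domain(msg["From"])
    rp_dom = sender_domain(msg["Return-Path"])
    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append(f"from/return-path domain mismatch: {from_dom} vs {rp_dom}")

    # Indicator 2: the subject matches the lure used in this campaign.
    if str(msg["Subject"] or "").strip().upper() == "INTERNAL FAX":
        findings.append("subject matches fax lure")

    # Indicator 3: zip attachments, and whether they hide an executable.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        findings.append(f"zip attachment: {name}")
        try:
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                for member in zf.namelist():
                    if member.lower().endswith(EXECUTABLE_EXTENSIONS):
                        findings.append(f"executable inside {name}: {member}")
        except zipfile.BadZipFile:
            findings.append(f"unreadable zip attachment: {name}")
    return findings


def build_sample_email():
    """Constructed sample mirroring the post's headers; not a real capture."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Assumed inner file name; the bytes are a harmless placeholder, not a real program.
        zf.writestr("fax_document.exe", b"placeholder, not an executable")
    msg = EmailMessage()
    msg["Subject"] = "INTERNAL FAX"
    msg["From"] = "fax@sidsolve.com"            # spoofed display sender from the post
    msg["Return-Path"] = "<cidejilk@bleuit.com>"  # return path from the post
    msg["To"] = "recipient@example.com"          # constructed recipient
    msg.set_content("You have received fax from EPSON09964727 at sidsolve.com\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="FAX827-482-9123.zip")
    msg.add_attachment("placeholder text", subtype="plain", filename="ATT00001.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in analyze_fax_email(build_sample_email()):
        print(finding)
```

Run against a message saved from a mail client (pass the file's bytes to analyze_fax_email), the script lists each indicator it found; a clean internal fax with a matching sender domain and no zip attachment produces an empty list. The Return-Path comparison relies on the receiving mail server having recorded that header, which most do at delivery time.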