12-24-2018 , 12:23 PM
Quote: "It looks like we have a new Ransomware spreading as a nice Christmas Present. This is being identified as Criakl by Anyrun, but if it is Criakl, then it is a new version. Criakl was around in 2014 and has been seen sporadically since then, but hasn’t been an extremely active or well spread ransomware previously, particularly in the UK.
I received 2 different emails overnight containing this ransomware, both very similar and written in bad English or machine translated from a foreign language. These emails all come from admin[at]floraman.ru and pass all authentication checks (SPF & DKIM), so are likely to be delivered to the recipient.
One had a zip attachment containing a macro enabled word doc. The second was a .rar with a .exe inside it. The word doc contacts a remote site & downloads a .exe file which is identical to the exe file inside the .rar. The word doc uses macros on close, so a victim doesn’t realise anything is happening until after they close word.
Remember many email clients, especially on a mobile phone or tablet, only show the Name in the From: and not the bit in <domain.com >. That is why these scams and phishes work so well.
Prise list.zip extracts to Prise list.doc
[...]
This encrypts almost everything on the computer, including, it appears, its own dropper.
The encrypted files get renamed to email-biger[at]x-mail.pro.ver-CL 1.5.1.0.id-2094653670-9835384014918344629827.fname-Prise list.doc.doubleoffset
The ransom text, which is in every folder as well as a displayed version on the desktop, asks you to email the criminal to get decrypted:
Your files was encrypted! To decrypt write us
biger[at]x-mail.pro
biger[at]x-mail.pro
biger[at]x-mail.pro
(edited for security reasons)
[...]"
More information on the format of the spam mail can be found at the source.
https://myonlinesecurity.co.uk/new-ranso...l-version/
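The renamed-file layout quoted in the post (email-&lt;contact&gt;.ver-&lt;version&gt;.id-&lt;victim id&gt;.fname-&lt;original name&gt;.doubleoffset) is something an incident responder can parse back to an inventory of which files were hit and what they were called. The script below is an added example, not code from the post or from the myonlinesecurity write-up; the file names are constructed here (the first one is the name quoted in the post, printed with "[at]" as the post has it; a real sample would carry "@", which the pattern also accepts), and the layout is assumed from the one example the post gives.

```python
import re
from collections import defaultdict

# Layout described in the post:
#   email-<contact>.ver-<version>.id-<victim id>.fname-<original name>.doubleoffset
# The contact address and the original file name both contain dots, so those
# groups are non-greedy; the fixed ".ver-", ".id-" and ".fname-" separators and
# the trailing ".doubleoffset" extension anchor the match.
MARKER_RE = re.compile(
    r"^email-(?P<contact>.+?)"
    r"\.ver-(?P<version>.+?)"
    r"\.id-(?P<victim_id>[0-9-]+)"
    r"\.fname-(?P<original>.+)"
    r"\.doubleoffset$"
)


def parse_marker(name):
    """Return the fields encoded in an encrypted file name, or None when the
    name does not follow the layout (i.e. the file was not renamed)."""
    m = MARKER_RE.match(name)
    return m.groupdict() if m else None


def inventory(names):
    """Group encrypted names by (contact, victim id) and list the original
    file names under each key; files that were not renamed are skipped."""
    groups = defaultdict(list)
    for name in names:
        fields = parse_marker(name)
        if fields:
            key = (fields["contact"], fields["victim_id"])
            groups[key].append(fields["original"])
    return dict(groups)


# Constructed directory listing (assumption): the first entry is the renamed
# file quoted in the post, the second is made up, the third was not touched.
SAMPLE_LISTING = [
    "email-biger[at]x-mail.pro.ver-CL 1.5.1.0.id-2094653670-9835384014918344629827.fname-Prise list.doc.doubleoffset",
    "email-biger[at]x-mail.pro.ver-CL 1.5.1.0.id-2094653670-9835384014918344629827.fname-budget.2019.xlsx.doubleoffset",
    "readme.txt",
]

if __name__ == "__main__":
    for (contact, victim_id), originals in inventory(SAMPLE_LISTING).items():
        print(f"contact={contact} id={victim_id}")
        for original in originals:
            print("   ", original)
```

Run over a real `os.listdir()` (or a recursive walk) instead of `SAMPLE_LISTING` to get a per-victim list of original names; the contact address and victim id are the values worth keeping in the incident record, since the post notes the ransom note gives only the contact address.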
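The post points out that many mail clients show only the display name of the From: header and hide the address in angle brackets, which is what makes a message from admin[at]floraman.ru pass for something else. The check below is an added example, not code from the post or the write-up: it splits a From: header into display name and real address with a small parser written here (an assumption; a production filter would use a full RFC 5322 parser) and flags the case where the display name itself carries a domain or address that does not belong to the real sending domain. The sample headers are constructed; the post does not say what display name the spam used.

```python
import re

# Minimal From: header parser (assumption, written for this example):
#   "Quoted Name" <addr>   |   Bare Name <addr>   |   addr
FROM_RE = re.compile(
    r'^\s*(?:"(?P<qname>[^"]*)"|(?P<name>[^<]*?))\s*<(?P<addr>[^>]+)>\s*$'
)

# Anything that looks like a host name inside the display name.
DOMAIN_IN_TEXT = re.compile(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def split_from(header):
    """Return (display_name, address, sending_domain) for a From: value."""
    m = FROM_RE.match(header)
    if m:
        name = m.group("qname") if m.group("qname") is not None else m.group("name")
        addr = m.group("addr").strip()
    else:
        name, addr = "", header.strip()
    domain = addr.rpartition("@")[2].lower()
    return name.strip(), addr, domain


def display_name_mismatch(header):
    """True when the display name names a domain or address whose domain is
    not the real sending domain (or a subdomain of it)."""
    name, _addr, domain = split_from(header)
    for found in DOMAIN_IN_TEXT.findall(name):
        found = found.lower()
        if found != domain and not found.endswith("." + domain):
            return True
    return False


# Constructed headers (assumption): the address is the sender named in the
# post, the display names are made up to show both outcomes.
SAMPLE_HEADERS = [
    "Accounts <admin@floraman.ru>",
    '"accounts@yourbank.example" <admin@floraman.ru>',
    "admin@floraman.ru",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        name, addr, domain = split_from(h)
        flag = "MISMATCH" if display_name_mismatch(h) else "ok"
        print(f"{flag:8} name={name!r} addr={addr} domain={domain}")
```

The useful defensive point is the `domain` value: a mail gateway or a user-facing client that always renders the real sending domain next to the display name removes the trick the post describes, and `display_name_mismatch` is the rule you would attach to that rendering to highlight the suspicious case.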