New versions of the Cryptowall ransomware hitting email inboxes may appear innocuous, but they can encrypt files on systems and demand money from victims to unlock the computer.
Cryptowall is an advanced version of Cryptolocker, a file-encrypting ransomware.
An email blast went out in February, targeting users from around the world, including the U.S., UK, the Netherlands, Denmark, Sweden, Slovakia and Australia, said researchers at Bitdefender Labs. Following analysis, the spam servers appear to be in Vietnam, India, Australia, the U.S., Romania and Spain.
“Interestingly, in this instance, hackers have resorted to a less fashionable yet highly effective trick to automatically execute malware on a victim’s machine and encrypt its contents – malicious .chm attachments,” said Catalin Cosoi, chief security strategist at Bitdefender.
“Attackers began exploiting CHM files to automatically run malicious payloads once the file is accessed,” Cosoi said.
Once the content of the .chm archive is accessed, the malicious code downloads from this location: http:// *********/putty.exe, saves itself as %temp%\natmasla2.exe and executes the malware. A command prompt window opens during the process.
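
The behaviour described above (a help file being opened, a command prompt appearing, and an executable running from %temp%) can be searched for in process-creation telemetry. The Python below is an added example, not code from Bitdefender or the original article. The event field names, the `hh.exe` parent (the Windows HTML Help viewer), the shell list and every sample event are assumptions constructed for illustration.

```python
import ntpath

# Assumption: process-creation records (e.g. Sysmon Event ID 1) cut to four fields.
CHM_VIEWER = "hh.exe"  # Windows HTML Help executable that opens .chm files
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

def base(path):
    return ntpath.basename(path).lower()

def in_temp(path):
    return "\\appdata\\local\\temp\\" in path.lower()  # usual %temp% expansion

def chm_ancestor(pid, by_pid):
    """Return the hh.exe event above pid in the process tree, or None."""
    seen = set()  # guards against loops caused by PID reuse
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        parent = by_pid.get(by_pid[pid]["ppid"])
        if parent and base(parent["image"]) == CHM_VIEWER:
            return parent
        pid = by_pid[pid]["ppid"]
    return None

def find_chm_spawned(events):
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        viewer = chm_ancestor(e["pid"], by_pid)
        reasons = []
        if viewer and base(e["image"]) in SHELLS:
            reasons.append("shell started under CHM viewer")
        if viewer and in_temp(e["image"]):
            reasons.append("executable run from temp directory")
        if reasons:
            findings.append((e["pid"], viewer["cmdline"], reasons))
    return findings

def ev(pid, ppid, image, cmdline=""):
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}

SAMPLE = [  # constructed tree: mail client -> hh.exe -> cmd.exe -> dropped file
    ev(100, 1, r"C:\Windows\explorer.exe"),
    ev(200, 100, r"C:\Program Files\Mail\mailclient.exe"),
    ev(300, 200, r"C:\Windows\hh.exe", r"hh.exe C:\Users\alice\Downloads\fax.chm"),
    ev(400, 300, r"C:\Windows\System32\cmd.exe"),
    ev(500, 400, r"C:\Users\alice\AppData\Local\Temp\natmasla2.exe"),
    ev(700, 100, r"C:\Windows\hh.exe", r"hh.exe C:\Windows\Help\product.chm"),
    ev(800, 100, r"C:\Users\alice\AppData\Local\Temp\setup.exe"),
]
```

Calling `find_chm_spawned(SAMPLE)` flags the command prompt and the temp-directory executable under the first `hh.exe`, while the help viewer with no children and the installer launched from Explorer are left alone.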