Sign in / up

back to article Poison résumé attack gives ransomware a gig on the desktop

Security researchers are focussing their crosshairs on what appears to be high-volume spam and exploit campaigns to deliver the latest iteration of the Cryptowall ransomware. Boffins from the SANS Institute, Cisco, and MalwareBytes have identified a dangerous if goofy spam campaign slinging the nasty ransomware masquerading as …

COMMENTS

Post your comment
House rules Send corrections
Add to 'My topics' unstar *
  1. Ole Juul

    just thinkin'

    "specifically by way of an Adobe Flash exploit"

    So, in the same way that BitTorrent enables "illegal filesharing", and Tor enables "terrorism", so Adobe enables extortion. Something doesn't compute.

    8 0 Reply

    1. This post has been deleted by its author

      1. Anonymous Coward
        Reply Icon
        Anonymous Coward

        Re: just thinkin'

        Extortion is ALWAYS a service, whether it comes from the state or non-state actors.

        Clearly we need a Jeeves icon.

        2 0 Reply
  2. Ashton Black

    Not huge amounts of sympathy.

    "Cryptowall is being cloaked under the file name my_resume.zip and has been sent from Yahoo email addresses. The extracted files are screen savers that, when executed, download Cryptowall from compromised servers."

    An enterprise network connected to the net need to be whitelisting all the software upon it in addition to preventing standard users from executing ANYTHING, without permission. Not to mention AV, Firewall and other Endpoint security measures.

    A simple "Please send your CV in ".doc or PDF only" helps (not perfect, but there you go) too.

    1 0 Reply
    1. jonathanb Silver badge
      Reply Icon

      Re: Not huge amounts of sympathy.

      Even so, how many HR drones would open a cv.pdf.scr file? Remember that the .scr is usually hidden, and as an executable, it can have a PDF document icon.

      0 0 Reply

  3. This post has been deleted by its author

    1. imanidiot Silver badge
      Reply Icon

      You do know the intelligence level of the average (l)user right? Finding the powerbutton before their first coffee in the morning is already pushing it.

      4 0 Reply
      1. Richard Pennington 1
        Reply Icon

        No, pushing the power button is a job for the second coffee of the morning.

        5 0 Reply
        1. RyokuMas
          Reply Icon
          Facepalm

          Anyone stupid enough to run an screensaver executable that's packaged up in a zip file titled as a resume deserves everything they get.

          Call it darwinism in action on a cyber-scale.

          2 0 Reply
          1. Alistair
            Reply Icon
            Windows

            "Anyone stupid enough to run an screensaver executable that's packaged up in a zip file titled as a resume deserves everything they get."

            Whist I'd tend to agree with your sentiment, I'll point out that a large number of those idiots work in the same places as a lot of the commentards here. And the idiot will not be tasked with mopping up the mess. It will far more likely fall to the folks that read this site regularly and comment about how stupid these end users are.

            That said -- they mention a compromised wordpress site. And I'm pretty sure there are some sigs to add to the blacklists.

            3 0 Reply
            1. The Dude
              Reply Icon

              Got one this week

              Just got this one at a client site this week. Got all the files restored on the server, but it seems to have really messed up the computer too. Wipe and reload, I guess.

              0 0 Reply
          2. imanidiot Silver badge
            Reply Icon

            The problem nowadays is that windows seems to default to "Hide known file extensions". Which is a pain in the arse as it makes it impossible to differentiate between files. A user might never even see a file is a screensaver and not a document.

            (Or as I have to deal with, 8 different files with a known and thus hidden extension with EXACTLY the same name, generated by an automatic system, but not always in the same order. And then the file options being locked by IT so I can't undo it. Good luck finding the right files after doing a few measurements...)

            0 0 Reply
            1. Crazy Operations Guy
              Reply Icon

              On my network, I force the file extensions to be shown...

              0 0 Reply
              1. gollux
                Reply Icon

                And block zip file attachments in your email client. They're mostly only ever used as attack mechanisms anymore.

                0 1 Reply
                1. jonathanb Silver badge
                  Reply Icon

                  It is also used to for example send all the invoices for the month to the accountant. They will be saved in a folder along the lines of sales/2015/06, zip up the folder and send 06.zip to the accountant.

                  0 0 Reply

      2. This post has been deleted by its author

    2. poohbear
      Reply Icon

      resume.pdf.scr, and rely on the brain-dead windoze default of 'hide file extensions of well-known file types' ... That 'feature' of windoze is greatly complicit in virus spread.

      2 0 Reply

POST COMMENT House rules

Not a member of The Register? Create a new account here.

Forgotten password ?

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like