Fake “Incoming Fax Report” emails lead to crypto-ransomware

Once again, fake “Incoming Fax Report” emails carrying malware are being sent out to random users. Given the popularity of online fax-sending services, there are likely to be many victims.

The email takes the same, often repeated form:

Most of the time, the subject of the fake fax is something related to payroll or an internal report, and the malicious file is hosted on an online file storage account and linked to from the email.

In this case, the email carries the malware in the attachment.

According to Dr. Web researchers, the file – an SRC file – is a Trojan downloader which, once run, extracts and launches encryption ransomware.

“The ransomware then encrypts data stored on the disk and demands a ransom for its recovery. Files affected by [the ransomware] do not have their filename extension changed, but get the string ‘!crypted!’ appended at the beginning of their names. During the encryption process, the malware creates temporary files with the extension *.cry which are later deleted,” they explained, and pointed out that, unfortunately, it’s currently impossible to decrypt files affected by this crypto-ransomware.

They don’t say which ransomware it actually is, but the category the file is listed under – Trojan.Encoder.514 – is the equivalent of Microsoft’s Win32/Crowti.A, which corresponds to the infamous Cryptowall.
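The two filename indicators the researchers describe (the ‘!crypted!’ prefix and the temporary *.cry files) can be used to triage an affected disk. The following is an added example, not code from Dr. Web or from the original article: it walks a directory tree, lists the original filenames that need restoring from backup, and flags leftover *.cry files. The function names, the sample tree and the case-insensitive matching are assumptions made for illustration.

```python
import os
import tempfile

PREFIX = "!crypted!"   # string prepended to encrypted files' names (from the report)
TEMP_EXT = ".cry"      # extension of temporary files created during encryption


def triage(root):
    """Walk root and classify files by the two filename indicators.

    Returns a dict with:
      encrypted:   {current path: original path to restore from backup}
      in_progress: sorted paths of *.cry temp files (encryption may be running)
    """
    encrypted, in_progress = {}, []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()  # assumption: match case-insensitively
            if lower.startswith(PREFIX) and len(name) > len(PREFIX):
                # The extension is left unchanged, so stripping the prefix
                # recovers the original filename.
                encrypted[path] = os.path.join(dirpath, name[len(PREFIX):])
            elif lower.endswith(TEMP_EXT):
                in_progress.append(path)
    return {"encrypted": encrypted, "in_progress": sorted(in_progress)}


def build_sample_tree(root):
    """Constructed sample data: empty files that only mimic the naming pattern."""
    names = ["docs/!crypted!payroll.xlsx", "docs/notes.txt",
             "docs/report.docx.cry", "pics/!crypted!scan.jpg"]
    for rel in names:
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        result = triage(tmp)
        for cur, orig in sorted(result["encrypted"].items()):
            print("restore from backup:", orig, "(found as " + cur + ")")
        for path in result["in_progress"]:
            print("temp file, encryption may still be active:", path)
```

A *.cry file that is still present suggests the encryption process was interrupted or is still running, so the host should be isolated before any restore begins.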

Users are advised to regularly back up their important files, and to think twice about opening attachments or following links in unsolicited emails.

Seeing that this particular type of malicious email campaign is mounted every few months, this will surely not be the last time users are warned about it. Unfortunately, it only takes a moment of distraction for it to succeed.