Spam campaign baits users with Visa Total Rewards emails containing malware that leads to Trojan.Cryptolocker.N infections.

Spam related to credit cards is a typical scam observed on a daily basis. Some attempt to fool recipients into giving up their personal information along with their credit card numbers in the form of phishing attacks, while others attempt to lure victims into various online scams. On the other hand, credit card-related spam campaigns involving malware are not as commonly seen. Symantec Security Response has, however, recently observed a spam campaign offering fake Visa rewards and benefits as bait to deliver ransomware to recipients’ computers.
Figure 1. Malicious spam contains a fake whitepaper—an archive file containing JS.Downloader
Figure 2. JS.Downloader downloads TeslaCrypt ransomware, which informs victims their files have been encrypted
The ransomware provides more information to victims on a personalized home page and demands a payment of US$500 (or 1.2 bitcoins) within 160 hours of infection in order to unlock the encrypted files. If the transaction is not made within the specified time frame, the price doubles to $1,000. This page provides a contact form that offers assistance in case of payment issues or any other problems the victims may run into. There is also an opportunity to decrypt a single file for no fee to prove that the files can be properly decrypted.
Figure 3. Victims are given 160 hours to pay US$500 (1.2 BTC) to have their files decrypted, after which the demand doubles
The vast majority of the spam is being distributed to English-speaking countries, with the UK (40 percent) and the US (36 percent) most targeted. Other regions around the globe are affected as well, as seen in Figure 4.
Figure 4. Majority of the spam is being distributed to the UK and the US
Figure 5. Traffic observed on Symantec Email Security.cloud
A full protection stack helps to defend against these attacks, including Symantec Email Security.cloud, which can block email-borne threats; Symantec Web Security.cloud, which blocks web-based threats; and Symantec Endpoint Security.
Symantec and Norton products protect against the threats involved in this campaign with the following detections:
Tips on protecting yourself from ransomware
- Regularly back up any files stored on your computer. If your computer does become infected with ransomware, your files can be restored once the malware has been removed.
- Always keep your security software up to date to protect yourself against any new variants of malware.
- Keep your operating system and other software updated. Software updates will frequently include patches for newly discovered security vulnerabilities that could be exploited by attackers.
- Delete any suspicious-looking emails you receive, especially if they contain links or attachments.
Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us, she held cyber security researcher positions within a variety of cyber security start-ups. She also has experience in different industry domains like finance, healthcare and consumer products.