Security Awareness Training Blog

    New CryptoWall Attack Uses Malicious Help File Attachments

    CryptoWall 3.0 RansomwareA new CryptoWall attack wave has hit end-users with phishing emails containing malicious .chm attachments that infect networks with the latest and most sophisticated file-encrypting ransomware. The latest wrinkle is that the fake "incoming fax report" email looks to the user to come from a machine in their own domain.

    CryptoWall 3.0 is the most recent version of the original Cryptolocker, which arrived on the scene in September 2013 and made 27 Million dollars in ransom over the first few months. This file-encrypting ransomware social engineers end-users by masking its malicious payload as an innocent attachment.

    Once the user opens it, the payload encrypts the files of all mapped drives and demands about $500 in ransom to be paid in Bitcoin. The current attack uses a new attachment: help files with the .CHM extension. Bitdefender Labs discovered the attack late February 2015

    It is targeting users from around the world, including the US, the UK, several European countries and Australia. The servers that send the attack are compromised machines distributed over Asia, India, Europe, Australia, US, Romania and Spain.

    “Interestingly, in this instance, hackers have resorted to a less fashionable yet highly effective trick to automatically execute malware on a victim’s machine and encrypt its contents – malicious .chm attachments,” states Catalin Cosoi, Chief Security Strategist at Bitdefender.

    Catalin Cosoi adds, “Chm is an extension for the Compiled HTML file format, a type of file used to deliver user manuals along with software applications. These CHM files are highly interactive and run a series of technologies including JavaScript, which can redirect a user toward an external URL after simply opening the CHM. Attackers began exploiting CHM files to automatically run malicious payloads once the file is accessed. It makes perfect sense: the less user interaction, the greater the chances of infection.”

    HTML files are compressed and delivered as a binary file with the .chm extension. This format is made of compressed HTML documents, images and JavaScript files, along with a hyperlinked table of contents, an index and full text searching. 

    We recommend to add .chm files to the list of potentially malicous extensions in your spam filters if it is not in there already, and to step your end-users through Kevin Mitnick Security Awareness Training so that they do not fall for social engineering attacks like this. Find out how affordable this is for your organization today.

    Get A Quote Now

     

    Hat Tip to Net-Security 

     

    Return To KnowBe4 Security Blog

    Topics: Phishing, Ransomware

    Stu Sjouwerman

    ABOUT STU SJOUWERMAN

    Stu Sjouwerman (pronounced “shower-man”) is the founder and CEO of KnowBe4, Inc., which hosts the world’s most popular integrated security awareness training and simulated phishing platform, with over 54,000 organization customers and more than 50 million users. A serial entrepreneur and data security expert with 30 years in the IT industry, Stu was the co-founder of Inc. 500 company Sunbelt Software, a multiple award-winning anti-malware software company that was acquired in 2010.

    Read more from Stu »

    Subscribe To Our Blog


    Security Awareness Training
    Blog RSS Feed
    Comprehensive Anti-Phishing Guide
    All Posts

    Posts by Tag

    See all

    Posts By Topic

    View All

    Get the latest about social engineering

    Subscribe to CyberheistNews