Security researchers from Check Point came across a new Ransomware campaign targeting Human Resource departments. The attack start by an email pretending to be a job application. The email contains a brief message from the applicant and two attachments, a PDF file and an Excel document.
The PDF file is non malicious cover letter which trick the receiver into believing that the email is legitimate. The second document, is a macro-enable Excel file containing a picture of a flower with the word "Loading..." . A text asking the victim to enable the content can also be seen.
As soon as the receiver enable the content, the macro in the excel document is executed and the encryption process of the files is started, preventing the user from accessing the files. Once encryption is completed, the victim is presented with a note: “YOUR_FILES_ARE_ENCRYPTED.TXT” .
The device is then automatically rebooted and a fake “chkdsk” screen is displayed while the disk is been encrypted.
After disk encryption, the victim is presented with the below screen where steps to decrypt their disk has been given.
We advise people from HR departments to remain alert. Make sure a robust anti-Ransomware software is running on your device. Scan all downloaded document before opening.
Source: [CheckPoint Blog]