TeslaCrypt Posing as USPS in Ransomware Campaign


AppRiver has issued a warning over a current TeslaCrypt ransomware campaign that mimics the United States Postal Service (USPS).

According to the company, the TeslaCrypt operators are targeting users with emails that use USPS colors and graphics and carry an attachment purporting to be an invoice receipt for a failed delivery attempt. Inside the zipped archive is a short, obfuscated JavaScript file that acts as the downloader.

The archive is named USPS_delivery_invoice[.]zip, and the JavaScript files inside follow the naming convention invoice_[random string].js, invoice_copy_[random string].js or invoice_scan_[random string].js.

Once executed, the JavaScript downloader reaches out to one of several websites, including mafiawantsyouqq[.]com, lenovowantsyouff[.]com, whereareyoumyfriendff[.]com, lenovomaybenotqq[.]com and ikstrade.co[.]kr, to pull down files such as 93[.]exe, 45[.]exe and 26[.]exe, among others that follow the same short-number naming convention. Some versions also issue an HTTP POST to salaeigroup[.]com.
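The infection chain above gives a mail gateway and a proxy two concrete things to match on: a ZIP attachment whose member names follow the invoice_*.js convention, and outbound requests to the listed domains for short-numbered .exe payloads. The following is an added example written for this page, not AppRiver's or Infosecurity's code. The indicators are taken from the text with the defanging brackets removed so they can be matched literally; the archive, its script member and the proxy log lines are constructed here for demonstration, and the log format (timestamp, client IP, method, URL, status) is an assumption.

```python
"""Detection helpers for the USPS-themed TeslaCrypt lure described above.

Added example, not the vendor's code. Checks (1) whether an attachment is a
ZIP carrying a script named like invoice_*.js, invoice_copy_*.js or
invoice_scan_*.js, and (2) whether proxy log lines show requests to the
reported domains or for short-numbered .exe payloads.
"""
import io
import re
import urllib.parse
import zipfile

# Domains reported in the article (defanging removed; do not resolve them).
TESLACRYPT_DOMAINS = {
    "mafiawantsyouqq.com",
    "lenovowantsyouff.com",
    "whereareyoumyfriendff.com",
    "lenovomaybenotqq.com",
    "ikstrade.co.kr",
    "salaeigroup.com",
}
# Attachment name used by the campaign.
ATTACHMENT_RE = re.compile(r"^USPS_delivery_invoice\.zip$", re.IGNORECASE)
# Script names inside the archive: invoice_<rand>.js, invoice_copy_<rand>.js, invoice_scan_<rand>.js
SCRIPT_RE = re.compile(r"^invoice_(?:copy_|scan_)?[A-Za-z0-9]+\.js$", re.IGNORECASE)
# Payload names: 93.exe, 45.exe, 26.exe and similar (a short number plus .exe).
PAYLOAD_RE = re.compile(r"/\d{1,3}\.exe$", re.IGNORECASE)


def suspicious_scripts_in_zip(zip_bytes: bytes) -> list:
    """Return archive member names matching the invoice_*.js convention.

    Works on the raw attachment bytes so nothing is written to disk.
    A non-ZIP attachment yields an empty list rather than an exception.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist() if SCRIPT_RE.match(n.rsplit("/", 1)[-1])]
    except zipfile.BadZipFile:
        return []


def classify_attachment(filename: str, content: bytes) -> str:
    """'lure' when both the filename and the archive contents match,
    'suspicious-name' or 'suspicious-content' when only one does, else 'clean'."""
    name_hit = bool(ATTACHMENT_RE.match(filename))
    content_hit = bool(suspicious_scripts_in_zip(content))
    if name_hit and content_hit:
        return "lure"
    if name_hit:
        return "suspicious-name"
    if content_hit:
        return "suspicious-content"
    return "clean"


# Assumed proxy log format: "<timestamp> <client_ip> <GET|POST> <url> <status>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST)\s+(\S+)\s+(\d{3})$")


def scan_proxy_logs(lines) -> list:
    """Return (client_ip, host, reasons) for each request matching the IOCs.

    'known-domain' means the host is one reported for the campaign;
    'numbered-exe' means the path ends in a short-numbered .exe, which on
    its own is weaker evidence and is reported separately for triage.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _ts, client, _method, url, _status = m.groups()
        parts = urllib.parse.urlsplit(url)
        host = (parts.hostname or "").lower()
        reasons = []
        if host in TESLACRYPT_DOMAINS:
            reasons.append("known-domain")
        if PAYLOAD_RE.search(parts.path):
            reasons.append("numbered-exe")
        if reasons:
            hits.append((client, host, tuple(reasons)))
    return hits


def build_sample_lure() -> bytes:
    """Construct an in-memory ZIP shaped like the lure (placeholder script body)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_copy_a8f3k2.js", "// constructed placeholder, not the real downloader\n")
    return buf.getvalue()


# Constructed log lines (timestamps and client IPs are made up for the example).
SAMPLE_LOGS = [
    "2016-03-01T10:02:11Z 10.0.0.12 GET http://mafiawantsyouqq.com/93.exe 200",
    "2016-03-01T10:02:15Z 10.0.0.12 POST http://salaeigroup.com/ 200",
    "2016-03-01T10:03:00Z 10.0.0.20 GET http://example.org/index.html 200",
    "2016-03-01T10:04:40Z 10.0.0.31 GET http://cdn.example.net/files/45.exe 200",
]

if __name__ == "__main__":
    print(classify_attachment("USPS_delivery_invoice.zip", build_sample_lure()))
    for hit in scan_proxy_logs(SAMPLE_LOGS):
        print(hit)
```

The attachment check deliberately inspects member names rather than the ZIP filename alone, since the same downloader can arrive under a different archive name; conversely a host that is not on the list but serves a short-numbered .exe is flagged with the weaker "numbered-exe" reason so an analyst can triage it without treating it as a confirmed match.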

Fred Touchette, Manager of Security Research at AppRiver, advised users to “Remain aware and vigilant as these ransomware attacks show no real sign of slowing down; in fact they seem to be highly effective.”

PandaLabs Technical Director Luis Corrons told Infosecurity that campaigns such as this can be extremely damaging, especially for small- to medium-sized companies, which can find themselves in a situation where they are forced to pay the demands of the hackers or face the closure of their business.

However, he explained there are several things organizations can do to be as protected and prepared as possible.

These include ensuring antivirus protection is integrated with “proactive technologies that can block ransomware”, educating users by “showing them examples of these types of fraudulent emails” and making sure “software is updated in all endpoints and servers to stop infections via exploit kits.”
