Revival of UPS Themed Malspam
Based on recent activity being monitored via CYBONET’s PineApp Mail Secure global install base, we have noticed a return of the fake UPS cannot deliver malspam, this time with an updated NemucodAES ransomware. The malspam is presenting itself with a few different variations of the subject header ‘Problems with item delivery, n.[parcel number]’, and these emails are automatically being blocked and quarantined by our customers’ PineApp Mail Secure systems. Please see an example below:
Same Emails, Different Method
The malspam emails have reappeared with the same basic characteristics that they displayed before, with emails seeming to come from UPS, FedEx and the like. The attachment to the spam email contains a JS file that, when opened, will download PHP and a PHP script, which is the actual ransomware component. Once started, the PHP script scans the drives for targeted files and encrypts them.
Unlike most other ransomware infections, with this NemucodAES ransomware your files become encrypted without changing file names or file extensions, and you only discover that your files have been encrypted if you try to open them or see the changed desktop background and ransom note - containing the ransom amount and payment instructions – as per the example below:
Often an anti-virus comes into play and removes the malware files and the desktop warning, in which case the encryption is only revealed when the user tries to open his/her files.
Decrypting your Files
If you have seen the above Decrypt.hta ransom note with the bright red background and payment servers that have the ‘counter’ string in their URL, you are a victim of NemucodAES. Fortunately a decryptor for this ransomware has just been released, and instructions can be found at Bleeping Computer.
Quarantined by PineApp Mail Secure Prior to Encryption
Better still is to avoid infection in the first place, and CYBONET’s PineApp Mail Secure allows you to do just this, by blocking the malspam emails – see screenshot of the offending emails quarantined by the solution’s Mail Traffic Management below:
CYBONET’s PineApp Mail Secure helps by blocking 99.7% of spam and viruses and protecting your email traffic; both inbound and outbound. It neutralizes Advanced Persistent Threats and guards against zero-hour viruses, malware and ransomware with a multi-layer anti-spam and anti-virus system that identifies and blocks the likes of the zero-hour virus found in these UPS malspam emails: