Australian Immigration Daily News

Beware of resume emails bearing ransomware: Alert Priority High

Staysmartonline.gov.au have released information today which could affect migration agents, as people seeking to migrate to Australia will often send their CV / resume by email asking for an eligibility assessment.

You are advised to be wary of unsolicited emails purporting to attach resumes from potential job candidates. Malicious individuals are using these emails to deliver the CryptoWall 3.0 ransomware that can encrypt your files and require you to submit payment for the key to decrypt them.

The malicious emails come from a variety of addresses, including dustywarner[at]csi.com, MargaritoEverett[at]ebparks.org and SantiagoHenson[at]tom.com.

The email subject is typically ‘[first and last names of purported sender] – My resume’.

The email body generally reads:  ‘Hi, my name is [first and last names of purported sender]. I am herewith submitting my Resume under attachment for your perusal.

‘Thank you, [first name of purported sender here].

‘Attachment: [first and last names of purported sender] – My Resume.zip.’ 

A screenshot of a sample email is attached below.

 

The attachment is a .zip file which includes a single file named [first and last names of purported sender] MyResume.js. If a recipient of this email clicks on the .js file (JavaScript file), the file attempts to reach out to a list of servers and download .jpg files containing malicious executables that try to install the CryptoWall 3.0 ransomware.        

The attack appears to be targeting Australian companies and researchers indicate a new campaign may have been released on Tuesday last week.

When a user’s computer is infected with CryptoWall, the ransomware encrypts a range of file types with a strong encryption key. CryptoWall then typically displays a page to the user advising them their files have been encrypted and that they need to pay a ransom for the key to decrypt them. The message may also include a link to a website to make payment. 

It is important to note that for many victims, paying the ransom may lead to files being returned to normal. However, because you are dealing with criminals, you should be aware this is extortion and there are no guarantees you will regain access to your data. 

The criminals may not respond, they may increase their demands or they may attack you again. Unless you take preventative action, your computer will still have the same vulnerability that caused it to become infected in the first instance.

Staying safe 

Prevention is the best antidote to ransomware and other malware attacks.

Use spam filters and be cautious when opening emails, especially if there are attachments.

Make sure you are using a reputable security product.

Make sure it is up-to-date and switched on.

Make sure your operating system and applications are up-to-date.

Run a full scan of your computer—regularly.

Set and use strong and unique passwords.

Set passwords on all your hardware devices (modems and routers).                

Back up your data.

Keep a backup copy of your data in a safe place, disconnected from your computer and the internet.

Only visit reputable websites and online services.

Most up-to-date security software should identify and block ransomware. 

Recovery

The major problem with encryption based ransomware is that once your computer has become infected, the only way to recover your files is from a clean backup (if the backup has not also been encrypted) or by receiving the encryption key from the scammers.

If you have a clean back up of your data, you can use this to restore your files once you have re-established your system, free of infection.

You can also keep a copy of the encrypted files in case future events make decryption possible. Authorities may take down these ransomware gangs in the future and it might become possible to obtain the encryption key for your data.