Ransomware / Cryptolocker

malware

In the last couple of days we detected a high number of distribution campaigns for the Ransomware/Cryptol0cker.

The attached files are .js and .doc files, and the e-mail subject consists of the prefix “Contratto” followed by 6 decimal digits:

Contratto [XXXXXX]

Example:

Contratto 129917

Contratto 165738

The names of the attached files have the following patterns:

[XXXXXX].doc

[XXXX].js

Example:

447095.doc

5044.js

The files download and execute the Ransomware/Cryptol0cker from the following URL:

hxxp://twentymind.tw/file/dew.fgh

The downloaded file has the following MD5:

6526CF077EA67E41F643F5357C20AFBC
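
The subject and attachment-name patterns above can be turned into a mail-filter check. The following is an added example, not code from the original advisory; the function names and the sample messages are constructed for illustration, and matching is done case-insensitively as an assumption.

```python
import re
from email import message_from_string
from email.message import Message

# Patterns from the advisory: subject "Contratto" + 6 digits,
# attachments named [XXXXXX].doc or [XXXX].js.
SUBJECT_RE = re.compile(r"^\s*Contratto\s+\d{6}\s*$", re.IGNORECASE)
ATTACH_RE = re.compile(r"^(?:\d{6}\.doc|\d{4}\.js)$", re.IGNORECASE)


def campaign_indicators(msg: Message) -> dict:
    """Return which of the advisory's indicators a parsed message matches."""
    subject = str(msg.get("Subject", ""))
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    hits = [n for n in names if ATTACH_RE.match(n.strip())]
    return {"subject": bool(SUBJECT_RE.match(subject)), "attachments": hits}


def should_quarantine(msg: Message) -> bool:
    """Quarantine only when subject and attachment name both match."""
    r = campaign_indicators(msg)
    return r["subject"] and bool(r["attachments"])


def build_sample(subject: str, filename: str) -> Message:
    """Constructed sample message (not a captured e-mail)."""
    raw = (
        "From: sender@example.invalid\n"
        f"Subject: {subject}\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n'
        "\n"
        "--b1\n"
        "Content-Type: text/plain\n"
        "\n"
        "body\n"
        "--b1\n"
        "Content-Type: application/octet-stream\n"
        f'Content-Disposition: attachment; filename="{filename}"\n'
        "\n"
        "placeholder\n"
        "--b1--\n"
    )
    return message_from_string(raw)


if __name__ == "__main__":
    for subj, fn in [("Contratto 129917", "5044.js"), ("Contratto 2016", "report.doc")]:
        print(subj, fn, should_quarantine(build_sample(subj, fn)))
```

Requiring both the subject and an attachment name to match keeps ordinary mail that merely mentions “Contratto” out of quarantine; campaign_indicators() can be logged on its own for partial matches.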