After a two-month drop in volume of incidents, the Sigma ransomware is spreading again with an email campaign purportedly from someone looking for a job pushing an infected Microsoft Word resume.
That’s the conclusion of security researcher Brad Duncan, who writes regularly on the SANS Institute’s Infosec Handler’s Diary Blog. The sending addresses, subject lines, email headers and message text are varied but the Word document attachment is named ” resume.doc”(in some cases with a capital R) with a space before the first letter. It’s part of a campaign with the same method that is also spreading the GlobeImposter and GandCrab ransomware.
As early as Friday of last week, Duncan reports, this campaign started using password-protected Word documents. The email message to the recipient says something like the attached file is password protected to protect against identity theft, with the password “resume.” Opening the document prompts the user to enter the password, and then a request to enable macros. Those macros that will cause the computer to retrieve a malware binary over HTTP using TCP port 80.
The malware then encrypts the victim’s hard drive.
In the case of Sigma ransomware Duncan found, the ransom demanded for a decryption key is $400 in bitcoin. The price one researcher found in November was $1,000.
The resume campaign Duncan found differs from the Sigma campaign discovered last November by other researchers. The email message in that effort was a threat that the recipient was about to be charged a certain amount of money on their Mastercard or Visa if they didn’t open the attached — and password-protected — file.
“As always, properly-administered Windows hosts are not likely to get infected,” writes Duncan. To infect their computers, users would have to bypass Protected View and ignore security warnings about activating macros on a Word document. System administrators and the technically inclined can also implement best practices like Microsoft’s Software Restriction Policies (SRP) or AppLocker to prevent these types of infections.
