Malspam campaign spreading three varieties of ransomware

After a two-month drop in incident volume, the Sigma ransomware is spreading again through an email campaign that purports to come from a job seeker and pushes an infected Microsoft Word resume.

That’s the conclusion of security researcher Brad Duncan, who writes regularly for the SANS Institute’s InfoSec Handlers Diary Blog. The sending addresses, subject lines, email headers and message text vary, but the Word attachment is consistently named " resume.doc" (in some cases with a capital R), with a space before the first letter. It is part of a campaign using the same method that is also spreading the GlobeImposter and GandCrab ransomware.

As early as Friday of last week, Duncan reports, this campaign began using password-protected Word documents. The email tells the recipient something to the effect that the attached file is password protected to guard against identity theft, and supplies the password “resume.” Opening the document prompts the user for the password and then asks them to enable macros. Those macros cause the computer to retrieve a malware binary over HTTP on TCP port 80.
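The indicators above (an attachment named "resume.doc" with a leading space, a legacy OLE .doc container, and lure text offering a password "to protect against identity theft") are concrete enough to triage at the mail gateway. The following Python script is an added example, not code from the article or from Duncan's write-up: it parses a raw message with the standard library, reports which indicators are present, and marks a message as matching the campaign only when the attachment name, the container type and the lure text all line up. The sample message is constructed here to mirror the article's description and is not a real capture; the sender addresses, the multipart boundary and the OLE payload are all assumptions.

```python
import base64
import email
import re
from email.message import Message

# Magic bytes of an OLE2 compound file, the container used by legacy .doc files.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# The campaign attaches " resume.doc" (leading space, sometimes a capital R).
# \s* rather than \s+ so a gateway that strips the space still gets the name hit.
RESUME_NAME = re.compile(r"^\s*resume\.doc$", re.IGNORECASE)
# Raw Content-Disposition header whose quoted filename begins with whitespace.
LEADING_SPACE = re.compile(r'filename\s*=\s*"\s+', re.IGNORECASE)

# Phrases from the lure text described in the article; all three must appear.
LURE_PHRASES = ("password", "identity theft", "resume")


def iter_attachments(msg: Message):
    """Yield (filename, raw Content-Disposition header, decoded payload) per attachment."""
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        # get_param() keeps the leading whitespace that get_filename() would strip.
        name = part.get_param("filename", "", "content-disposition")
        if isinstance(name, tuple):  # RFC 2231 encoded value: (charset, language, value)
            name = name[2]
        raw_disposition = str(part.get("Content-Disposition", ""))
        yield name, raw_disposition, part.get_payload(decode=True) or b""


def body_text(msg: Message) -> str:
    """Concatenate the text/plain parts that are not attachments, lower-cased."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and part.get_content_disposition() != "attachment":
            charset = part.get_content_charset() or "utf-8"
            chunks.append((part.get_payload(decode=True) or b"").decode(charset, "replace"))
    return "\n".join(chunks).lower()


def triage_message(raw: bytes) -> dict:
    """Return which campaign indicators a raw RFC 822 message exhibits."""
    msg = email.message_from_bytes(raw)
    hits = {"resume_doc_name": False, "leading_space": False,
            "ole_container": False, "lure_text": False}
    for name, disposition, payload in iter_attachments(msg):
        if RESUME_NAME.match(name):
            hits["resume_doc_name"] = True
            if LEADING_SPACE.search(disposition):
                hits["leading_space"] = True
            if payload.startswith(OLE_MAGIC):
                hits["ole_container"] = True
    if all(phrase in body_text(msg) for phrase in LURE_PHRASES):
        hits["lure_text"] = True
    # Require the three independent indicators together to keep false positives low.
    hits["campaign_match"] = hits["resume_doc_name"] and hits["ole_container"] and hits["lure_text"]
    return hits


def build_sample(filename: str = " resume.doc") -> bytes:
    """Constructed lure message mirroring the article's description (not a real capture)."""
    doc = base64.b64encode(OLE_MAGIC + b"\x00" * 24).decode()  # stand-in for the .doc body
    return (
        "From: applicant@example.invalid\r\n"
        "To: hr@example.invalid\r\n"
        "Subject: My resume\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="bnd"\r\n'
        "\r\n"
        "--bnd\r\n"
        'Content-Type: text/plain; charset="utf-8"\r\n'
        "\r\n"
        "Please see my attached resume. The file is password protected to\r\n"
        "protect against identity theft. The password is: resume\r\n"
        "--bnd\r\n"
        f'Content-Type: application/msword; name="{filename}"\r\n'
        f'Content-Disposition: attachment; filename="{filename}"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        "\r\n"
        f"{doc}\r\n"
        "--bnd--\r\n"
    ).encode()


if __name__ == "__main__":
    for label, sample in (("lure", build_sample()), ("benign name", build_sample("notes.txt"))):
        print(label, triage_message(sample))
```

The name check is deliberately case-insensitive and tolerant of a stripped space, because the article notes both a capital-R variant and that the space is the distinguishing quirk; the raw-header check records the space separately so an analyst can see it without it being required for a match. A password-protected .doc is still an OLE container, so the magic-byte check works even though the document body is encrypted.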

The malware then encrypts the victim’s hard drive.

In the Sigma sample Duncan found, the ransom demanded for a decryption key is $400 in bitcoin; the price one researcher found in November was $1,000.

The resume campaign Duncan found differs from the Sigma campaign discovered last November by other researchers. The email message in that effort was a threat that the recipient was about to be charged a certain amount of money on their Mastercard or Visa if they didn’t open the attached — and password-protected — file.

“As always, properly-administered Windows hosts are not likely to get infected,” writes Duncan. To infect their computers, users would have to bypass Protected View and ignore security warnings about activating macros on a Word document. System administrators and the technically inclined can also implement best practices like Microsoft’s Software Restriction Policies (SRP) or AppLocker to prevent these types of infections.


Howard Solomon