Ransomware Attack from Spam Emails

Security Advisory: AE-Advisory 16-30
Criticality: Critical
Advisory Released On: 18 August 2016
Impact: Encrypts all files on the affected target, making them inaccessible.
Solution: Navigate to the Solution section for more information.
Affected Platforms: Devices running the Windows operating system.

Summary

aeCERT has identified several entities that have been infected through spam emails containing a macro virus that delivers ransomware. Ransomware is malware that encrypts the data on an infected machine; the attacker will not decrypt the data until the victim pays the requested ransom.

Threat Details

On 16 August 2016, two entities reported that they had been infected with ransomware after some employees accidentally clicked on the attachment of what seemed to be a spam email from [email protected], which contained a macro virus. The next day, other entities also reported receiving several spam emails from the same email address.

A macro virus is a virus written in a macro language that infects software applications such as Microsoft Office (e.g. Microsoft Word, Microsoft Excel, Microsoft PowerPoint, etc.). This virus usually causes a sequence of commands or actions to be performed automatically when the program is opened or when the code is triggered. Most of the affected file types have an extension ending with an M, which stands for macro (e.g. .DOCM, .XLM, .PPTM, etc.).

Solution

As of now, the solution consists of mitigation strategies that can prevent infection by the ransomware discussed. Individuals and organizations wishing to avoid being compromised should adhere to the following advice:

  • Ensure that software on computers, servers and web applications is regularly updated to prevent known vulnerabilities from being exploited.
  • Treat unsolicited emails with suspicion. Targeted attacks frequently distribute malware through malicious links and attachments in emails.
  • Block all emails coming from [email protected].
  • Keep security software up to date with the latest definitions.
  • Avoid files with the extension .DOCM/.XLM...etc.

If a device is infected by ransomware, the following steps should be taken to minimize impact:

  o Isolate infected machine(s).
  o Remove access to all the default network shares the infected user(s) have access to.
  o Scan the machine(s) with updated anti-virus.

Contact Us

aeCERT
P.O. Box 116688
Dubai, United Arab Emirates
Tel: (+971) 4 230 0003
Fax: (+971) 4 230 0100
Email: info[at]aeCERT.ae

For secure communications with aeCERT regarding sensitive or vulnerability information, please send your correspondence to aeCERT[at]aeCERT.ae.
