Example of Cerber Ransomware

I had a client fall for a ransomware email yesterday, so when I got a similar one I thought I would post it. Don’t open attachments unless you know what they are and are expecting them. I was about to say “I don’t know why you would think about opening this attachment,” but then I realized that since someone did, I should explain why it’s suspicious on the face of it, without even looking at the headers or tracking information:

  1. It says “Fwd: timlanders” – but it’s not a forward, and most people would take the time to actually put my name.
  2. I don’t know a Jeanene Celenza, which isn’t a deal breaker but it’s at least a small yellow flag considering it’s for almost $2,500.
  3. That’s one crazy email address.
  4. It was sent using a generic/free account – outlook.com, gmail.com, yahoo.com, etc. – it didn’t come from a business (one of the reasons I tell clients they should not be using gmail for business accounts).
  5. Hello timlanders – again, a legit email would most likely say “Tim Landers”.
  6. “You will be charged” – well, I guess this is the hook. Normally, though, you would have already been charged and they would have sent the receipt as a PDF, so this is kind of strange.
  7. I do have a personal Visa so they got me there – but “on your personal Visa balance” – who would say that?
  8. To avoid the charge I have to open an attachment? Why don’t you just put it in the body?
  9. You password protected the document and included the password in the email? What’s the point of that?
  10. “Faithfully yours”? But I don’t know this person – seems a little personal in that case.
  11. What’s missing? A business name, contact information, some more info, a real subject?
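Most of the points above can be turned into mechanical checks, which is how a mail filter or a help-desk triage script would catch the same message before a user opens it. The script below is an added example, not code from the original post: the two sample messages are constructed (the sender address, amounts, password and business details are made up), and the thresholds for an “odd-looking” sender address (a local part over 20 characters or containing a run of three or more digits) are my own assumptions. It uses only the Python standard library.

```python
"""Score an email for the phishing red flags discussed above.

Added example; the messages built here are constructed samples and the
thresholds are assumptions, not rules from the original post.
"""
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Free webmail providers the post calls out as a red flag for business mail.
FREEMAIL_DOMAINS = {"outlook.com", "gmail.com", "yahoo.com", "hotmail.com", "aol.com"}

# Text a real forwarded message would normally carry in its body.
FORWARD_MARKERS = ("-----original message-----", "forwarded message", "begin forwarded")
# The "hook": pressure to act to avoid a charge.
CHARGE_PHRASES = ("you will be charged", "avoid the charge", "avoid this charge")
# "password" followed within 40 characters by a token of 4+ characters.
PASSWORD_PATTERN = re.compile(r"\bpassword\b.{0,40}?\b[\w!@#$%^&*-]{4,}\b", re.IGNORECASE)
PHONE_PATTERN = re.compile(r"\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_PATTERN = re.compile(r"https?://|www\.", re.IGNORECASE)


def build_sample() -> EmailMessage:
    """Constructed message resembling the one described in the post."""
    msg = EmailMessage()
    msg["From"] = "Jeanene Celenza <jeanene.celenza.9921xq@outlook.com>"  # made-up address
    msg["To"] = "timlanders@example.com"
    msg["Subject"] = "Fwd: timlanders"
    msg.set_content(
        "Hello timlanders,\n\n"
        "You will be charged $2,498.00 on your personal Visa balance.\n"
        "To avoid the charge open the attached document.\n"
        "The document password is 4321.\n\n"
        "Faithfully yours,\nJeanene\n"
    )
    # Constructed placeholder attachment; the bytes are not a real archive.
    msg.add_attachment(b"PK\x03\x04 constructed", maintype="application",
                       subtype="zip", filename="document_4417.zip")
    return msg


def build_legit_sample() -> EmailMessage:
    """Constructed control message: a plain invoice notice from a business."""
    msg = EmailMessage()
    msg["From"] = "Accounts <billing@acme-supply.example>"  # made-up business
    msg["To"] = "timlanders@example.com"
    msg["Subject"] = "Invoice 1042 for Tim Landers"
    msg.set_content(
        "Hi Tim Landers,\n\n"
        "Invoice 1042 for March is now due. Total: $420.00.\n\n"
        "Acme Supply Co.\n(555) 010-4242\nhttps://acme-supply.example/invoices\n"
    )
    return msg


def body_text(msg: EmailMessage) -> str:
    """Return the plain-text body, or an empty string if there is none."""
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""


def red_flags(msg: EmailMessage, recipient_name: str, recipient_local: str) -> list:
    """Return the list of red-flag labels that fire for this message."""
    flags = []
    subject = str(msg.get("Subject", ""))
    body = body_text(msg)
    body_lc = body.lower()
    _, sender = parseaddr(str(msg.get("From", "")))
    local, _, domain = sender.rpartition("@")

    # 1. Subject claims to be a forward, but nothing forwarded is in the body.
    if re.match(r"\s*(fwd?|fw)\s*:", subject, re.I) and not any(m in body_lc for m in FORWARD_MARKERS):
        flags.append("fake-forward")
    # 1/5. Subject or greeting uses the mailbox name instead of the person's name.
    if recipient_local.lower() in subject.lower() and recipient_name.lower() not in subject.lower():
        flags.append("subject-uses-username")
    first_line = next((ln for ln in body.splitlines() if ln.strip()), "")
    if recipient_local.lower() in first_line.lower() and recipient_name.lower() not in first_line.lower():
        flags.append("greeting-uses-username")
    # 3. Machine-looking sender local part (threshold is an assumption).
    if len(local) > 20 or re.search(r"\d{3,}", local):
        flags.append("odd-sender-address")
    # 4. Sent from a generic/free account rather than a business domain.
    if domain.lower() in FREEMAIL_DOMAINS:
        flags.append("freemail-sender")
    # 6. Payment pressure as the hook.
    if any(p in body_lc for p in CHARGE_PHRASES):
        flags.append("payment-pressure")
    # 9. Password-protected attachment with the password in the same mail.
    if list(msg.iter_attachments()) and PASSWORD_PATTERN.search(body):
        flags.append("password-in-mail-for-attachment")
    # 11. No business contact details at all.
    if not PHONE_PATTERN.search(body) and not URL_PATTERN.search(body):
        flags.append("no-contact-details")
    return flags


if __name__ == "__main__":
    for label, m in (("suspicious", build_sample()), ("legit", build_legit_sample())):
        print(label, red_flags(m, "Tim Landers", "timlanders"))
```

The point of the control message is that none of these checks is a deal breaker on its own (a real contact can use Gmail, a real invoice can mention a charge); what makes the sample message stand out is that every one of them fires at once, which is the same conclusion the list above reaches by hand.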

Fortunately, the client sent a help request right away; I immediately got on, restarted the computer, and then removed the script. Because we caught it early it had not hit the server, and we were able to restore the few files it hit (he did not have much local data).