Phishing Example: Messages containing Locky malware

August 24, 2016

What makes this a Phishing message?

There has been a recent spate of email messages to campus carrying the Locky ransomware in file attachments.  The content and style of the messages are very similar:

  • Note the suspicious sender addresses - both use the same format, a surname followed by a number (Curtis.8271, Richmond.87413) at a domain that has nothing to do with the supposed sender.  The first is a Brazilian (.br) domain.
  • Like spam generated by spambots, the messages open with a generic greeting ("Hello," / "Hi,") and are not addressed to a specific person.
  • Both have the same signature block, with the same spelling mistake ("King regards" instead of "Kind regards"), followed by a random-looking hexadecimal string in parentheses ("Digital-Signature", "Topic-ID") that is not a real signature of any kind.

Opening the attachment runs the malware, which encrypts the files on the computer (and potentially on any mapped network shared drives) and then displays a ransom message on the screen.  The reliable way to recover from Locky is to restore the files from a clean backup taken before the infection.
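The indicators above can be turned into a mechanical triage check. The Python below is an added example, not code from the original page or from the campus security team: it parses each message with the standard library's email module and flags a Surname.digits sender, a generic greeting, the "King regards" sign-off, the parenthesised hex token, and the presence of a file attachment. The message texts are reconstructed from the two samples shown on this page; their MIME structure, the attachment filenames, and the benign control message are constructed for this example.

```python
"""Heuristic triage for the Locky lure pattern described on this page.

Added example, not code from the original page.  Sample messages are
reconstructed from the page; MIME structure, attachment names and the
benign control message are constructed for the example.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Greetings that address nobody in particular (assumed, non-exhaustive list).
GENERIC_GREETINGS = {"hello", "hi", "greetings", "dear customer", "dear sir/madam"}
# Local part "Surname.<digits>" as seen in both samples (Curtis.8271, Richmond.87413).
SENDER_RE = re.compile(r"^[A-Za-z]+\.\d{3,}@")
SIGNOFF_RE = re.compile(r"\bking regards\b", re.IGNORECASE)
# "(Digital-Signature: f0a0...)" / "(Topic-ID: b0b8...)": a label plus 32+ hex digits.
TOKEN_RE = re.compile(r"\(([A-Za-z-]+):\s*([0-9a-f]{32,})\)", re.IGNORECASE)


def body_text(msg: Message) -> str:
    """Return the first text/plain part that is not itself an attachment."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            raw = part.get_payload(decode=True) or b""
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def attachment_names(msg: Message) -> list:
    """Filenames of every MIME part that carries one."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def triage(raw: str) -> dict:
    """Parse one raw message and report which lure indicators it matches."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    body = body_text(msg)
    findings = []
    if SENDER_RE.match(sender):
        findings.append("sender local-part is Surname.digits")
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    greeting = lines[0].rstrip(",:!").lower() if lines else ""
    if greeting in GENERIC_GREETINGS:
        findings.append("generic greeting '%s'" % greeting)
    if SIGNOFF_RE.search(body):
        findings.append("misspelled sign-off 'King regards'")
    token = TOKEN_RE.search(body)
    if token:
        findings.append("random hex token labelled '%s'" % token.group(1))
    names = attachment_names(msg)
    if names:
        findings.append("file attachment: %s" % ", ".join(names))
    return {"from": sender, "findings": findings, "score": len(findings)}


# Reconstructed from the page; attachment part and boundary are constructed.
LURE_CONTRACT = """From: Curtis.8271@brasiltelecom.net.br
Date: Wed, 24 Aug 2016 20:29:58 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Hello,

Please sign the attached contract with our technical service company for 2016 - 2017.
We would appreciate your quick response.


King regards,
Cynthia Curtis

(Digital-Signature: f0a0e01386d19b03736165288026cc97e325560c78700e95)
--b1
Content-Type: application/zip; name="contract.zip"
Content-Disposition: attachment; filename="contract.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

LURE_STATEMENT = """From: Richmond.87413@ontheriverwoodstock.com
Date: Wed, 24 Aug 2016 08:44:09 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="utf-8"

Hi,

The monthly financial statement is attached within the email.
Please review it before processing.

King regards,
Pete Richmond

(Topic-ID: b0b82053c611db43b3a1a568c0660cd72365964cb8b04ed5)
--b2
Content-Type: application/zip; name="statement.zip"
Content-Disposition: attachment; filename="statement.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b2--
"""

# Constructed control message: personal greeting, plain sign-off, no attachment.
BENIGN = """From: Alice Smith <alice.smith@example.edu>
Date: Wed, 24 Aug 2016 09:00:00 -0700
Content-Type: text/plain; charset="utf-8"

Hi Bob,

Here are the meeting notes from this morning.

Best regards,
Alice
"""

if __name__ == "__main__":
    for raw in (LURE_CONTRACT, LURE_STATEMENT, BENIGN):
        result = triage(raw)
        print("%s -> score %d" % (result["from"], result["score"]))
        for finding in result["findings"]:
            print("   -", finding)
```

Each lure scores 5 of 5 indicators while the control message scores 0; in practice a mail gateway would combine a score like this with attachment type and sandbox results rather than act on the text alone.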


Original Messages:

From: Curtis.8271@brasiltelecom.net.br
Date: Wed, 24 Aug 2016 20:29:58 -0700

Hello,

Please sign the attached contract with our technical service company for 2016 – 2017.
We would appreciate your quick response.


King regards,
Cynthia Curtis

(Digital-Signature: f0a0e01386d19b03736165288026cc97e325560c78700e95)

From: Richmond.87413@ontheriverwoodstock.com
Date: Wed, 24 Aug 2016 08:44:09 -0700

Hi,

The monthly financial statement is attached within the email.
Please review it before processing.



King regards,
Pete Richmond

(Topic-ID: b0b82053c611db43b3a1a568c0660cd72365964cb8b04ed5)

Warning:  The links and email addresses included in these messages are from real-life examples; do not attempt to explore them.

The most dangerous links have been removed.  For the links that remain, you can hover your cursor over them to see the original address in a pop-up tooltip (instead of in the corner of the browser window).

How to report phishing:

  • Open the message
  • To the right of the 'Reply' arrow, select 'More' (typically denoted with three vertical dots)
  • Then select 'Report phishing'

If you are unable to log in to bMail, forward the message to phishing@berkeley.edu.