eScan, one of the leading Anti-Virus and Content Security Solution providers, warns IT users of a Ransomware that has been creating havoc in the Indian sub-continent since the evening of January 19, 2015 (IST). The Ransomware is capable of encrypting all user document files stored on the systems it infects, and it then demands a ransom of 8 Bitcoins to decrypt them.
How could this happen?
eScan detects this as Trojan.Agent.BHHK. The Ransomware enters the system through an email masquerading as a FAX receipt / pages. It then urges the user to save the attached compressed file and execute the file contained within it in order to view the FAX. When executed, the file encrypts all of the user's document files and asks for a ransom of 8 Bitcoins, which is approximately 1600 USD.
One of the malicious emails is reproduced below:
Image 1 – What the malicious email looks like.
Image 2 – The executable file which exists within the compressed file.
Image 3 – Message displayed demanding Ransom after the system is infected and the documents are encrypted.
It is to be noted that in the near future, cyber criminals may change the icon of the executable to make it look like a Word document or a PDF file. As the number of computer systems infected by this Ransomware is on the rise and almost all of the reported cases are from the Indian sub-continent, we at eScan are issuing this advisory so that further infections are prevented.
How to avoid this?
Here are a few preventive steps that eScan suggests for end users and administrators:
- Do not save / open attachments which are specifically related to FAX receipts.
- Exercise caution while handling emails whose subject contains the word FAX / pages.
- Be wary of opening emails from unknown sources.
- Update your Anti-virus software. Ensure that mail gateways are properly fortified with the blocking and scanning mechanisms.
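The gateway-side check the last two steps call for can be automated. The following is an added example, not eScan's own code or tooling: it flags mail whose subject carries the FAX / pages lure and opens any ZIP attachment to see whether an executable is inside. It looks at the member's file extension, so changing the icon to a Word or PDF look-alike (as the advisory anticipates) does not evade it. The sample message, the `example.invalid` addresses and the extension lists are constructed for the example.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage

# From the advisory: FAX/pages subject lure, a compressed attachment, an executable inside it.
LURE_WORDS = ("fax", "pages")
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")

def is_executable(name: str) -> bool:
    """Case-insensitive check on the final extension, so 'FAX.pdf.exe' is caught too."""
    return name.lower().endswith(EXEC_EXT)

def inspect_message(msg: EmailMessage) -> list[str]:
    """Return the reasons a message matches the FAX-lure pattern (empty list if none)."""
    reasons = []
    subject = str(msg["subject"] or "")
    if any(w in subject.lower() for w in LURE_WORDS):
        reasons.append(f"subject contains lure word: {subject!r}")
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if not fname.lower().endswith(".zip"):
            continue
        try:  # open the archive in memory and list its members without extracting them
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            reasons.append(f"attachment {fname!r} is not a readable ZIP")
            continue
        bad = [m for m in members if is_executable(m)]
        if bad:
            reasons.append(f"archive {fname!r} contains executable(s): {bad}")
    return reasons

def build_sample() -> EmailMessage:
    """Constructed sample mail (not a real campaign artifact): a ZIP holding a double-extension .exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("FAX_receipt.pdf.exe", b"placeholder bytes, not a real binary")
    msg = EmailMessage(policy=policy.default)
    msg["Subject"] = "Your FAX - 2 pages received"
    msg.set_content("Please open the attached file to view your FAX.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="FAX_20150119.zip")
    return msg

if __name__ == "__main__":
    for reason in inspect_message(build_sample()):
        print("FLAG:", reason)
```

A real gateway would feed each inbound message (parsed with `email.message_from_bytes(raw, policy=policy.default)`) to `inspect_message` and quarantine anything that returns a non-empty list.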