Microsoft is Warning Christmas Shoppers about Ransomware


In a new post on its Malware Protection Center blog, software giant Microsoft has warned customers that cybercriminals are targeting online shoppers with ransomware delivered through a phishing campaign.

Cybercriminals and malware authors are pushing Cerber, a strain of ransomware, through a phishing campaign that purports to notify targets about impending charges on their credit cards. The ‘helpful’ email also provides instructions on how to avoid these charges, via an attached document. Unsuspecting individuals can fall prey to the scam, which delivers the Cerber ransomware instead.

The emails aren’t without their flaws, and close scrutiny reveals a number of red flags. For instance, the sender’s name at the foot of the message has no relation to the email address it was sent from, and digits are missing from the supposed pending charges.

Highlighting the flaws, the Microsoft blog read:

The email itself is crude and shows almost no attempt to feign legitimacy. It contains some typographical errors, such as the missing number between the dollar sign and the comma in our sample. Also, users who are careful enough will likely notice that the sender address does not match the signatory.

Still, the emails are deemed effective malware vectors because they press for an urgent remedy by insisting that victims open the attached document. The payload is a macro downloader embedded in a Word document. Although every edition of Word from Office 2010 onward disables macros by default in ‘Protected View’, the malware authors even included instructions for enabling macros so that the payload would run.
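The two red flags described above, a message body that tells the recipient to enable macros and a Word attachment that carries a VBA project, can be checked mechanically. The following triage script is an added example, not code from Microsoft or from the original article; the message and the minimal macro-enabled Word container it inspects are constructed inline.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Phrases a lure uses to talk the recipient past Protected View (constructed list).
ENABLE_MACRO_PHRASES = ("enable content", "enable macros", "enable editing")


def build_sample_docm() -> bytes:
    """Constructed minimal OOXML package; real documents hold many more parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder VBA blob
    return buf.getvalue()


def has_vba_project(data: bytes) -> bool:
    """True if the OOXML package contains a VBA project part, i.e. it is macro-enabled."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(name.lower().endswith("vbaproject.bin") for name in z.namelist())
    except zipfile.BadZipFile:
        return False  # not an OOXML container at all


def triage(msg: EmailMessage) -> list[str]:
    """Return the red flags found in one message."""
    flags = []
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    if any(p in body for p in ENABLE_MACRO_PHRASES):
        flags.append("body instructs recipient to enable macros")
    for part in msg.iter_attachments():
        if has_vba_project(part.get_payload(decode=True)):
            flags.append(f"attachment {part.get_filename()} contains a VBA project")
    return flags


def build_sample_message() -> EmailMessage:
    """Constructed lure modelled on the campaign: fake pending charge plus .docm attachment."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "billing@example.invalid"  # constructed sender
    msg["Subject"] = "Pending charge on your card"
    msg.set_content("A charge of $,00 is pending. Open the attached document and "
                    "click Enable Content to cancel it.\n\nRegards,\nSomeone Else")
    msg.add_attachment(build_sample_docm(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="charges.docm")
    return msg
```

A mail gateway would run triage() over each inbound message and quarantine anything returning a non-empty list; the VBA check also catches macro projects hidden inside a .docx extension, since it inspects the package rather than the file name.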

The Cerber ransomware is often found in Russian underground forums and is notably geofenced: before running, it checks whether the potential victim is located in Russia or in one of the former Soviet states. If the victim is located in that region, the ransomware won’t run.

Microsoft recommends that Windows users update its built-in security software, Windows Defender, to the latest definitions in order to detect and avoid this strain of ransomware.