
Ransomware spreading through fake email notices from prosecutors

It’s the most wonderful time of the year! Yes, Christmas season is here and everyone has the jolly spirit.

Wait, Christmas was more than two weeks ago. So why is there Christmas-themed ransomware going around right now?

That’s right: scammers are sending malicious emails that infect your gadget with the Merry Christmas ransomware. It is possible that this campaign comes from Russian or Eastern European actors, since Orthodox Christians do not celebrate Christmas until January 7, which would make early January a perfectly reasonable time for a Christmas-themed lure.

How Merry Christmas ransomware attack works

Cybercriminals are sending malicious spam emails to unsuspecting victims. There are two different versions of the emails and they both claim to be from official sources.

One email claims to be a notice from the court. It says that the email’s recipient has been using illegal software and must attend a hearing in the court of their city. Here is an example email:

[Image: sample court-notice email; source: SANS Internet Storm Center]

For more information on the case, a link is provided. The link is disguised as a PDF document, but clicking it downloads a zip archive instead.

There is no PDF inside. The zip archive contains a Word document carrying a malicious macro, and it is the macro, not the document itself, that downloads and installs the ransomware. Word disables macros by default and shows an "Enable Content" bar when such a document is opened; if you do not enable macros, the macro cannot run and the ransomware is never installed.

If macros are enabled, the ransomware executes and your files are encrypted. Here is an example of the ransom note:

[Image: sample Merry Christmas ransom note; source: SANS Internet Storm Center]

The second malicious email works exactly the same way as the one claiming to be from the court, except that it claims to be from the Federal Trade Commission.

The email says the recipient’s company is being investigated for violating the Consumer Credit Protection Act. Again, a malicious link is disguised as a PDF document, and clicking it results in the same zip-then-macro infection chain described above.
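The delivery chain used by both lures is the same: a link that looks like a PDF, a zip archive, and a Word document whose macro installs the ransomware. The following is an added example (not code from the article or from the SANS Internet Storm Center write-up) of a triage script that checks such a download the way a mail gateway or a cautious analyst would: it classifies the real file type from the leading bytes rather than the name, walks into zip archives, and flags OOXML Word packages that carry a VBA project (`word/vbaProject.bin` or the macro-enabled content type). Legacy binary `.doc` files (OLE compound files) are only flagged for manual inspection, because locating their macro streams needs an OLE parser that this example deliberately omits. Every sample file, including the `court_notice.pdf.zip` lure, is constructed in memory below; none is a real artifact from the campaign.

```python
"""
Added example: triage a downloaded file that is "presented as a PDF".
Real type comes from magic bytes; zip archives are walked; OOXML Word
packages with a VBA project are flagged. Samples are constructed below.
"""
import io
import zipfile

# Leading bytes -> real file type (checked regardless of the name shown to the user)
MAGICS = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",                          # zip archive or OOXML document
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",    # legacy .doc/.xls/.ppt container
    b"MZ": "pe",                                   # Windows executable
}
MACRO_CONTENT_TYPE = b"application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CONTENT_TYPE = b"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"


def real_type(data: bytes) -> str:
    """Classify a blob by its first bytes; the file name is never trusted."""
    for magic, name in MAGICS.items():
        if data.startswith(magic):
            return name
    return "unknown"


def ooxml_has_macros(data: bytes) -> bool:
    """True if an OOXML Word package (docx/docm) carries a VBA project."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "word/vbaProject.bin" in names:
            return True
        if "[Content_Types].xml" in names:
            return MACRO_CONTENT_TYPE in z.read("[Content_Types].xml")
    return False


def triage(filename: str, data: bytes) -> list:
    """Return human-readable findings for one downloaded file, recursing into zips."""
    findings = []
    base = filename.rsplit("/", 1)[-1].lower()
    kind = real_type(data)
    # The lure shows a PDF; a ".pdf" or "name.pdf.zip" label on non-PDF content is the tell.
    if (base.endswith(".pdf") or ".pdf." in base) and kind != "pdf":
        findings.append(f"{filename}: presented as PDF but content is {kind}")
    if kind == "pe":
        findings.append(f"{filename}: Windows executable")
    elif kind == "ole":
        findings.append(f"{filename}: legacy binary Office document, inspect OLE streams for macros")
    elif kind == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                inner = z.namelist()
                if "[Content_Types].xml" in inner:          # the zip is itself an OOXML document
                    if ooxml_has_macros(data):
                        findings.append(f"{filename}: Word document with VBA macros")
                else:                                        # an ordinary archive: look inside
                    for name in inner:
                        findings.extend(triage(f"{filename}/{name}", z.read(name)))
        except zipfile.BadZipFile:
            findings.append(f"{filename}: claims to be zip but cannot be parsed")
    return findings


def _ooxml(with_macros: bool) -> bytes:
    """Construct a minimal OOXML Word package (a stand-in, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        ctype = MACRO_CONTENT_TYPE if with_macros else PLAIN_CONTENT_TYPE
        z.writestr("[Content_Types].xml",
                   b'<Types><Override PartName="/word/document.xml" ContentType="' + ctype + b'"/></Types>')
        z.writestr("word/document.xml", b"<w:document/>")
        if with_macros:
            # A real vbaProject.bin is an OLE container; its header is enough for this sample.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
    return buf.getvalue()


def _zip_of(name: str, data: bytes) -> bytes:
    """Wrap one file in a zip archive, as the lure's download does."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(name, data)
    return buf.getvalue()


# Constructed samples: the lure shape (zip around a macro document) and a benign archive.
LURE = _zip_of("court_notice.doc", _ooxml(with_macros=True))
BENIGN = _zip_of("invoice.docx", _ooxml(with_macros=False))

if __name__ == "__main__":
    for fn, blob in [("court_notice.pdf.zip", LURE), ("invoice.zip", BENIGN), ("report.pdf", b"%PDF-1.7\n")]:
        print(fn, "->", triage(fn, blob) or ["no findings"])
```

The two findings on the constructed lure (a PDF label on zip content, then a Word document with a VBA project inside) are exactly the two signals worth blocking on. For legacy binary `.doc` files, which this script only flags, a full check needs an OLE parser such as `olevba` from the oletools project.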

The Merry Christmas ransomware attack has been evolving since its discovery. The MalwareHunterTeam recently found a version of this ransomware attack that also deploys DiamondFox malware.

Essentially, DiamondFox is data-stealing botnet malware, so a victim of this newer version has to worry about stolen credentials and data as well as encrypted files.

Handling a ransomware attack

Some law enforcement agencies recommend not paying if you are a victim of a ransomware attack, because there is no guarantee you will get your files back. Some of the criminals behind these attacks claim they will return victims’ files once the ransom is paid, but in some campaigns the files are simply deleted the moment the gadget is infected, so there is nothing left to return.

Obviously, it’s best not to be infected with ransomware in the first place. With that in mind, here are some recommendations from the FBI to prevent ransomware attacks:

  • Back up data regularly – this is the best way to recover your critical data if you are infected.
  • Make sure your backups are secure – keep them offline or otherwise disconnected from the computers and networks they protect, so that ransomware cannot encrypt the backups along with everything else.
  • Never open risky links in emails – and don’t open attachments from unsolicited emails, even when they claim to come from a court or a government agency.
  • Download only trusted software – make sure the software you download comes from trusted sites.
  • Have strong security software – it can block the installation of ransomware on your gadget, provided you keep it updated.
