Craigslist has always been considered something of an unpredictable blessing. The reason is the unpredictable nature and tenacity with which both the site and its users deal with the site’s options. For example, there have been several reports over the years of kidnapping gangs and extortionists using Craigslist to lure and kidnap several people. The site’s owners have in most cases offered a stricter membership procedure, but it has not amounted to anything substantial in all these years.
This week, it emerged that a new self-replicating virus was menacing users through a Craigslist mail spam campaign while pretending to be an official Craigslist account. Not only is it an effective means of infecting several Craigslist and non-Craigslist customers, but it is also a potent way of ensuring the efficient distribution of the Sigma Ransomware. The email being sent comes with a password-protected Word or RTF file which automatically downloads the Sigma Ransomware executable from the remote site and keeps installing it on as many computers as it has access to.
The email comes with its own unique subject line, which targets each user randomly and relates to a variety of subjects. The most common of the subjects is job postings on Craigslist, which are labeled “Gigs”. A similar Sigma malspam campaign was witnessed last year, which came in the form of resumes or CVs from successful candidates and tips on how recipients could make their own CV look just as impressive. A similar password-protected Word or RTF file was attached to those as well.
The downloaded password-protected file will then ask the user to enable the editing option on the file. Once the user does this, an embedded VBA script is launched, which simultaneously downloads the Sigma Ransomware. The software also contains a svchost.exe file which will begin encrypting the computer and all the files on it.
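A defender's view of the chain described above, as an added example that is not part of the original article: it checks process-creation events for Word spawning another program and for a svchost.exe that is not the genuine Windows one (which lives in System32 or SysWOW64 and is started by services.exe). The events, the user name and the Temp drop path are constructed sample data; the article does not say where Sigma places its svchost.exe.

```python
# Added example: heuristic checks for the behaviour the article describes.
# All events below are constructed sample data, not logs from a real infection.
import ntpath

OFFICE = {"winword.exe"}
# Directories where the genuine Windows svchost.exe resides.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

EVENTS = [  # (parent image, child image), constructed
    (r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe"),
    # Assumed drop location for the fake svchost.exe (not stated in the article).
    (r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     r"C:\Users\alice\AppData\Local\Temp\svchost.exe"),
    (r"C:\Windows\explorer.exe",
     r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\svchost.exe"),
]

def findings(parent, child):
    """Return the reasons a process-creation event looks suspicious."""
    reasons = []
    p_name = ntpath.basename(parent).lower()
    c_dir, c_name = (s.lower() for s in ntpath.split(child))
    # A document's macro starting another program shows up as Word's child.
    if p_name in OFFICE and c_name not in OFFICE:
        reasons.append("office-spawned-process")
    if c_name == "svchost.exe":
        if c_dir not in SYSTEM_DIRS:
            # Same file name as the system binary, wrong directory.
            reasons.append("svchost-outside-system-dir")
        elif p_name != "services.exe":
            # Right directory, but not launched by the service manager.
            reasons.append("svchost-unexpected-parent")
    return reasons

def scan(events):
    """Return (child image, reasons) for every event with at least one finding."""
    return [(child, r) for parent, child in events if (r := findings(parent, child))]

if __name__ == "__main__":
    for child, reasons in scan(EVENTS):
        print(child, "->", ", ".join(reasons))
```
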
As opposed to most ransomware, users won’t find a different attachment attached to these. But there is a file marker and an encrypted code that comes attached to each file. There is also a ransom note attached which tells users how they can pay the ransom amount and gives the exact details of how the payment should be made. As of right now, the payment would be $400; after 7 days it would double to $800.