There is a new ransomware making the rounds which is typically initiated from an email attachment. Below is a picture of the original message received.
The new version started making the rounds yesterday: June 5th. Instead of an attachment, the email contains a link to a fax and lists Dropbox.com as the host. Once clicked, the virus installs and starts encrypting all your files on your local hard drive and any network shares you have as well. Once it has encrypted the local drive, it will pop up a warning stating it has encrypted your files with instructions on how to pay to get the decryption key. Any folder that has been encrypted will have three files named Decrypt Instructions. IF YOU HAVE REACHED THIS POINT, YOUR ONLY OPTION IS TO PAY AND HOPE THEY STICK TO THEIR WORD OR RESTORE FROM BACKUPS IF YOU HAVE BACKUPS OF YOUR LOCAL FILES. It can also encrypt your program files so a complete wipe and reinstall with no recovery of old files may be needed.
The email states it comes from fax@yourdomain. It then goes on to state that it comes from a printer in your organization but usually it is a model you do not own. There is then a link to a Dropbox file that is the actual infection. This is probably a Dropbox account that has been hacked and is being used without the owner’s knowledge.
The best method to avoid items like this is to delete and ignore. If you are not certain about the email, never take the risk. If you are expecting a fax, check with the sender to see how they sent it.
From: fax [mailto:fax@ooooooo]
Sent: Thursday, June 05, 2014 10:30 AM
Subject: You’ve received a new fax
New fax at SCAN2185609 from EPSON by https://oooooooo Scan date: Thu, 5Jun2014 15:30:14+0100 Number of Resolution: 400x400 DPI
You can download your fax message at:
(Dropbox is a file hosting service operated by Dropbox, Inc.)