An email has been going around recently, purporting to be from energy company AGL, that presents a fake bill and then sends you to a fake webpage to download a copy. What you get instead is a .zip file that, when opened, encrypts your entire machine and prevents you from using it until a ransom is paid. This is known as ransomware. Your options are to pay up, or wipe the machine and start over. Some ransomware variants will also attempt to infect other devices on your network, including other PCs and NAS backup devices, and encrypt them as well.
This particular variant of ransomware requires a bit over 1.2 bitcoin to be paid, or $640 USD to be exact (around $880 AUD) to be unlocked. Worse still, even if you pay to unlock it, the malware remains on the PC and will continue to record keystrokes and mouse movements until removed. Fairfax reports that so far over 10,000 people in Australia have fallen victim to the scam, which targets users of large corporations hoping to get them to infect those networks with the aim being to gain access to “legitimate corporate emails which can be used to send the scam on”.
An analysis by Check Point (a malware monitoring website) found that at least 10,000 people had downloaded the ransomware module and were “very likely to have been infected”, while many more “could have been affected”. The fake website used in the scam uses domains such as “checkyourbills.com” and “electricitybill.com” to look legitimate. However, there are several signs that this email is not legitimate.
The first is the .zip file it wants you to download. Companies do not normally send out a .zip file; they will send a .pdf or something similar for a textual document like a bill. You should never open a .zip or .exe file from a source that you do not trust, and even then verify that the source is legitimate and not pretending to be something you trust. Also, attempting to open the .zip file on a Mac or smartphone gives an error message prompting you to use a Windows PC, another sign that something is not right.
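The two warning signs above (a .zip attachment and links pointing at a domain other than the sender's) can be checked automatically. The following is an added example, not part of the original article: it parses a constructed sample message modelled on the scam and reports those indicators, assuming a .eml-style raw message as input.

```python
import re
from email import message_from_string
from email.message import Message
from typing import List
from urllib.parse import urlparse

# Constructed sample modelled on the scam described above; not a real message.
SAMPLE_EML = """\
From: AGL Billing <billing@agl.com.au>
To: customer@example.com
Subject: Your AGL e-Account is ready
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Your bill is ready. <a href="http://checkyourbills.com/bill/1234">View your bill</a></p>
--b1
Content-Type: application/zip; name="AGL_Bill.zip"
Content-Disposition: attachment; filename="AGL_Bill.zip"

UEsDBA==
--b1--
"""

# Attachment types a bill would never legitimately arrive as.
RISKY_EXTENSIONS = (".zip", ".exe", ".scr", ".js")
HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)


def sender_domain(msg: Message) -> str:
    """Domain of the From: address, e.g. 'agl.com.au'."""
    return msg.get("From", "").split("@")[-1].strip("> ").lower()


def find_indicators(raw: str) -> List[str]:
    """Return human-readable findings: risky attachments and off-domain links."""
    msg = message_from_string(raw)
    sdomain = sender_domain(msg)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment: {name}")
        if part.get_content_type() in ("text/html", "text/plain"):
            body = part.get_payload(decode=True).decode(errors="replace")
            for url in HREF_RE.findall(body):
                host = (urlparse(url).hostname or "").lower()
                # A link is suspicious when its host is not the sender's domain or a subdomain of it.
                if host and host != sdomain and not host.endswith("." + sdomain):
                    findings.append(f"link to {host} does not match sender domain {sdomain}")
    return findings
```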
Any users who have received the email should delete it, run antivirus and anti-malware software, and add the sender to their junk email list. ACTEW AGL had this to say on the matter:
The scam email presents as an e-Account and asks readers to click on a link. AGL advises it will never send an email asking for personal banking or financial details.
Anyone receiving a suspicious email should delete it immediately or, if opened, not click on any links within the email. Anyone with concerns relating to this scam email should call AGL on 131 245 or contact Scamwatch on 1300 795 995.
If you have been infected, and are planning on paying the ransom, please consult with an IT Professional. You will need to make sure the malware is properly removed after recovering the system and it wouldn’t hurt to involve the IT Pro in the payment phase as well so you can avoid common Bitcoin mistakes.