
A spam campaign is touting the benefits of Visa Total Rewards as a lure to trick users into downloading Teslacrypt ransomware onto their computers.

Joji Hamada of Symantec explains in a post to the company’s Security Response blog that the fake emails come with an archive file attachment.

The document purports to be a whitepaper containing information about the benefits of Visa Total Rewards. In actuality, it is an obfuscated JavaScript file (detected as JS.Downloader) that, if opened, downloads Teslacrypt ransomware onto the victim’s machine.

Once the ransomware payload has executed, a ransom message appears on the infected computer.

On a separate page, the malware authors demand a payment of 1.2 Bitcoins (approximately US$500) from the victim within 160 hours in order for the user to regain access to their encrypted files. If that transaction is not received or processed in time, the ransom doubles to US$1000.

[Image: Teslacrypt ransomware. Source: Security Response]

The ransomware developers provide victims with instructions on how they can purchase Bitcoins to ensure the success of their attack. They also provide users with the option of decrypting one file for free.

A majority of the victims affected by this spam campaign are located in English-speaking countries, with the United Kingdom and the United States accounting for more than three-quarters (76 percent) of the fake emails’ distribution.

The spam campaign has been active since February 17. Hamada explains that the peak may have passed already. However, that’s not to say the Teslacrypt authors couldn’t renew the campaign’s vigor in the coming days or weeks.

“We may also come across spam runs using similar baits, so users need to be wary when receiving these types of messages in their mailboxes,” the researcher warns. “Users must be especially vigilant if the email has an attachment with a JavaScript file inside, which is highly unusual.”

Users should keep regular back-ups of their data as well as avoid opening files attached to suspicious emails.
