State and local government agencies as well as educational institutions in the US are now the targets of CryptFile2 ransomware. And, to achieve its goal the ransomware is sending out "hundreds of thousands" of spam emails. Hackers are also targeting other organisations like health care, technology companies, telecommunication firms and insurance agencies, however, to a comparatively lesser extent, according to security researchers at ProofPoint.

Between 3 and 9 August, researchers detected a surge of email spam messages distributed via the CryptFile2 ransomware. "The current campaign is the first large email-borne campaign observed for the ransomware. This campaign began with hundreds of thousands of messages on August 3, and continued with a long tail of only several thousand messages each following day," ProofPoint said.

The emails sent out by the ransomware had various subject lines and "convincing" content designed to lure victims into clicking on malicious links. The subject lines referenced American Airlines and were titled, "AmericanAirlines discount, AmericanAirlines free 100$, Bonus from AmericanAirlines, Free fly with AmericanAirlines".

"Bucking the more common trend of attaching malicious documents to emails, this campaign used embedded malicious URLs that led recipients to download Microsoft Word documents. If opened, these documents employ a social engineering lure to entice the user to enable malicious macros. The macros, in turn, download the final ransomware payload," ProofPoint explained.

Ransomware spam campaign targeted US government and educational institutions
The emails sent out by the ransomware had various subject lines and 'convincing' content designed to lure victims into clicking on malicious links iStock

According to a report by Softpedia, CryptFile2 belongs to the CrypBoss ransomware family and unlike other variants of the same, security researchers are yet to come up with a decryption code for CryptFile2.

The ransomware was previously found to infect victims via the Neutrino and Nuclear exploit kits, however, now CryptFile2 appears to have upgraded to a spam email campaign. "The number of ransomware instances in the wild continues to increase, with new variants appearing regularly. As this campaign and others like it demonstrate, sheer numbers of variants are not the only risk for users," ProofPoint said.

"Rather, shifting vectors and changing delivery methods require organizations to employ comprehensive protection solutions across both gateways and endpoints to avoid infection. In particular, the targeting in this campaign made possible through email distribution, brings increased risks to public sector organizations that may be less equipped to detect and mitigate these kinds of threats. Organizations that do not update defenses to detect and stop this latest generation of ransomware threats may find themselves in the difficult position of having to pay the ransom, which carries its own set of risks," ProofPoint added.