CryptoWall Infection via PDFs


A newly detected drive-by attack encrypts files and documents then demands payment to decrypt data.

PDF-based malware is being found embedded in legitimate PDF files, meaning the files have been modified after they were created.

PDFs have become the “paper” of the internet and are crucial to our ability to share protected information. However, keeping Adobe Reader current is just not on most people’s radar. Unfortunately, it’s time for that to change. There is a new internet threat that is going to be a problem throughout the business world unless an organization commits to an immediate upgrade across all of its systems. While this might not be an issue for many organizations, it is for some, especially if your organization intentionally does not upgrade Adobe Reader based on how it has been integrated in the business world.

One more reason for keeping your Adobe Systems software up to date. Sophos Ltd. security consultant Graham Cluley is reporting a new ransomware attack that hits computer users via a drive-by vulnerability on compromised websites. Victims are suddenly presented with a message that their files have been encrypted and that they will need to pay $120 to regain access to them. Early investigations indicate that the attacks are delivered using an Adobe PDF exploit, but that hasn’t been confirmed. The attacks affect a wide range of media files, such as .jpeg images and .mpeg audio files, as well as Microsoft Office files. Affected files have their names changed to include a new suffix called .ENCODED.

Researchers at SophosLabs are analyzing a new ransomware attack that appears to have hit computer users via a drive-by vulnerability on compromised websites.

Malicious hackers are spreading the ransomware, which encrypts media and Office files on victims’ computers, in an attempt to extort $120. In a nutshell – you can’t access your files because the malicious code has encrypted them (in our observations, the whole file isn’t encrypted – just the first 10% or so), and the hackers want you to pay the ransom if you want your valuable data back.

The attack, which Sophos detects as Troj/Ransom-U, changes your Windows desktop wallpaper to deliver the first part of the ransom message.

The main ransom demand is contained in a text file:


All your personal files (photo, documents, texts, databases, certificates, kwm-files, video) have been encrypted by a very strong cypher RSA-1024. The original files are deleted. You can check this by yourself – just look for files in all folders.

There is no possibility to decrypt these files without a special decrypt program! Nobody can help you – even don’t try to find another method or tell anybody. Also after n days all encrypted files will be completely deleted and you will have no chance to get it back.

We can help to solve this task for 120$ via wire transfer (bank transfer SWIFT/IBAN). And remember: any harmful or bad words to our side will be a reason for ingoring your message and nothing will be done.

For details you have to send your request on this e-mail (attach to message a full serial key shown below in this ‘how to..’ file on desktop): [email address]

The HOW TO DECRYPT FILES.txt file gives an email address to contact if you wish to recover your data. In addition, there is a fingerprint hex-string in the file which changes between successive runs – the message says that victims must quote this string when making contact (presumably it is related to the actual key used for decryption).

Users have reported to us that they have received the attack via a malicious PDF which downloads and installs the ransomware. Sophos detects the PDF as Troj/PDFJS-ML.

Files with the following extensions can be affected: .jpg, .jpeg, .psd, .cdr, .dwg, .max, .mov, .m2v, .3gp, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .rar, .zip, .mdb, .mp3, .cer, .p12, .pfx, .kwm, .pwm, .txt, .pdf, .avi, .flv, .lnk, .bmp, .1cd, .md, .mdf, .dbf, .mdb, .odt, .vob, .ifo, .mpeg, .mpg, .doc, .docx, .xls, and .xlsx. The easiest way to identify files that have been meddled with is that their filenames will have been changed to include the suffix “.ENCODED”.
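The indicators described above (the “.ENCODED” suffix, the HOW TO DECRYPT FILES.txt note, and the observation that only the first 10% or so of each file is encrypted) can be combined into a quick triage scan of a file share. This is an added example, not code from Sophos or from the original article; it assumes the suffix is appended to the original file name, and the entropy thresholds, the 1 MiB read cap and the sample file names are constructed for illustration.

```python
import math, os
from collections import Counter
from pathlib import Path

SUFFIX = ".ENCODED"                     # suffix named in the article
NOTE_NAME = "HOW TO DECRYPT FILES.txt"  # ransom note named in the article
HEAD_FRACTION = 0.10                    # article: only the first ~10% is encrypted

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def head_tail_entropy(path):
    """Entropy of a sample inside the first 10% and of one just past it."""
    boundary = max(1, int(os.path.getsize(path) * HEAD_FRACTION))
    sample = min(boundary, 1 << 20)  # assumed 1 MiB cap per read
    with open(path, "rb") as f:
        head = f.read(sample)
        f.seek(boundary)
        tail = f.read(sample)
    return entropy(head), entropy(tail)

def triage(root):
    """Walk root; list ransom notes and renamed files with entropy evidence."""
    report = {"notes": [], "encoded": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == NOTE_NAME.lower():
                report["notes"].append(path)
            elif name.upper().endswith(SUFFIX):
                head, tail = head_tail_entropy(path)
                report["encoded"].append({
                    "path": path,
                    "original_ext": Path(name[:-len(SUFFIX)]).suffix.lower(),
                    "entropy": (round(head, 2), round(tail, 2)),
                    "partial": head > 7.0 and head - tail > 1.5,  # assumed thresholds
                })
    return report

def build_sample(root):
    """Constructed data: a text file whose first 10% is replaced by random bytes."""
    text = b"quarterly figures for the board\n" * 600
    cut = len(text) // 10
    Path(root, "ledger.txt.ENCODED").write_bytes(os.urandom(cut) + text[cut:])
    Path(root, NOTE_NAME).write_text("constructed placeholder note\n")
```

Formats that are already compressed (.jpg, .zip, .docx and similar) have a high-entropy tail even when untouched, so a false "partial" flag on those does not mean the file is intact; the suffix and the note remain the primary indicators.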

Of course, we don’t recommend paying money to ransomware extortionists. There’s nothing to say that they won’t simply raise their ransom demands even higher once they discover you are prepared to pay up.

This is just another reason it is important to ensure that you keep all of your software and operating system patches up to date. This is something that is rarely thought about until we have an event like this, at which point it is too late.

If you have questions or need assistance on issues like this, please do not hesitate to contact the Kreative Technical Services team at or 678-680-4911.