Xavier Mertens at the SANS Internet Storm Center:
“Bad guys need to constantly find new ways to lure their victims. If billing notifications were very common for a while, not all people in a company are working with such kind of documents. Which types of notification do they have in common? All of them have a phone number and with modern communication channels… everybody can receive a mail with a voice mail notification. Even residential systems can deliver voice message notifications.”
Cerber, currently one of the most prevalent ransomware strains, has even experimented with text-to-speech synthesizers to pressure victims into paying the ransom.
This new voice mail attack email arrives with an attachment that supposedly contains a voice message as a .wav file compressed in a .zip folder. The folder actually contains hidden malicious code that installs ransomware and renames files to [original file name].crypted.
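A mail gateway or triage script can test the "zipped .wav" claim before the archive reaches a user. The following is an added example, not code from Mertens or the SANS post: it opens each .zip attachment and reports members that are not audio, are encrypted, or carry a .wav name without a RIFF/WAVE header. The audio allowlist, the function names and the sample mail builder are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

AUDIO_EXTS = {".wav", ".mp3", ".m4a", ".ogg"}  # assumed allowlist, adjust per site

def _ext(name):
    base = name.rsplit("/", 1)[-1].lower()
    return "." + base.rsplit(".", 1)[-1] if "." in base else ""

def audit_voicemail_mail(raw):
    """Return (attachment, member, reason) for zip members that are not real audio."""
    findings = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                ext = _ext(info.filename)
                if info.is_dir():
                    continue
                if ext not in AUDIO_EXTS:
                    reason = "non-audio member"
                elif info.flag_bits & 0x1:  # cannot inspect without the password
                    reason = "encrypted member"
                elif ext == ".wav":
                    head = zf.read(info)[:12]
                    if head[:4] == b"RIFF" and head[8:12] == b"WAVE":
                        continue  # name and content agree
                    reason = "no RIFF/WAVE header"
                else:
                    continue
                findings.append((part.get_filename(), info.filename, reason))
    return findings

def build_sample_mail(member_name, member_bytes):
    """Constructed test input: a notification mail carrying one zipped member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, member_bytes)
    msg = EmailMessage()
    msg["Subject"] = "New voice message"  # constructed sample, not from the campaign
    msg.set_content("You have a new voice message.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="voice_message.zip")
    return msg.as_bytes()
```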
The delivery mechanism may be exploiting the fact that missed call notification emails are enabled by default in Microsoft Outlook.
According to Mertens, consumers appear to be the first target of this ransomware campaign. The initial phishing campaign contained a voice message regarding a modem from Vigor, a UK distributor of ADSL modems for the residential market.
Here is the blog post with a screenshot, showing how this looks: