  • Ensure Trend Micro Products are updated.
  • Always check who the email sender is. If the email is supposedly coming from a bank, verify with your bank if the received message is legitimate. If from a personal contact, confirm if they sent the message. Do not rely solely on trust by virtue of relationship, as your friend or family member may be a victim of spammers as well.
  • Double-check the content of the message. There are often obvious factual errors or discrepancies you can spot: for example, a bank or a friend claims to have received something from you. Check your recently sent items to verify that claim. Such spammed messages can also use other social engineering lures to persuade users to open the message.
  • Refrain from clicking links in email. In general, clicking on links in email should be avoided. It is safer to visit any site mentioned in email directly. If you have to click on a link in email, make sure your browser uses web reputation to check the link, or use free services such as Trend Micro Site Safety Center.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task.
  • Be aware of social engineering attacks to be safe.
  • Backup important data. A safe computing practice is to ensure you have back-ups of your files. The 3-2-1 principle should be in play: three copies, two different media, one separate location. Cloud storage services (such as SafeSync) can be a useful part of your backup strategy. For recovering files encrypted by ransomware, you may also use the Trend Micro Ransomware File Decryptor.
  • To ensure that new variants of this malware family are detected, we need to continue collecting samples so they can be submitted for analysis and added to the patterns and solutions if needed.
  • This is best done by filtering and blocking email attachments using Trend Micro's Messaging products. This link provides information on the typical file types that carry the said malware, as well as the types of sample files that can be collected during an outbreak.
  • When collecting a sample spam mail with possible TROJ_CRYPWALL v3 involvement, please make sure to send the actual/original spam mail and not the forwarded spam.
  • Collect and submit spam and all quarantined samples for sourcing and analysis. For new cases you may upload one ZIP or RAR file (up to 50 MB) that is protected with the password "virus" to this link.
    FTP will be helpful for other samples; submit them as ZIP or RAR files that are protected with the password "virus".
    • SMEX and WFBS-Messaging Security Agent Quarantined mails
      Please resend all quarantined mails from the MSA or SMEX server side to the specific recipient for sourcing. To resend a message that is displayed in the Quarantine Log, place a checkmark in the box corresponding to that message's row in the log and then click Resend. Spam from the client side can be pulled out from either the spam folder or the junk mail folder.
    • IMSVA Quarantined mails
      For IMSVA, download the files from the IMSVA console > Mail Areas & Queues > Query > Quarantine tab. Display the logs, then click specific emails to download copies.
  • If your Trend Micro product, an ATTK scan, and other Trend Micro anti-malware tools do not find or detect any malware, follow this procedure to collect suspicious samples and system information.
  • The normal filtering configuration should be reverted once the alert has passed.
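As an illustration of the attachment-filtering recommendation above, the following is an added example (not code from Trend Micro or from this page) that parses an email message and flags attachments that are directly executable or that carry an executable inside a ZIP archive. The extension list, the hypothetical sender and recipient addresses, and the sample message are all constructed for the example; the file types this malware family actually uses come from the linked Trend Micro page, not from this list.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Constructed list of attachment extensions commonly abused as droppers.
# This is an assumption for the example, not the file-type list the page links to.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".jse", ".wsf", ".bat", ".cmd", ".pif", ".com"}
ARCHIVE_EXTENSIONS = {".zip"}


def _ext(name):
    """Return the lower-cased final extension of a filename (including the dot), or ''."""
    name = (name or "").lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def risky_names_in_zip(data):
    """Return member names inside a ZIP payload whose extension is on the risky list."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if _ext(n) in RISKY_EXTENSIONS]
    except zipfile.BadZipFile:
        # Malformed or non-ZIP payloads are reported as having no inspectable members.
        return []


def classify_message(raw_bytes):
    """Parse an RFC 822 message and return a list of (attachment name, reason) findings.

    An empty list means no attachment matched the filtering rules.
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        ext = _ext(name)
        if ext in RISKY_EXTENSIONS:
            findings.append((name, "executable attachment"))
        elif ext in ARCHIVE_EXTENSIONS:
            # Look one level inside the archive; double extensions such as
            # "x.pdf.exe" are caught because only the final extension is checked.
            for member in risky_names_in_zip(part.get_payload(decode=True)):
                findings.append((name, f"archive contains executable member {member}"))
    return findings


def build_sample_message():
    """Construct a sample lure message for the example (constructed, not a real spam sample)."""
    msg = EmailMessage()
    msg["From"] = "noreply@example-bank.invalid"   # hypothetical sender
    msg["To"] = "user@example.invalid"             # hypothetical recipient
    msg["Subject"] = "Your recent transaction receipt"
    msg.set_content("Please see the attached receipt.")

    # A ZIP whose only member pretends to be a PDF but ends in .exe (constructed bytes).
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("receipt.pdf.exe", b"MZ-not-a-real-binary")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="receipt.zip")
    # A harmless-looking second attachment that should not be flagged.
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for attachment, reason in classify_message(build_sample_message()):
        print(f"BLOCK {attachment}: {reason}")
```

In a mail gateway the same decision would typically quarantine the message rather than just print a finding, and the quarantined copy is exactly what the sample-collection steps above ask you to submit.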

For related reports, visit our Threat Encyclopedia.