On Friday we had a call from a client who had opened an email proporting to be from HM revenue and customs, the email contained a zip file, within which was what looked like a PDF document, but was labeled as an “application”.

Due to the suspicious nature of this email and its content, we had the machine shutdown for a security check.

Once the machine was cleared we took the offending email and opened it from a segregated test machine just to see what results the opening of this file would have on the system.

We found that as soon as the “PDF” was opened it deleted itself from the system and there seemed no other immediate effects. It wasn’t until a reboot that we noticed that a file named f94a2e3.exe had been added to the windows startup folder and also the appdata/roaming folder.

As a result, this file was executed after the reboot completed and around 30 minutes later we were presented with this in an internet explorer window:


SaleBestseller No. 1
Lenovo IdeaPad 1 14 14.0" Laptop, 14.0" HD (1366 x...
  • This everyday laptop is powered by an Intel...
  • Enjoy videos or browse online on a 14" HD display...


Not the Cryptolocker virus that we all know and love but a copycat version with the same effects.

The virus instructs us to download and install the Tor browser after which it directs us to a site with payment instructions along with a bitcoin address.

And of course, after this time, all user documents on the system have been encrypted and are in-accessible.

Luckily in this case we can just reload the machine and we are good to go. If this was on a live network without backups, the victim would likely have no choice but to pay the ransom of 1.2BTC ($540.00 at the time of writing).