VERY IMPORTANT

We were notified of a new ransomware version last night. This new version comes as an email attachment which is a zip inside a zip before extracting to a .js file in a fake Delivery Status Notification, failed to deliver email bounce message. The .js file in the email attachment is a PowerShell script and there are no other files involved. Nothing new is downloaded. When the files are encrypted they DO NOT change file name or extensions and appear “normal” to the victim until you try to open them. This is the same behaviour we have been seeing with the recent UPS failed to deliver nemucod ransomware versions