PHISHING INDEX
Below are the most common email phishing attempts detected by TG Soft's Anti-Malware Research Center in February 2023:
26/02/2023 => Amazon Code
23/02/2023 => Banca SELLA
22/02/2023 => Account posta elettronica (Email Account)
20/02/2023 => DHL
17/02/2023 => Aruba
16/02/2023 => BPER Banca
14/02/2023 => Lidl
14/02/2023 => Q8
10/02/2023 => Intesa Sanpaolo
09/02/2023 => Webmail
08/02/2023 => SexTortion
05/02/2023 => Mooney
04/02/2023 => Aruba
03/02/2023 => Carta YOU
01/02/2023 => Sharepoint
01/02/2023 => Account posta elettronica (Email Account)
These emails are intended to trick the recipient into providing sensitive data - such as bank account information, credit card codes or personal login credentials - with all the easily imaginable consequences.
February 26, 2023 ==> Phishing Amazon CODE
SUBJECT: <RE: account in scadenza, conferma l'iscrizione per guadagnare con Amazon> (RE: account expiring, confirm membership to earn with Amazon)
Below we examine a phishing attempt delivered as a fake Amazon e-mail, which aims to steal the victim's account credentials.
The message informs the recipient of a fantastic opportunity to earn from home, reserved for a select few people!!! According to the message, Amazon offers the opportunity to invest and earn from home with an account reserved for a select few - including the lucky user - and warns him that the account is about to expire.
"However, since we have not received a response from you, we can no longer hold it in pending status. To use it before it is assigned to another person, we suggest you to confirm immediately"
It then invites him to confirm his account in order to be contacted by their expert for details. To proceed, he just has to click on the following link:
CLICCA QUI (Click Here)
Examining the email, we see that the message comes from an email address that cannot be traced to Amazon's domain: <info(at)couponandomail(dot)ovh>. This is definitely anomalous and should make us very suspicious.
Anyone who unluckily clicks on the link CLICCA QUI (Click Here) will be redirected to an anomalous web page which, as you can see from the side image, is graphically well laid out and could mislead an inexperienced user.
The page to which you are redirected, where you are asked to enter your mail account credentials, is hosted on an anomalous address/domain, which we report below:
https[:]//www[.]amazoncode[.]info[.]fx-amz-code-long-it?ref=fx-....
We always urge you to be careful and not to enter your personal data and/or passwords on forms hosted on counterfeit web pages, as they will be sent to a remote server and used by cyber crooks, with all the easily imaginable risks that follow.
February 23, 2023 ==> Phishing Banca SELLA (SELLA Bank)
SUBJECT: <L'applicazione Sella-BANCA, nuovo aggiornamento> (The Sella-BANK application, new update)
Below we examine a phishing attempt delivered as a fake Banca SELLA e-mail, which aims to steal the credentials of the victim's account.
The message informs the recipient about new updates to the Terms of Service and states that, for security reasons, it is therefore necessary to update his information. It then invites him to confirm his information so that his e-mail address or phone number will not be used without his consent. To proceed with the update, he just has to click on the following link:
Segui i passi (Follow the steps)
Examining the email, we see that the message comes from an email address that cannot be traced to Banca SELLA's domain: <info22(at)strada-pola(dot)org>. This is definitely anomalous and should make us very suspicious.
Anyone who unluckily clicks on the link Segui i passi (Follow the steps) will be redirected to an anomalous web page which, as you can see from the side image, is graphically well laid out and could mislead an inexperienced user.
The page to which you are redirected, where you are asked to enter your mail account credentials, is hosted on an anomalous address/domain, which we report below:
https[:]//finanziario-sella-anca-on-line[.]shopinas-hero[.]net/H4l7j5dtDh....
We always urge you to be careful and not to enter your personal data and/or passwords on forms hosted on counterfeit web pages, as they will be sent to a remote server and used by cyber crooks, with all the easily imaginable risks that follow.
February 22, 2023 ==> Phishing Account Posta Elettronica (Email Account)
SUBJECT: <Your Email: **** will be blocked>
Below we examine a phishing attempt that aims to steal the credentials of the victim's e-mail account.
The message, in English, informs the recipient that, due to a security update, it is necessary to update his information. It then invites him to update his information within 48h to continue using the mailbox, via the following link:
VERIFY EMAIL
Examining the email, we notice that the message comes from an email address that cannot be traced to the server that hosts the mailbox: <info(at)crossroadsrox(dot)com>. This is definitely anomalous and should, at the very least, make us suspicious.
Anyone who unluckily clicks on the link VERIFY EMAIL will be redirected to an anomalous web page, which has already been reported as a DECEPTIVE PAGE/WEBSITE. It is run by cyber-criminals whose goal is to steal your most valuable data in order to use them for criminal purposes.
February 20, 2023 ==> Phishing DHL
SUBJECT: <IT:EU-GB zone "Central", UnPAID DUTY>
The following is a new phishing attempt this month, hiding behind a false communication from DHL's service regarding the delivery of an alleged package.
The message notifies the unsuspecting recipient that "the item owned by you has arrived at our office. However, we found that the sender did not pay the taxes for customs clearance. Therefore, the item was detained by DHL's customs handling team." We see that the email is graphically well laid out: to make the message more trustworthy, the DHL logo has been included. These messages are increasingly used to perpetrate scams against consumers, who increasingly use e-commerce for their purchases.
The message then invites the user to pay the customs clearance fees, otherwise the item will be returned to the sender. To schedule the delivery, it is necessary to click on the following link:
Rilascio della spedizione (Shipment release)
The alert email comes from an email address that has nothing to do with DHL's domain: <tesoreriasanjuan(at)aacop(dot)org(dot)ar>. This is definitely anomalous and should, at the very least, make us suspicious.
Anyone who unluckily clicks on the link will be redirected to an anomalous web page, which has already been reported as a DECEPTIVE PAGE/WEBSITE. It is run by cyber-criminals whose goal is to get hold of your most valuable data in order to use them for criminal purposes.
February 16, 2023 ==> Phishing BPER Banca (Bank)
SUBJECT: <Aggiornamento di questa informativa sulla protezione dei dati!> (Update this data protection policy!)
This new phishing attempt comes as a fake e-mail from BPER Banca.
The message notifies the unsuspecting recipient that a new update to the BPER Banca application is available. It then invites him to update the application for more security, to protect online banking transactions, through the following link:
Mein Konto
The alert message comes from an email address <alan20(at)raja-foot(dot)net> unrelated to BPER Banca's domain and contains very generic text, although the cybercriminal had the graphic foresight to include the BPER Banca logo, which might mislead an inexperienced user.
The purpose is to get the recipient to click on the link Mein Konto which, we would like to point out, redirects to a page that has nothing to do with the BPER Banca site and has already been reported as a DECEPTIVE PAGE/WEBSITE. It is run by cyber-criminals whose goal is to get hold of your most valuable data in order to use them for criminal purposes.
February 14, 2023 ==> Phishing LIDL
SUBJECT: <...Hai vinto un Ninja Air Fryer> (You won a Ninja Air Fryer)
Below is a phishing attempt, hiding behind a fake communication from LIDL, that advertises a chance to win a new Ninja Air Fryer.
The message, which we quote on the side, is graphically well laid out and looks like a must-have offer. The lucky user was selected on the supermarket chain's anniversary to win the fantastic prize by participating in a survey.
"You have been chosen to participate in our Loyalty Program for FREE! It will only take you a minute to receive this fantastic prize."
Examining the email, we notice that the message comes from a suspicious email address: <el_rhazrafi.ihs.fst(at)uhp(dot)ac(dot)ma>. This is definitely anomalous and should, at the very least, make us suspicious.
Anyone who clicks Fai clic per iniziare (Click to start) will be redirected to a web page, where you are asked to participate in a short survey to win the prize, a fantastic Ninja Air Fryer.
From the screenshot shown, the site appears to be traceable to LIDL, but we can see that the page is hosted on an anomalous address/domain, which we report below:
https[:]//samplemirrors[.]com/f39bd10421cf1d...
Clicking on INIZIA IL SONDAGGIO (START THE SURVEY), you are redirected to the next screens, where you are asked to answer 8 questions. Below are some of them ...
At the end of the survey, we finally get to a new screen that makes us select our prize, based on the information provided about our consumer experience. The prize is the Ninja Air Fryer (worth Euro 1126.39) that, for the lucky winners, is free!!! All they need to do is enter their shipping address and pay the shipping cost and, in 5-7 business days, the prize will be delivered....
Then you are sent to a further page, as shown in the image below, to enter your shipping address and pay the shipping charges.
Surely if so many users have been lucky why not try your luck? In any case, the amount required is really small....
Instead, the aim of the cyber criminals is just to induce the user to enter his sensitive data and the credit card details that are requested for payment!
The page to which you are redirected, where you are asked to enter your personal data, is hosted on an anomalous address/domain, which we report below:
https[:]//shoppersadres[.]net/c/dRBLA3b?s1=1020b211ea...
In conclusion, we always urge you to be wary of advertising/promotional messages that boast about "giving away" valuables, and to avoid clicking on suspicious links that could lead to a counterfeit site, placing your most valuable data in the hands of cyber crooks.
February 14, 2023 ==> Phishing Q8
SUBJECT: <Sfida il caro benzina e la sorte: puoi vincere 200€> (Challenge the high cost of gasoline and fate: you can win €200)
This month we find again the following phishing attempt, which pretends to be a communication from Q8.
The message is very impactful, as it deals with a very current issue that weighs on the pockets of all Italians: the rising price of fuel. "Challenge the high price of gasoline and fate."
The message leverages the chance to win a fuel voucher worth €200 by participating in the lucky draw, through the following link:
PARTECIPA ORA (JOIN NOW)
First, we realize that the alert email comes from an email address <news(at)news.(dot)all29con99(dot)com> that is clearly not from the official domain of Q8.
Anyone who unluckily clicks on the link PARTECIPA ORA (JOIN NOW) will be redirected to an anomalous web page, which has already been reported as a DECEPTIVE PAGE/WEBSITE. It is run by cyber-criminals whose goal is to get hold of your most valuable data in order to use them for criminal purposes.
February 10, 2023 ==> Phishing Intesa Sanpaolo
SUBJECT: <Sicurezza del cliente - Attiva il nuovo sistema di sicurezza> (Client security - Activate the new security system)
This month we find again the same phishing campaign as in January, coming from a fake e-mail simulating a message from Intesa Sanpaolo.
The message notifies the unsuspecting recipient that, as of February 12, 2023, he will no longer be able to use his Intesa Sanpaolo card unless he activates the new web security system, which provides greater security and reliability to transactions. It then invites him to activate the new security system. The procedure is simple and takes only 3 minutes, through the following link:
Clicca qui (Click here)
We can see right away that the alert message comes from an email address - <webmaster(at)vps89556(dot)inmotionhosting(dot)com> - unrelated to the Intesa Sanpaolo domain and contains very generic text, although the cybercriminal had the graphic foresight to include the well-known Intesa Sanpaolo logo, which could mislead the user.
The purpose is to induce the recipient to click on the link Clicca qui (Click here) which, we would like to point out, redirects to a page that has nothing to do with the Intesa Sanpaolo website and has already been reported as a DECEPTIVE PAGE/WEBSITE. It is run by cyber-criminals whose goal is to get hold of your most valuable data in order to use them for criminal purposes.
February 09, 2023 ==> Phishing Account Posta Elettronica (Email Account)
SUBJECT: <Storage Mail Notice>
Below we examine a phishing attempt that aims to steal the credentials of the victim's e-mail account.
The message, in English, informs the recipient that he has reached the storage space limit of his mailbox, whose address is given. It then invites him to increase the storage space by making a purchase, through the following link:
Increase Storage Limit
Examining the email, we notice that the message comes from an email address that cannot be traced to the server that hosts the mailbox: <sales(at)t-skype(dot)life>. This is definitely anomalous and should, at the very least, make us suspicious.
Anyone who unluckily clicks Increase Storage Limit will be redirected to an anomalous web page which, as you can see from the side image, has nothing to do with the e-mail account manager.
The page to which you are redirected, where you are asked to enter your mail account credentials, is hosted on an anomalous address/domain, which we show below:
https[:]//s3[.]amazonaws[.]com/appforest_uf/f167583....
We always urge you to be careful and not to enter your personal data and/or passwords on forms hosted on counterfeit web pages, as they will be sent to a remote server and used by cyber crooks, with all the easily imaginable risks that follow.
February 08, 2023 ==> SexTortion
The SexTortion-themed SCAM campaign persists. The e-mail claims that the scammer has gained access to the victim's device and used it to collect data and personal videos. He then blackmails the user, demanding payment of a sum of money in Bitcoin in exchange for not sending a private video of him viewing adult sites to his email and social contacts.
The following is an extract from the text of the email on the side:
" Your system has been hacked. All the data from your device was copied to our servers. We also recorded a video from your room on which you are watching a porn movie. My virus infected your device through an adult website you recently visited. If you do not know how it works, I will share the details. The Trojan virus gives me full access and control over the device you are using. As a result, I can see the entire screen, turn on the camera and the microphone, and you will never know. I have captured a video from your screen and the device's camera and edited a video in which one part of the screen shows how you are masturbating and other part shows a pornographic video that was opened by you at that time. I can see the whole list of your contacts from the phone and all the social networks. I can send this video to all your phone, email and social networks contacts with one click. Besides, I can send to all the data from your email and messengers. That is, I can destroy your reputation forever."
The victim is then asked to send 1200 USD in Bitcoin to the wallet below: "bcXXXXXXXXXXXXXXXXXXXXXX62g". The message promises that all data will be deleted once the transaction is received; otherwise a video depicting the user will be sent to all colleagues, friends and relatives. The victim has 50 hours to make the payment!
Examining the payments made to the wallet indicated by the cyber criminal, as of 02/14/2023 there seem to be no transactions.
In such cases we always urge you:
- not to answer these kinds of e-mails, not to open attachments or click on lines containing unsafe links, and certainly NOT to send any money. You can safely ignore or delete them;
- if the criminal reports an actual password used by the user - the technique is to exploit passwords from public Leaks (compromised data theft) of official sites that have occurred in the past (e.g., LinkedIn, Yahoo, etc.) - it is advisable to change it and enable two-factor authentication on that service.
February 05, 2023 ==> Phishing Mooney
SUBJECT: <Aggiornameto obbligatorio> (Mandatory update)
Again this month we find the following phishing attempt, coming from a false communication from Mooney, the Italian Proximity Banking & Payments company.
The message informs the recipient that his account is suspended, due to a failed update.
It then invites him to resolve the problem by updating his account, via the following link:
Aggiornare (Update)
This time the phishing campaign simulates a communication from the Italian online payment company Mooney, which is clearly unrelated to the mass sending of these emails. These are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.
Examining the text of the message, in addition to the company logo - included to further mislead - we find a sender email address that disguises the original one. It is, however, a specially created label: <noreply(at)mooney(dot)it>. Let's always pay close attention before clicking on suspicious links.
Anyone who unluckily clicks Aggiornare (Update) will be redirected to an anomalous web page, which has nothing to do with the official site of Mooney and has already been reported as a DECEPTIVE PAGE/WEBSITE. It is run by cyber-criminals whose goal is to get hold of your most valuable data in order to use them for criminal purposes.
February 04 and 17, 2023 ==> Phishing Aruba - Rinnovo automatico (Automatic renewal)
Below we report 2 phishing attempts that simulate messages from Aruba.
EXAMPLE 1
«Avviso-Di-Rinnovo» (Notice-of-Renewal)
EXAMPLE 2
«PROMEMORIA: Dominio **** con account di posta in scadenza» (REMINDER: **** domain with expiring email account)
In the 2 examples above, which are very similar, the customer is notified that his domain on Aruba is about to expire and is invited to renew it before expiration.
In both cases, the purpose is to induce the user to click on the link in the email:
RINNOVA IL DOMINIO (RENEW THE DOMAIN).
Clearly, the well-known web hosting, e-mail and domain registration services company Aruba is unrelated to the mass sending of these e-mails, which are real scams whose goal remains, as always, to steal sensitive data of the unsuspecting recipient.
To detect these phishing attempts, it is first of all necessary to examine the sender's e-mail address, which, as we can see in the 2 reported cases (<staff-aruba(at)online(dot)it> and <noreply(at)tamejida(dot)org>), does not come from Aruba's official domain.
Very often these messages are poorly written emails that contain spelling errors, or renewal requests for services that are not expiring, or requests for security updates, as they leverage urgency to get the user to click.
It's also important to examine the links or attachments that these messages contain, which usually redirect to a counterfeit website asking you to enter your personal information (such as account username and password, or credit card number to make account renewals). If these data are entered, they will be used by cyber criminals for criminal purposes.
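The two checks described above (sender address first, then link host) can be automated in a mail filter. The sketch below is an added example, not TG Soft's code: the per-brand list of official domains is an assumption, and the real sender behind the Mooney label, `bulk(at)sender(dot)example`, is constructed because the report gives only the label.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: official domains per brand (the report does not list them).
OFFICIAL = {"aruba": {"aruba.it"}, "mooney": {"mooney.it"}, "sella": {"sella.it"}}
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def refang(text):
    """Undo the (at)/(dot)/[.]/[:] defanging used in the report."""
    for safe, real in (("(at)", "@"), ("(dot)", "."), ("[.]", "."), ("[:]", ":")):
        text = text.replace(safe, real)
    return text


def is_official(host, brand):
    """True only for the brand's own domain or a subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL[brand])


def check_sender(from_header, brand):
    """Return findings for a From header claiming to come from `brand`."""
    findings = []
    display, addr = parseaddr(refang(from_header))
    local, _, domain = addr.rpartition("@")
    if not is_official(domain, brand):
        findings.append("sender-domain-not-official")
        if brand in local.lower():
            findings.append("brand-name-in-local-part")
    # A display name that itself looks like an address hides the real sender
    # (the "specially created label" of the Mooney case).
    shown = ADDR_RE.search(display)
    if shown and shown.group(0).lower() != addr.lower():
        findings.append("display-name-shows-different-address")
    return findings


def check_link(url, brand):
    """Return findings for a link target in a message claiming `brand`."""
    host = (urlsplit(refang(url)).hostname or "").lower()
    if is_official(host, brand):
        return []
    findings = ["link-host-not-official"]
    if brand in host:  # brand used as bait in an unrelated domain
        findings.append("brand-name-in-lookalike-host")
    return findings


if __name__ == "__main__":
    # Sender addresses and link host are taken from the report, except the
    # constructed real sender behind the Mooney label.
    senders = [
        ("aruba", "staff-aruba(at)online(dot)it"),
        ("aruba", "noreply(at)tamejida(dot)org"),
        ("mooney", '"noreply(at)mooney(dot)it" <bulk(at)sender(dot)example>'),
    ]
    for brand, header in senders:
        print(brand, header, check_sender(header, brand))
    link = "https[:]//finanziario-sella-anca-on-line[.]shopinas-hero[.]net/"
    print("sella", link, check_link(link, "sella"))
```

An empty result does not prove a message is genuine, because a From header can be forged outright; the receiving server's SPF, DKIM and DMARC results are needed for that.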
February 03, 2023 ==> Phishing Carta YOU (YOU card)
SUBJECT: <Un regalo a sorpresa per te! - La tua Carta YOU senza commissioni> (A surprise gift for you! - Your YOU Card with no fees)
This new phishing attempt pretends to be an e-mail from Carta YOU, offering the opportunity to apply for a new card without any fees.
Examining the email, we see that the message is graphically well laid out, and actually seems to give the lucky recipient the opportunity to apply for his Carta YOU by clicking on the following link:
Richiedila qui (Request it here)
To detect these phishing attempts, it is first necessary to examine the sender's e-mail address, which turns out to be very suspicious and not at all traceable to Carta YOU: <contacto(at)tapas-facil(dot)com>.
Anyone who unluckily clicks Richiedila qui (Request it here) will be redirected to an anomalous, graphically deceptive web page.
Then, you are asked for your personal data in order to receive your new credit card. The data entry form is hosted on an anomalous address/domain, which we report below:
https[:]//www[.]cartayou[.]it/?channel=newsletter&partnerID=....
We always urge you to be careful and not to enter your personal data and/or passwords on forms hosted on counterfeit web pages, as they will be sent to a remote server and used by cyber crooks, with all the easily imaginable risks that follow.
February 01, 2023 ==> Phishing Sharepoint
SUBJECT: <You have received Incoming fax Documents via Sharepoint>
This new phishing attempt pretends to be an e-mail from Sharepoint, the web app that allows sharing and collaboration via shared access.
The message, in English, informs the recipient that 2 new messages are available, and that he has received 3 faxed documents, related to an alleged order. The link to download the files is then given:
Preview
Examining the email, we realize that the message, marked by a concise and essential textual layout, seems to come from an email address that is very suspicious and not at all traceable to Sharepoint: <secured_file27788(at)****>.
Anyone who unluckily clicks Preview will be redirected to an anomalous web page, where you are requested to enter your mail account credentials, hosted on an anomalous address/domain, which we report below:
https[:]//s3[.]amazonaws[.]com/appforest_uf/....
We always urge you to be careful and not to enter your personal data and/or passwords on forms hosted on counterfeit web pages, as they will be sent to a remote server and used by cyber crooks, with all the easily imaginable risks that follow.
February 01, 2023 ==> Phishing Account Posta Elettronica (Email Account)
SUBJECT: <Errore posta in arriνo.> (Incoming mail error)
Below we examine a phishing attempt that aims to steal the credentials of the victim's e-mail account.
The communication informs the recipient that some messages are pending, due to an error in the IMAP/POP configuration of his mailbox, whose address is reported. It then invites him to correct the error and download the pending messages in order not to lose them, via the following link:
CLICCA QUI (Click here)
Examining the email, we notice that the message comes from an email address that cannot be traced to the server that hosts the mailbox: <swarn(dot)bista(at)shauryacements(dot)com>. This is definitely anomalous and should, at the very least, make us suspicious.
Anyone who unluckily clicks CLICCA QUI (Click here) will be redirected to an anomalous web page which, as you can see from the image on the side, has nothing to do with the e-mail account manager.
The page to which you are redirected, where you are asked to enter your mail account credentials, is hosted on an anomalous address/domain, which we show below:
https[:]//dp2ygm3vt4fowsdknzzvmzvor3sp4y6ksa4c3rfjdscuavcry-ipfs-w3s-link[.]translate[.]goog....
We always urge you to be careful and not to enter your personal data and/or passwords on forms hosted on counterfeit web pages, as they will be sent to a remote server and used by cyber crooks, with all the easily imaginable risks that follow.
A little attention and a careful glance can save a lot of hassle and headaches....
We urge you NOT to be fooled by these types of e-mails: even though they use familiar and not particularly sophisticated approach techniques, whenever there is a resurgence it is reasonably likely that more than a few unfortunate people will be fooled.
We invite you to check the following information on Phishing techniques for more details:
02/01/2023 15:28 - Phishing: the most common credential and/or data theft attempts in January 2023...
02/12/2022 15:04 - Phishing: the most common credential and/or data theft attempts in December 2022...
04/11/2022 17:27 - Phishing: the most common credential and/or data theft attempts in November 2022...
05/10/2022 11:55 - Phishing: the most common credential and/or data theft attempts in October 2022...
06/09/2022 15:58 - Phishing: the most common credential and/or data theft attempts in September 2022...
04/08/2022 16:39 - Phishing: the most common credential and/or data theft attempts in August 2022...
06/07/2022 12:39 - Phishing: the most common credential and/or data theft attempts in July 2022...
06/06/2022 14:30 - Phishing: the most common credential and/or data theft attempts in June 2022...
02/05/2022 11:06 - Phishing: the most common credential and/or data theft attempts in May 2022...
06/04/2022 16:51 - Phishing: the most common credential and/or data theft attempts in April 2022...
08/03/2022 17:08 - Phishing: the most common credential and/or data theft attempts in March 2022...
03/02/2022 16:25 - Phishing: the most common credential and/or data theft attempts in February 2022...
Try Vir.IT eXplorer Lite
If you are not yet using Vir.IT eXplorer PRO, it is advisable to install Vir.IT eXplorer Lite -FREE Edition- to supplement the antivirus in use and increase the security of your computers, PCs and SERVERS.
Vir.IT eXplorer Lite has the following special features:
- it is freely usable in both private and corporate environments, with Engine+Signature updates without time limitation;
- it is fully interoperable with other AntiVirus software and/or Internet Security products (both free and commercial) already installed on your computer. It doesn't require any uninstallation and doesn't cause slowdowns, as some features have been appropriately reduced to ensure interoperability with the AntiVirus software already on your PC/Server. This, however, allows cross-checking through the scan;
- it identifies and, in many cases, even removes most of the viruses/malware actually circulating or, alternatively, allows them to be sent to the C.R.A.M. Anti-Malware Research Center for further analysis to update Vir.IT eXplorer PRO;
- through Intrusion Detection technology, also made available in the Lite version of Vir.IT eXplorer, the software is able to report any new-generation viruses/malware that have set in automatically and send the reported files to TG Soft's C.R.A.M.;
- you can download Vir.IT eXplorer Lite from the official distribution page of TG Soft's website.
VirIT Mobile Security, ITALIAN AntiMalware for ALL Android™ Devices
VirIT Mobile Security is the Italian Anti-Malware software that protects Android™ smartphones and tablets from Malware intrusions and other unwanted threats, and empowers the user to safeguard their privacy with an advanced heuristic approach (Permission Analyzer).
TG Soft makes VirIT Mobile Security available for free on the Google Play Store market (https://play.google.com/store/apps/details?id=it.tgsoft.virit), where you can download the Lite version, which can be freely used in both private and business settings.
You can upgrade to the PRO version by purchasing it directly from our website: https://www.tgsoft.it/italy/ordine_step_1.asp
Acknowledgements
TG Soft's Anti-Malware Research Center would like to thank all users, customers, reseller technicians, and all the people who have transmitted/reported material attributable to Phishing activities to our Research Center, which allowed us to make this information as complete as possible.
How to send suspicious emails for analysis as possible phishing but also virus/malware or Crypto-Malware
You can submit materials to TG Soft's Anti-Malware Research Center safely and free of charge in two ways:
- Any suspect email can be sent directly from the recipient's e-mail to the following address: lite@virit.com, choosing "Forward as Attachment" as the sending mode and inserting in the subject section "Possible phishing page to verify" rather than "Possible Malware to verify";
- Save the e-mail to be sent to TG Soft's C.R.A.M. for analysis as a file external to the e-mail program used. The resulting file must be sent by uploading it from the page Send Suspicious Files (http://www.tgsoft.it/italy/file_sospetti.asp). Obviously, if you want feedback on the analysis of the data submitted, you have to indicate an e-mail address and a brief description of the reason for the submission (for example: possible / probable phishing; possible / probable malware or other).
For more details on how to safely forward suspicious e-mails, we invite you to consult the following public page: How to send suspicious emails for analysis
We provide all this information to help you prevent credential theft, viruses/malware or, even worse, next-generation Ransomware / Crypto-Malware.
TG Soft's C.R.A.M. (Anti-Malware Research Center)