Beware of online bills with ransomware: newly discovered threat has manifested itself in many countries

Just a few days ago we have received a notification from the Spanish electricity company called Endesa, in which we were warned about a new online fraud that infects victims via fake emails. Cyber criminals sent false bills to Spanish users on behalf of the company Endesa, after opening an emails users were attacked by ransomware. Unfortunately, cyber criminals were able to successfully launch their attacks, and even continue them in other countries. Now it is very difficult to estimate the number of people who have received such “fake bills”, and the number of those who became victim of this attacks.


Over the last few days, new target of attacks was found. It was a state electricity company of Poland called PGE. Customers of this company were getting the same emails with fraud invoice and ransomware in attachment. Same as in the Spanish case, the criminals also infect and important and sensitive information which belongs to home and business users, after the infected file is opened, which is supposed to be the invoice for electricity (which becomes too expensive for the user).

What we are facing is the massive frauds that cross national borders and have a very profitable purpose – to force user to pay a ransom in order to return an access to user’s personal files.


In Spain and in Poland, the attack worked identically. Cyber criminals were sending false invoices allegedly on behalf of the known electricity company with an objective to infect naïve user’s computers with Cryptolocker Locky. Although this attack is reached only Spain and Poland, it spreads rapidly and may soon be in any other country in the world. Here are some tips to help to protect yourself against this threat:

  • In all of the previously described cases, user receives an invoice by e-mail and the subject of the letter contains the name of the electricity company, which operates in the country.
  • In both of the countries the email contained a false bill. After analyzing the situation of PGE, we found that the message may appear somewhat muddled with random Polish letters that randomly appear inserted into the text of the letter.
  • When user wants to see the invoice more detailed, he clicks on the button in the email with the text like “See Your Invoice and Consumption”, which is located under the total energy consumption statistics. Afterwards, user will be redirected to the fake website that looks exactly like the official website of the company.
  • On the fake website users are asked to fill in the Captcha field to access the zip-file. People think that they perform safe operation, but in reality, their cyber-security is controlled by a very powerful ransomware.


  • After the user fills the Captcha field, he is proposed to download the .zip file.
  • The .zip archive contains a file with the java-script, and when the user opens it, the script downloads and launches ransomware.
  • Once the malware is executed, all of the user’s personal files will be encrypted by Locky – an aggressive ransomware, which will only decrypt the files after receiving a ransom payment.

Every day, the cyber criminals are learning something new and trying to perform more individual and sharpened to a specific user attacks. They manage to successfully carry out their attacks, using the names of well-known and reliable companies, and as a result people are easily falling into the trap.

One thing is clear: if you are not protected from this type of ransomware, you are risking to lose your personal and corporate files during one of those attacks.

Information added: 06/23/2016 07:53 PM;