Malicious Email Campaign Targeting Craigslist Job Ads to Spread Sigma Ransomware

Emails masquerading as responses to temporary job postings on Craigslist are attempting to deliver the Sigma Ransomware to unsuspecting victims. These emails contain a password-protected Word or RTF document that the sender claims is a resume. The body of the message references a job posting and provides a password that can be used to view the attached file. Recipients who open the attachment and enter the password will be prompted to enable macros on the document. If macros are enabled, Sigma Ransomware will download and install on the machine via an embedded VBA script. 

The NJCCIC strongly recommends users avoid enabling macros on any document unless they are aware of a specific reason why the document requires macros to run. Although we usually also recommend email users avoid clicking on links or opening attachments delivered with unexpected or unsolicited emails, this campaign specifically targets people who are soliciting emails from unknown job applicants. For these users, we recommend scanning all incoming file attachments such as resumes using a reputable antivirus software solution prior to opening. Additionally, be wary of any attachment that requires a password to open or view.