Ransomware Distributed as Email from the IRS

Jordan Kadlec


Photo courtesy of BleepingComputer. 

A new strain of ransomware is making tax season more stressful than it already is. Dubbed Rapid Ransomware, the malware is being spread via email attachments coming from what appears to be the Internal Revenue Service (IRS). However, if you are even somewhat informed about the dangers of opening email attachments from unknown senders, this ransomware shouldn’t be hard to detect.

Rapid Ransomware

Rapid Ransomware (Rapid) is nothing special in terms of ransomware variants. It’s distributed via email, which is the most common attack vector for cybercriminals. Unlike many other ransomware infections, however, this ransomware will configure itself to start every time you log in to the computer. Setting itself to start on login allows the ransomware to encrypt new files as they are created. Furthermore, the email contains an attachment that, when opened, starts the encryption process that makes ransomware so dangerous. As Rapid is so new to the ransomware scene, there is currently no way to decrypt your files without paying the ransom.

How to detect Rapid Ransomware

First off, it’s extremely important to know that the IRS will never contact you via email, text message, or social media channels. The most common form of communication from the IRS is through physical mail. It is also imperative to note who the email is coming from. The IRS is an entity based in the United States, yet the message comes from an email address ending in gov.uk.

Next, all the messages we have seen are titled “Please Note – IRS Urgent Message-164.” The body of the message claims that you have unpaid property taxes which, if you own property, can be very convincing. If you receive this email, delete it immediately.

While opening the actual message will not deploy the ransomware, you don’t want to take that chance. The attachment included in the email is another way to tell that it’s not actually the IRS contacting you. Upon opening the attachment, the message explaining what has just happened and how to obtain the decryption key is in German. So, the cybercriminals want you to believe that the IRS is contacting you from an email address in the UK, and that you should also know how to read German if you’re going to fix your property tax situation.
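The traits listed in this section (an IRS claim from a non-IRS sender, an address ending in gov.uk, the reported subject line, an attachment) can be checked automatically when triaging mail. The Python sketch below is an added example, not code from this article or from BleepingComputer; the sample messages, addresses and attachment name are constructed, and accepting only irs.gov as an IRS sender domain is an assumption.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Subject reported in the article; matching without the trailing number is an assumption.
SUBJECT_RE = re.compile(r"please note\s*[-\u2013]\s*irs urgent message", re.I)
IRS_CLAIM_RE = re.compile(r"\b(irs|internal revenue service)\b", re.I)

def in_domain(domain, parent):
    return domain == parent or domain.endswith("." + parent)

def triage(raw):
    """Return the reasons a raw message matches the traits described above."""
    msg = message_from_string(raw, policy=policy.default)  # decodes RFC 2047 headers
    display, addr = parseaddr(str(msg.get("From", "")))
    subject = str(msg.get("Subject", ""))
    domain = addr.rpartition("@")[2].lower()
    reasons = []
    # Assumption: irs.gov is the only sender domain accepted for an IRS claim.
    if IRS_CLAIM_RE.search(f"{display} {subject}") and not in_domain(domain, "irs.gov"):
        reasons.append("claims to be the IRS from " + (domain or "an unknown domain"))
    if in_domain(domain, "gov.uk"):
        reasons.append("sender address ends in gov.uk")
    if SUBJECT_RE.search(subject):
        reasons.append("subject matches the reported campaign title")
    if any(part.get_filename() for part in msg.walk()):
        reasons.append("carries a file attachment")
    return reasons

def build_sample(sender, subject, attachment=None):
    """Build a constructed test message; no real campaign data is used."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@example.com", subject
    m.set_content("Constructed sample body.")
    if attachment:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()

# Constructed samples: the address and attachment name are placeholders.
SUSPECT = build_sample("Internal Revenue Service <notice@example.gov.uk>",
                       "Please Note \u2013 IRS Urgent Message-164", "constructed.bin")
BENIGN = build_sample("Alice <alice@example.com>", "Lunch on Friday")

if __name__ == "__main__":
    for name, raw in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, triage(raw))
```

A message that trips several of these checks at once is a candidate for quarantine; the attachment check alone is too broad to act on.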


Photo courtesy of BleepingComputer.

Tax Season Ransomware Campaigns

While this is not the first and certainly not the last time we will see a ransomware campaign occur during tax season, this one could have been a lot more dangerous if the hackers had put a bit more work into it. We have all heard about the new tax reform that the government recently put into place, which could affect the deductions we can take. This could easily prompt someone to open this email, as well as the attachment, to potentially learn more about the reform. However, if you are diligent when opening emails from unknown senders, Rapid Ransomware shouldn’t be an issue for those of us who are informed about issues such as these.

Once again, remember the IRS will never contact you via email, text message, or social media campaigns. If you receive an email from someone claiming to be the IRS, delete it immediately. Otherwise, your tax return could end up going straight to paying for the decryption key.
