Hello, I wanted to share today's experience with the community. I work as an IT consultant for SMBs and keep a very good and close relationship with my clients, with lots of education about data protection.
I got a call from a friend who had a computer infected with Crypz ransomware, demanding a ransom. After consulting with the client, he decided to make the payment (1.2 BTC) in an effort to get his files back.
We decided to send a .docx file for a test decryption, and that's when strange things started to happen.
I downloaded the decrypted file, which came back with a .html extension (?), and sent it to a dummy e-mail account. I then used a freshly formatted PC that had never connected to the internet until then, downloaded the .html file, and disconnected from the internet.
I renamed the file to .docx, opened it in MS Word (macros disabled), and the file looked OK, with the content as expected.
Now, approx. 1 minute after we reconnected this PC to the internet, it got infected with Cerber ransomware. I repeat, this PC had never connected to the internet before the file download, nor did I visit any site besides the mail service. It didn't do any damage; however, this was the first time I had experienced behaviour like this.
I tried to figure out how it happened, and I am going to test it again (same conditions) later today. I am wondering what would/could happen even if the client still goes for the decryption tool option.
Any thoughts from you guys?
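Not part of the original post: an added Python check, written from the defender's side, that sniffs a file's actual content (OOXML zip, OLE2, HTML) and compares it with the filename extension before anything opens the file, which is exactly the mismatch a file arriving as .html and then renamed to .docx would show. The sample bytes and filenames are constructed.

```python
import io
import re
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
HTML_PATTERN = re.compile(rb"<!doctype\s+html|<html|<script|<body", re.IGNORECASE)


def sniff_kind(data: bytes) -> str:
    """Classify file content from its bytes; the filename extension is ignored."""
    if data[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "zip-damaged"
        # OOXML Word documents are zips carrying [Content_Types].xml and a word/ part
        if "[Content_Types].xml" in names and any(n.startswith("word/") for n in names):
            return "docx"
        return "zip"
    if data[:8] == OLE2_MAGIC:
        return "ole2"  # legacy binary .doc/.xls container
    if HTML_PATTERN.search(data[:4096]):
        return "html"
    return "unknown"


EXPECTED_KIND = {"docx": "docx", "doc": "ole2", "html": "html", "htm": "html", "zip": "zip"}


def extension_matches(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (content agrees with extension, detected kind); unknown extensions never match."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff_kind(data)
    return EXPECTED_KIND.get(ext) == kind, kind


def build_sample_docx() -> bytes:
    """Constructed minimal OOXML-shaped zip standing in for a real Word document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


# Constructed sample: HTML of the kind that arrived under the wrong extension in the post
SAMPLE_HTML = b"<!DOCTYPE html><html><body><p>Invoice</p><script>/* ... */</script></body></html>"

if __name__ == "__main__":
    for name, blob in [("test.docx", build_sample_docx()), ("test.docx", SAMPLE_HTML)]:
        ok, kind = extension_matches(name, blob)
        print(f"{name}: detected {kind}, extension {'matches' if ok else 'MISMATCH'}")
```

Run the check on a received file before renaming it; a "MISMATCH" result on a supposed .docx is the signal to keep the file off any connected machine.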