top of page

Ransomware files discovered in fake TripAdvisor emails

Researchers have discovered suspicious complaint emails purporting to be from TripAdvsor containing malicious excel files designed to steal and encrypt users’ data.

Cyclops ransomware gang designed a Go-based information stealer to capture sensitive information from victims, including files with .JPG, .JPEG, .PDF, .TXT and .DOC extensions. The ransomware is also capable of disabling any processes which may interfere with its encryption activities.

In July, Cyclops rebranded as Knight, and improved its “lite encryptor” service. They also launched a new data leak site, though there are no victims or stolen files listed on there yet.

In an interesting move, a Sophos researcher has noticed that emails appearing to be TripAdvisor complaints contain the Knight ransomware inside downloadable files. The emails contain a .ZIP file attachment including a virus-laden html attachment.

The html file uses a Browser-in-the Middle phishing technique to open what appears to be a legitimate TripAdvisor browser window containing the complaint. The window requires the user to click on a button labelled “Read Complaint”. However, instead of taking the user to the complaint, the button downloads an Excel XLL file containing the malware which executes on the device once opened.

Microsoft Excel can detect Mark-of-the-Web (MotW) flags within excel files (a layer of protection of files confirming they originate where they claim to be from) and block them from automatically opening.

However, if the MotW cannot be detected, Excel prompts the user to either enable the add-ins or keep them disabled.

If the user chooses to enable the add-ins, the malicious file will execute and begin encrypting files on the device. Once encrypted, the files are given the extension .knight_l.

Additionally of interest in the tactics employed in this campaign is the ransom request. Among the encrypted files is a .txt file explaining how victims can restore their files by sending £5,000 to a bitcoin address.

However, all the examples of the ransom notes contain the same bitcoin address making it impossible for the threat actor to know who has paid the ransom.

This strengthens the advice from cyber security professionals and the police to not pay a ransom in return for decryption, as it is unlikely they have any intentions of releasing the encrypted files.

Also, with no proof of payment, others can claim your payment as theirs, again suggesting there will be no decryption for your files

To learn more about malicious emails and texts, and to get your staff up-to-speed with the latest threats to your business, talk to us about Security Awareness Training. Your staff can be the first barriers against a cyber attack.



Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).



The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.


EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.

bottom of page