Spear-phishing Pacman cryptolocker campaign targets chiropractors' environments

The Denmark-based security company CSIS has provided information about a new malware campaign that targets chiropractors. CSIS discovered the Pacman malware while analyzing a spear-phishing email that was sent to a chiropractor. The spear-phishing email claims to carry a message about a “patient” and says that the chiropractor has to read the message via Dropbox.

The CSIS picture of the spear phishing PACMAN campaign

The forged spear-phishing email contains a malformed link which claims to redirect the user to a Dropbox image file.


The CSIS report states that once the payload has been downloaded and executed, the victim is shown a “Ransomware” screen. The screen demands that the user pay a specific amount of money to get the files back. If the victim declines this demand, the ransomware will delete all the locked files on the infected computer. The CSIS report explains that the Pacman malware has both ransomware and keylogging capabilities.

Pacman Ransomware screen [Picture by CSIS]

The text shown on the Ransomware screen:

Your files have been encrypted! And your computer locked!

Countdown 23:59:58 to descruction

All your documents, photos, databases and other important files have been encrypted with a strong, random and unique key, generated just for this computer.

If the timer runs out (00:00:00) you will lose all chances of ever restoring your files!

It is impossible to decrypt your files without the correct key! Trying to do so anyways wil result in dataloss, meaning that you will lose all your files! Only this program can decrypt your files again, if you pay!

Warning! Do not try to get rid of this program yourself! Any action taken will result in the decryption key being destroyed! The only way to keep all your files and decrypt them, is to pay and let this program decrypt and restore your files again.

For Security Researchers

The CSIS report published some unique values which you can use to analyse the Pacman spear-phishing attack. CSIS also submitted a sample to VirusTotal. You can find the VirusTotal report on the Pacman spear-phishing malware attack here.

Sanitized by CSIS (C&C servers):

  • hxxp://myplacehome[.]comuv.com/crypted.php
  • hxxp://myplacehome[.]comuv.com/locked.php

Pacman kills the following processes:

  • taskmgr
  • cmd
  • regedit
  • msconfig
  • sdclt
  • rstrui
  • powershell
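
A behavioural check built on the process list above, added here as an example (it is not code from CSIS or from the original article): it flags a host when several of the listed tools exit within seconds of being started. The event line format, the sample data and the three thresholds are constructed assumptions, as is the premise that the kills show up in process telemetry as very short process lifetimes.

```python
from datetime import datetime, timedelta

# Process names taken from the list above (the tools Pacman kills).
WATCHED = {"taskmgr", "cmd", "regedit", "msconfig", "sdclt", "rstrui", "powershell"}
MAX_LIFETIME = timedelta(seconds=2)  # assumption: a killed tool exits almost at once
WINDOW = timedelta(minutes=10)       # assumption: correlation window per host
MIN_DISTINCT = 3                     # assumption: distinct tools needed to alert

# Constructed sample telemetry, one event per line: time host event pid image
SAMPLE_LOG = r"""
2015-03-02T09:00:00 PC-01 start 4100 C:\Windows\System32\Taskmgr.exe
2015-03-02T09:00:01 PC-01 exit 4100 C:\Windows\System32\Taskmgr.exe
2015-03-02T09:00:20 PC-01 start 4132 C:\Windows\System32\cmd.exe
2015-03-02T09:00:20 PC-01 exit 4132 C:\Windows\System32\cmd.exe
2015-03-02T09:01:05 PC-01 start 4188 C:\Windows\regedit.exe
2015-03-02T09:01:06 PC-01 exit 4188 C:\Windows\regedit.exe
2015-03-02T09:00:00 PC-02 start 2210 C:\Windows\System32\cmd.exe
2015-03-02T09:00:01 PC-02 exit 2210 C:\Windows\System32\cmd.exe
2015-03-02T09:05:00 PC-02 start 2300 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
2015-03-02T09:30:00 PC-02 exit 2300 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"""

def short_lived_tools(log_text):
    """Yield (host, exit_time, tool) for watched tools that exited within MAX_LIFETIME."""
    started = {}
    for line in filter(str.strip, log_text.splitlines()):
        ts, host, event, pid, image = line.split(None, 4)
        when = datetime.fromisoformat(ts)
        tool = image.rsplit("\\", 1)[-1].lower().rsplit(".", 1)[0]  # cmd.exe -> cmd
        if tool not in WATCHED:
            continue
        if event == "start":
            started[host, pid] = when
        elif event == "exit" and (host, pid) in started:
            if when - started.pop((host, pid)) <= MAX_LIFETIME:
                yield host, when, tool

def suspicious_hosts(log_text):
    """Return {host: [tools]} where >= MIN_DISTINCT watched tools died young within WINDOW."""
    hits = sorted(short_lived_tools(log_text))  # ordered by host, then exit time
    alerts = {}
    for host, first, _ in hits:
        tools = {t for h, when, t in hits if h == host and first <= when <= first + WINDOW}
        if len(tools) >= MIN_DISTINCT:
            alerts.setdefault(host, sorted(tools))
    return alerts

if __name__ == "__main__":
    print(suspicious_hosts(SAMPLE_LOG))
```

PC-02 does not alert: only one of its watched tools was short-lived, and the long-running powershell session is ignored.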


For Private users

Malware is very annoying, and it is at its most annoying when it is active on an infected device. You can protect yourself against these types of attacks by using the latest anti-virus solutions and internet protection suites. If you get a message from a user whom you do not trust, make sure that you verify the user.

You can verify the user in various ways:

  • Run a check on the email domain by using the MXTOOLBOX and VIRUSTOTAL tools.
  • Ask your manager or friends to verify if the email is genuine.
  • Check for malicious links.
  • Upload the attachment to the VirusTotal website. Make sure that you DO NOT execute the attachment.
  • Visit your Dropbox environment via the official Dropbox domain and not via a link which has been sent to you.