If you post ads on Craigslist for short-term employment, be aware that there's a new malspam campaign that aims to distribute Sigma ransomware to the computers of unwary users.
By all outward appearances, the emails seem to come from Craigslist in response to ads posted in Craigslist's 'Gigs' section for short-term employment. The emails will generally express interest in whatever job the user has posted and include a protected Word or RTF document, which recipients will assume is a resume.
If the recipient enters the password to unlock the document, they'll then be presented with a screen that asks them to enable the content in the document. Unfortunately, this is the step that dooms the user. The file isn't a resume at all, but merely a delivery vehicle.
As soon as the content is enabled, the ransomware is installed and the user's files are encrypted. The ransomware then 'helpfully' posts a message explaining that the files have been encrypted and that, to get access to them again, the user will have to pay a $400 fee, which rises to $800 if the user waits longer than seven days to request the decryption key.
Unfortunately, there's no known way to decrypt Sigma-encrypted files other than paying the ransom.
This is a new twist on a very old game. Even worse, it's enjoying a relatively high success rate because people who post ads for short-term employment on Craigslist expect to get responses from people they don't know. They expect that those people will be sending resumes for review.
The 'tell' is that when a potential employee sends you a resume, it's almost certainly not going to be password protected. In this case, your best bet would be to reply to the sender and ask them to send you a non-protected resume if they're genuinely interested in the job.
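The 'tell' described above can be checked automatically before a message reaches the inbox. The following is an added example, not code from the original article: it walks an email's attachments and flags any that look like password-protected Office documents. It assumes the modern Office encryption wrapper (an OLE container holding `EncryptedPackage` and `EncryptionInfo` streams); legacy binary `.doc` encryption is not covered, and the sample message and its addresses are constructed.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE2 compound file header
# Stream names in an OLE directory are UTF-16LE. Office wraps a
# password-protected OOXML document in an OLE container with these two streams.
ENC_STREAMS = ("EncryptedPackage".encode("utf-16-le"),
               "EncryptionInfo".encode("utf-16-le"))

def is_encrypted_office(data: bytes) -> bool:
    """Heuristic: OLE container that carries the OOXML encryption streams."""
    return data.startswith(OLE_MAGIC) and all(s in data for s in ENC_STREAMS)

def flag_attachments(raw_email: bytes) -> list[str]:
    """Return filenames of attachments that look like encrypted Office files."""
    msg = message_from_bytes(raw_email, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if is_encrypted_office(data):
            flagged.append(part.get_filename() or "(unnamed)")
    return flagged

def build_sample() -> bytes:
    """Constructed message; attachment bytes are synthetic, not real documents."""
    msg = EmailMessage()
    msg["From"] = "applicant@example.com"
    msg["To"] = "poster@example.com"
    msg["Subject"] = "Re: your gig posting"
    msg.set_content("Resume attached, the password is in this mail.")
    fake_encrypted = OLE_MAGIC + b"\x00" * 504 + b"".join(ENC_STREAMS)
    fake_plain = OLE_MAGIC + b"\x00" * 504 + "WordDocument".encode("utf-16-le")
    msg.add_attachment(fake_encrypted, maintype="application",
                       subtype="msword", filename="resume.doc")
    msg.add_attachment(fake_plain, maintype="application",
                       subtype="msword", filename="portfolio.doc")
    return msg.as_bytes()

if __name__ == "__main__":
    # Only the attachment carrying the encryption streams is reported.
    print(flag_attachments(build_sample()))
```

A flagged attachment is a reason to quarantine the message or ask the sender for an unprotected copy, not proof of malware on its own.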