Fake notice of arrival from Posti: ransomware disguised as a waybill

The NCSC-FI at FICORA has received several reports of scam emails claiming to be from Posti. These emails are used to spread ransomware encrypting the user's files. If you have received such scam email, do not click any link in the email.

The scam email written in poor Finnish claims that a parcel delivery has failed. The email urges the recipient to download and print a delivery waybill by clicking a link. The subject of the email is in Norwegian "Faktura Fra Telenor Norge AS, Mobil [numbers]". The emails have been sent with forged sender details from posti.org.

Target group of the alert

All users of online services

Possible solutions and restrictive measures

  • Do not open any links in scam emails.
  • The fake waybill on the scam website should not be downloaded or opened.
  • If you have opened the “waybill", and as a result, been affected by the ransomware, do not pay the ransoms. Instead, report the case to the police.
  • It is recommended to update your backups regularly in order to be able to recover any files encrypted by the ransomware.

Further information

Information security now! Kiristyshaittaohjelmaa levitetään Postin nimissä (16 February 2017) (in Finnish)

FICORA has published instructions and articles on ransomware. Read more (in Finnish):

Selviytymisopas kiristyshaittaohjelmia vastaan (005/2016 J) (in Finnish)

Update history

Key words: Information security , Internet , CERT , Cyber security , NCSC-FI , Ransomware , Alerts

LinkedIn Print


The Finnish Communications Regulatory Authority (FICORA)

The National Cyber Security Centre Finland (NCSC-FI)

Itämerenkatu 3 A

P.O. Box 313


Media contacts by telephone +358 295 390 248