New spam campaign distributes two ransomware variants

Exterminator

Level 85
Thread author
Verified
Top Poster
Well-known
Oct 23, 2012
12,527
A new spam campaign has recently been seen distributing the Locky and FakeGlobe ransomware to unsuspecting victims, enabling the possibility that those who get infected might have to pay to decrypt their files not just once, but twice.

Discovered by researchers over at Trend Micro, the cybercriminals behind the initiative designed the two crypto-malware to rotate while distributing so that clicking on a link from a spam email might deliver Locky in the first hour, and FakeGlobe by the next. This makes victims infected with one ransomware still vulnerable to another attack.

The emails were found to have a .7z file attached, which is disguised as a legitimate invoice. This, as usual, will trigger the malicious code onto the host computer when opened. The researchers further found that the payload changes every few hours. As ZDNet explains, this means that one computer on a network can become infected with ransomware, with the user giving in to the demand, while another can unknowingly fall to the other malware after a few hours.


Locky ransomware | via AppRiver
The campaign has affected users in China, Japan, US, and 70 other countries. The messages were sent during work hours when users are more likely to check their email. Lastly, Trend Micro found that the senders of the malicious message were mostly from India, Vietnam, and Iran.

It's not new that cybercrooks tend to bundle two malicious software in one attack. Ransomware can be combined with information-stealing code that can be used to further threaten the victim. However, with the consideration that rotating malware that can encrypt your system twice is now a reality, it pays to be careful of the attachments we download online. This is the usual attack vector of cybercriminals, and proven to be an effective one as well. Employing a good security solution can also help in protecting our computers from malicious software that can compromise our security.
 
5

509322

so in a zip file there is exe right?

If it is the same one I saw earlier today, then it is a .vbs file.

Also, if you pay the ransom the key provided will not decrypt the files (they are sending the same key to everyone whose files have been encrypted).
 

Itachi Sempai

Level 2
Verified
Sep 20, 2017
93
If it is the same one I saw earlier today, then it is a .vbs file.

Also, if you pay the ransom the key provided will not decrypt the files (they are sending the same key to everyone whose files have been encrypted).
ok... i hope i wont have to pay anything
 
5

509322

ok... i hope i wont have to pay anything

As a matter of principle, don't ever pay a ransom. Paying the ransom doesn't guarantee that you will be able to decrypt files. Organizations have paid huge ransom fees and the provided decryption keys didn't work or the decryption process went terribly wrong. No files or only some files recovered and out a boat-load of cash.
 
5

509322

If people wouldn't pay the ransom, then the disgusting little thieves wouldn't bother. The little thieves understand human nature very well - and that is why ransomware is so profitable for them.

Easy, extremely reliable file backup is free... and it only takes minutes to install it, then set it, and forget it.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top