Double Trouble As Campaign With Two Ransomware Becomes Global
Ransomware is the most dreaded of all malware; everyone dreads getting infected with ransomware. So just imagine how it would be to get doubly infected, with ransomware…
There have been many online email spam campaigns endeavoring to distribute ransomware, but a recent campaign, detected this month, has added a new twist to the story. The people behind the campaign has tried something different- rotating the ransomware payload and distributing two ransomware at one go. Thus the spam email that hits a system comes with a payload that can be swapped; it would deliver one ransomware first then, the very next hour, it would deliver another ransomware. The ransomware that are delivered through this campaign are Locky and FakeGlobe.
ZDNet reports- “While a widespread email spam campaign with the intention of distributing ransomware isn’t anything new, those behind a scheme detected during September have added a twist to this tried and testing technique: rotating the ransomware payload…The two forms of ransomware distributed by this scheme are Locky – which has recently seen something of resurgence – and FakeGlobe, which first appeared in June. Those behind the campaign have designed it so the payload can be swapped, meaning the spam email might deliver Locky one hour then FakeGlobe the next.”
It was cyber security researchers at Trend Micro who brought to light the campaign that eventually leads to re-infection, for many victims. A blog post authored by Julie Cabuhat, Michael Casayuran and Anthony Melgarejo of Trend Micro says- “The cybercriminals behind the campaign designed it so that clicking on a link from the spam email might deliver Locky one hour, and then FakeGlobe the next. This makes re-infection a distinct possibility, as victims infected with one ransomware are still vulnerable to the next one in the rotation.”
Experts point out that though earlier attackers would pair ransomware with the likes of Trojans, bringing together two ransomware is uncommon. This kind of a development could complicate things. Victims, on being re-infected, would either have to pay twice or get ready to lose their data permanently.
This campaign, which brought together the Locky ransomware and FakeGlobe ransomware, was executed by sending out phishing emails, disguised as bills and online invoices, to hundreds of thousands of unsuspecting victims, luring them into clicking on the link. When clicked, the link, which contains a zip file, would open and run a script. The script would connect to a URL that would lead to the downloading of the ransomware payload.
Security analysts have understood that since the payload here changes every few hours, it complicates things. One computer in a network would get infected and maybe give in to the demand made for ransom. Very soon, maybe in a few hours, someone else on the same network could fall victim to the other ransomware.
There is still a great amount of vagueness as regards the number of victims, but experts feel that this campaign could have infected users in over 70 countries worldwide, including the US, China, Japan and Germany.
Kevin Jones951 Posts
Kevin Jones, Ph.D., is a research associate and a Cyber Security Author with experience in Penetration Testing, Vulnerability Assessments, Monitoring solutions, Surveillance and Offensive technologies etc. Currently, he is a freelance writer on latest security news and other happenings. He has authored numerous articles and exploits which can be found on popular sites like hackercombat.com and others.