Attacks/Breaches

9/19/2017
04:15 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

New Spam Campaign Literally Doubles Down on Ransomware

An upgraded spam campaign alternates Locky and FakeGlobe ransomware, forcing victims to pay twice or lose all their data.

Cybercriminals have launched an upgraded spam campaign pushing both Locky and FakeGlobe ransomware variants in an apparent attempt to overwhelm their victims.

Back in September, Trend Micro researchers discovered a large spam campaign distributing the newest version of Locky ransomware. Since it first appeared in early 2016, Locky has evolved and spread through several distribution methods, specifically spam emails. Attackers have used increasingly sophisticated means to hit users with Locky in more than 70 countries.

They recently found Locky has been combined with FakeGlobe in a single campaign designed to rotate the two. Victims who click a link embedded in a spam email could be hit with Locky one hour, and then FakeGlobe the next. This campaign format heightens the possibility of reinfection, as targets hit with Locky remain vulnerable to FakeGlobe in the rotation.

These emails include a link and attachment disguised as bills or invoices to the user. The script in the attachment is similar to the one inside the archive downloaded from the link, but the two contain different binaries and connect to different URLs for downloads. One downloads a variant of Locky; the other downloads FakeGlobe, or "Globe Imposter," ransomware.

With Locky and FakeGlobe pushed alternately, victims' files can be re-encrypted with a different form of ransomware. This means targets will have to pay twice or permanently lose their data, a tactic their attackers are hoping will scare them into payment.

"When it comes to these types of attacks - ransomware attacks - it's all about speed and impact; something that can shock and awe," says Ed Cabrera, chief cybersecurity officer at Trend Micro. "They want to be able to attack as many individuals and organizations as they possibly can, and do it fairly quickly while having the biggest impact."

This particular campaign mostly affected users in Japan (25%), China (10%), and the United States (9%). Forty-five percent of the spam was distributed to more than 70 other countries. Distribution time overlaps with work hours, when more people are likely to be checking email.

Ultimately, says Cabrera, the attackers' motivation is financial gain. This campaign is a sign that threat actors are working on more aggressive means of achieving their goals.

"The intended outcome is to really scare their victims into believing there's no other option than paying," he explains. "The shock value is to improve their financial gain, to improve the odds of them being paid … if they overwhelm their intended victims, they believe they have a better chance."

This is not the first time researchers have seen download URLs pushing a rotation of different malware, as noted in a blog post on the discovery. However, past campaigns have pushed ransomware with information stealers and banking Trojans. The Locky/FakeGlobe combination was seen in a separate August campaign, which first pushed Locky and added FakeGlobe.

The combination of two variants is dangerous for businesses, which are forced to adjust their incident response processes to properly handle these threats. Any attack that increases the risk to operations is something organizations must dedicate time and resources to defend against.

"Each organization should have an incident response plan, but it should be ready for a massive ransomware attack," says Cabrera.

As campaigns work faster to deliver ransomware, as this one does, security teams must accelerate incident response. This means faster correspondence and collaboration with business units and executives, from PR to legal and outside counsel and forensics teams.

Cabrera anticipates more aggressive types of online extortion campaigns outside traditional ransomware. Attackers are also making campaigns more sophisticated with better graphic design in ransom notes and "customer service," or assistance with making payments, he adds.

"It's really the evolution of the criminal underground," he explains. "We've talked about crime-as-a-service for quite some time … these small criminal startups compete with each other to get as many customers as they possibly can."

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
6 Security Trends for 2018/2019
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/15/2018
6 Reasons Why Employees Violate Security Policies
Ericka Chickowski, Contributing Writer, Dark Reading,  10/16/2018
Getting Up to Speed with "Always-On SSL"
Tim Callan, Senior Fellow, Comodo CA,  10/18/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Latest Comment: Too funny!
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10839
PUBLISHED: 2018-10-16
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
CVE-2018-13399
PUBLISHED: 2018-10-16
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-18381
PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.