96 Hours To Pay Up Or Spider Ransomware Deletes Your Files

Uploaded on 2017-12-19 in NEWS-Cybersecurity News, GOVERNMENT-Law Enforcement, FREE TO VIEW

A new form of ransomware has emerged and is being distributed through malicious Office documents, infecting victims with file-encrypting malware. Uncovered by researchers at Netskope, the 'Spider Virus' ransomware campaign was first detected on December 10 and is ongoing.

Like many ransomware schemes, the attack begins with malicious emails to potential victims. The email subjects and the lure documents indicate the attackers are keen on targeting victims in the Balkans. It's currently unknown where the attackers are operating from.

The malicious Microsoft Office attachment contains obfuscated macro code which, if macros are enabled, allows a PowerShell to download the first stage of the ransomware payload from a host website. Following this, the PowerShell script decodes the Base64 string and performs operations to decode the final payloads in an .exe file, which contains the Spider ransomware encryptor.

PowerShell then launches the encryptor, encrypting the user's files, adding a '.spider' extension to them and then displaying a ransom note.

The note tells the victim they've been infected with the Spider Virus and that they need to make a bitcoin payment for "the right key" in order to get their files back. The attackers also issue a threat that if the payment isn't received within 96 hours, their files will be deleted permanently. They add victims shouldn't "try anything stupid" as the ransomware has "security measures" which delete the files if the victim tries to retrieve them without paying the ransom.

An additional note provides the victim with instructions on how to download the Tor browser required to access the payment site, how to generate a decryption tool, and how to purchase bitcoin.

"This may seem complicated to you, actually it's really easy", the note says, adding that there's also a video tutorial inside a 'help section'. It's common for ransomware distributors to provide this sort of 'service' to victims, because if the victims can't pay the ransom, the criminals won't make money from their campaign. The Spider ransomware is still being distributed in what researchers refer to as a "mid-scale campaign".

As well as educating employees about the danger of ransomware and backing up critical files, businesses can protect themselves from becoming infected by Spider, and many other forms of file-encrypting malware, by removing macros, which are used as an attack vector.

"In addition to disabling macros by default, users must also be cautious of documents that only contain a message to enable macros to view the contents and also not to execute unsigned macros and macros from untrusted sources," said Netscope's Amit Malik.

Because Spider is a brand new form of ransomware, there's currently no free decryption tool available for victims to retrieve files.

ZD Net

You Might Also Read:

Ransomware: Should You Pay The Ransom?:

British Companies Buy Bitcoins As Ransom Money:

Bitcoin Is Increasing Ransom Attacks:

 

« Russia Will Build A Separate Internet Directory
The Current Threat Of Global Cyber Warfare »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Security Innovation

Security Innovation

Security Innovation is a leader in software security assessments and application security training to top organizations worldwide.

CGI Group

CGI Group

CGI is a leading IT and business process services provider. Services include IT consulting, Systems Integration, Application Development, Infrastructure, Business Processes, Digital IP.

Center for Research on Scientific & Technical Information (CERIST)

Center for Research on Scientific & Technical Information (CERIST)

CERIST is a scientific and technical research centre with activities focused in the area of networks, information systems and IT security.

SHIELD

SHIELD

SHIELD is an established end-to-end fraud management solution that blocks fraudulent activities such as account takeovers, fake accounts creation, fraudulent payments, loyalty fraud and more.

Sompo International

Sompo International

Sompo International is a global specialty provider of property and casualty insurance and reinsurance services including Cyber & Network Risk.

oneclick

oneclick

oneclick is a central access and distribution platform in the cloud, enabling the management of the entire technology stack for application provisioning.

Bolster

Bolster

Bolster (formerly RedMarlin) is an AI-based cyber-security platform designed to detect phishing and fraudulent sites in real-time.

Vijilan Security

Vijilan Security

Vijilan provides 24/7 SOC services to MSPs/VARs. Our Security Operations Center is global, and our services are exclusive to the Channel.

Sixteenth Air Force (Air Forces Cyber) - USA

Sixteenth Air Force (Air Forces Cyber) - USA

Air Forces Cyber provides mission integration of Information Warfare at operational and tactical levels, creating dilemmas for adversaries in competition and, if necessary, future conflicts.

Perygee

Perygee

Perygee is a fully integrated platform for operational security. Companies depend on Perygee to identify and streamline the most important security practices for their operations.

Computacenter

Computacenter

Computacenter is a leading independent technology partner, trusted by large corporate and public sector organisations. We help our customers to source, transform and manage their IT infrastructure.

InterSec Inc.

InterSec Inc.

InterSec Inc. is a cybersecurity company that offers a variety of services to small and medium-sized businesses including CMMC Compliance, Program Management, Governance, & Cybersecurity.

Eviden

Eviden

Eviden is an Atos business that brings together its digital, big data and security business lines. It will be a global leader in data-driven, trusted and sustainable digital transformation.

Lansafe

Lansafe

Lansafe stands as a leading managed service provider in the UK, seamlessly integrating IT, Telecoms, Security, Electrical and Cyber Security solutions.

Virtual IT Group (VITG)

Virtual IT Group (VITG)

VITG is a cyber security-focused Managed Service Provider (MSP).

Quantum Knight

Quantum Knight

Quantum Knight is the most performant commercial-grade embeddable cryptography. Lock down any resource from any location or device. Take control of your data now.