96 Hours To Pay Up Or Spider Ransomware Deletes Your Files

Uploaded on 2017-12-19 in NEWS-Cybersecurity News, GOVERNMENT-Law Enforcement, FREE TO VIEW

A new form of ransomware has emerged and is being distributed through malicious Office documents, infecting victims with file-encrypting malware. Uncovered by researchers at Netskope, the 'Spider Virus' ransomware campaign was first detected on December 10 and is ongoing.

Like many ransomware schemes, the attack begins with malicious emails to potential victims. The email subjects and the lure documents indicate the attackers are keen on targeting victims in the Balkans. It's currently unknown where the attackers are operating from.

The malicious Microsoft Office attachment contains obfuscated macro code which, if macros are enabled, allows a PowerShell to download the first stage of the ransomware payload from a host website. Following this, the PowerShell script decodes the Base64 string and performs operations to decode the final payloads in an .exe file, which contains the Spider ransomware encryptor.

PowerShell then launches the encryptor, encrypting the user's files, adding a '.spider' extension to them and then displaying a ransom note.

The note tells the victim they've been infected with the Spider Virus and that they need to make a bitcoin payment for "the right key" in order to get their files back. The attackers also issue a threat that if the payment isn't received within 96 hours, their files will be deleted permanently. They add victims shouldn't "try anything stupid" as the ransomware has "security measures" which delete the files if the victim tries to retrieve them without paying the ransom.

An additional note provides the victim with instructions on how to download the Tor browser required to access the payment site, how to generate a decryption tool, and how to purchase bitcoin.

"This may seem complicated to you, actually it's really easy", the note says, adding that there's also a video tutorial inside a 'help section'. It's common for ransomware distributors to provide this sort of 'service' to victims, because if the victims can't pay the ransom, the criminals won't make money from their campaign. The Spider ransomware is still being distributed in what researchers refer to as a "mid-scale campaign".

As well as educating employees about the danger of ransomware and backing up critical files, businesses can protect themselves from becoming infected by Spider, and many other forms of file-encrypting malware, by removing macros, which are used as an attack vector.

"In addition to disabling macros by default, users must also be cautious of documents that only contain a message to enable macros to view the contents and also not to execute unsigned macros and macros from untrusted sources," said Netscope's Amit Malik.

Because Spider is a brand new form of ransomware, there's currently no free decryption tool available for victims to retrieve files.

ZD Net

You Might Also Read:

Ransomware: Should You Pay The Ransom?:

British Companies Buy Bitcoins As Ransom Money:

Bitcoin Is Increasing Ransom Attacks:

 

« Russia Will Build A Separate Internet Directory
The Current Threat Of Global Cyber Warfare »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

LogRhythm

LogRhythm

LogRhythm's security platform unifies SIEM, log management, network and endpoint monitoring, user behaviour analytics, security automation and advanced security analytics.

Okta

Okta

Okta is an enterprise-grade identity management service, built from the ground up in the cloud to address the challenges of a cloud-mobile-interconnected world.

OCERT

OCERT

OCERT is the National Computer Emergency Response Team of Oman.

Datiphy

Datiphy

Datiphy's data-centric security platform uses behavioral analytics, and data-centric auditing and protection capabilities to mitigate risk.

National Cyber Security Centre (CNCS) - Portugal

National Cyber Security Centre (CNCS) - Portugal

CNCS is the operational coordinator and Portuguese national authority in cybersecurity working with State entities, and digital service providers

Cymbel

Cymbel

Cymbel provides businesses and government agencies with the tools and expertise they need to manage the most complex security and compliance challenges.

MER Group

MER Group

MER Group is a world-leading solutions provider specializing in Homeland Security (HLS), Cyber and Intelligence, Communication Infrastructure and Tactical Communication Systems.

Ritz

Ritz

Ritz is the largest holistic pure-play cyber security solutions provider in Myanmar.

LightEdge Solutions

LightEdge Solutions

LightEdge’s highly-trained compliance and security experts take the guesswork out of keeping your business protected.

HCC Embedded

HCC Embedded

HCC’s mission is to ensure that data stored or communicated by an embedded IoT application is secure, safe and reliable.

Innovasec

Innovasec

Innovasec provide information security consulting and training services.

Get Indemnity

Get Indemnity

Get Indemnity are specialist insurance brokers with experience working on a wide range of innovative business insurance products that combine risk management, indemnity and incident response services.

LOGbinder

LOGbinder

LOGbinder eliminates blind spots in security intelligence for endpoints and applications.

Viakoo

Viakoo

Viakoo is an Enterprise IoT Applications Management company providing performance, security, and compliance. Viakoo enables you to be proactive in maintaining cyber hygiene and protecting your network

Secret Intelligence Service (SIS - MI6)

Secret Intelligence Service (SIS - MI6)

The UK’s Secret Intelligence Service, also known as MI6, has three core aims: stopping terrorism, disrupting the activity of hostile states, and giving the UK a cyber advantage.

Keeran Networks

Keeran Networks

Established in Edmonton in 1999, Keeran specializes in delivering comprehensive IT support and solutions aimed at optimizing technology investments for businesses.