96 Hours To Pay Up Or Spider Ransomware Deletes Your Files

A new form of ransomware has emerged and is being distributed through malicious Office documents, infecting victims with file-encrypting malware. Uncovered by researchers at Netskope, the 'Spider Virus' ransomware campaign was first detected on December 10 and is ongoing.

Like many ransomware schemes, the attack begins with malicious emails to potential victims. The email subjects and the lure documents indicate the attackers are keen on targeting victims in the Balkans. It's currently unknown where the attackers are operating from.

The malicious Microsoft Office attachment contains obfuscated macro code which, if macros are enabled, runs a PowerShell script that downloads the first stage of the ransomware payload from a host website. The PowerShell script then decodes a Base64 string and performs further decoding steps to produce the final payload, an .exe file containing the Spider ransomware encryptor.

PowerShell then launches the encryptor, encrypting the user's files, adding a '.spider' extension to them and then displaying a ransom note.
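The chain described above (Office document, macro-launched PowerShell with an encoded download stage, dropped executable, bulk renames to .spider) is what an endpoint or SIEM rule would key on. The following Python is an added example written for this page, not code from the Netskope research or the ZDNet report: it runs two detections over a constructed, inline set of telemetry lines. The `key=value` event format, the executable name `dropped.exe`, the placeholder encoded command and the burst thresholds are all assumptions made for the example.

```python
import re
from collections import deque

# Constructed sample telemetry (NOT from the article), in an assumed
# "key=value key=value" line format. It models the chain the article
# describes: Word launches PowerShell with a hidden-window encoded command,
# PowerShell launches a dropped executable, and documents are renamed to
# *.spider in quick succession. Later lines are benign noise.
SAMPLE_EVENTS = """\
ts=1512900000 type=process parent=explorer.exe image=WINWORD.EXE cmd=WINWORD.EXE invoice.doc
ts=1512900002 type=process parent=WINWORD.EXE image=powershell.exe cmd=powershell.exe -w hidden -EncodedCommand PLACEHOLDERBASE64
ts=1512900009 type=process parent=powershell.exe image=dropped.exe cmd=dropped.exe
ts=1512900010 type=rename old=C:\\Users\\u\\Documents\\a.docx new=C:\\Users\\u\\Documents\\a.docx.spider
ts=1512900010 type=rename old=C:\\Users\\u\\Documents\\b.xlsx new=C:\\Users\\u\\Documents\\b.xlsx.spider
ts=1512900011 type=rename old=C:\\Users\\u\\Documents\\c.pdf new=C:\\Users\\u\\Documents\\c.pdf.spider
ts=1512900011 type=rename old=C:\\Users\\u\\Pictures\\d.jpg new=C:\\Users\\u\\Pictures\\d.jpg.spider
ts=1512900012 type=rename old=C:\\Users\\u\\Pictures\\e.png new=C:\\Users\\u\\Pictures\\e.png.spider
ts=1512900500 type=rename old=C:\\Users\\u\\Desktop\\notes.txt new=C:\\Users\\u\\Desktop\\notes.bak
ts=1512900600 type=process parent=explorer.exe image=powershell.exe cmd=powershell.exe Get-Process
"""

# Office binaries that should rarely, if ever, spawn a shell interpreter.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Command-line cues matching the stages the article describes: an encoded
# command, a download step, Base64 decoding, or a hidden window.
SUSPICIOUS_CMD = re.compile(
    r"-e(?:nc|ncodedcommand)?\b|frombase64string|downloadstring|downloadfile|"
    r"invoke-webrequest|net\.webclient|-w(?:indowstyle)?\s+hidden",
    re.IGNORECASE,
)


def parse_event(line):
    """Parse one 'key=value key=value ...' line into a dict.

    A value runs until the next ' key=' token, so a command line containing
    spaces is kept intact. The timestamp is converted to an int."""
    fields = {m.group(1): m.group(2)
              for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", line)}
    fields["ts"] = int(fields["ts"])
    return fields


def detect_office_spawning_powershell(events):
    """Return (ts, reason, cmd) for every PowerShell process whose parent is
    an Office application, noting whether the command line carries the
    encoded/download/hidden-window cues from the infection chain."""
    hits = []
    for e in events:
        if e.get("type") != "process":
            continue
        if (e.get("parent", "").lower() in OFFICE_IMAGES
                and e.get("image", "").lower() == "powershell.exe"):
            reason = "office-spawned PowerShell"
            if SUSPICIOUS_CMD.search(e.get("cmd", "")):
                reason += " with encoded/download/hidden-window arguments"
            hits.append((e["ts"], reason, e.get("cmd", "")))
    return hits


def detect_rename_burst(events, ext=".spider", window=60, threshold=5):
    """Flag the first 'window'-second span in which at least 'threshold'
    files are renamed to 'ext' (sliding-window count over rename events).
    Returns a summary dict, or None if no burst is seen."""
    renames = sorted((e for e in events if e.get("type") == "rename"),
                     key=lambda e: e["ts"])
    recent = deque()
    for e in renames:
        if not e.get("new", "").lower().endswith(ext):
            continue
        recent.append(e["ts"])
        # Drop timestamps that fell out of the window.
        while recent and recent[0] < e["ts"] - window:
            recent.popleft()
        if len(recent) >= threshold:
            return {"first_ts": recent[0], "last_ts": e["ts"], "count": len(recent)}
    return None


def analyse(text):
    """Run both detections over raw telemetry text and return the findings."""
    events = [parse_event(l) for l in text.splitlines() if l.strip()]
    return {
        "office_powershell": detect_office_spawning_powershell(events),
        "spider_burst": detect_rename_burst(events),
    }


if __name__ == "__main__":
    for name, finding in analyse(SAMPLE_EVENTS).items():
        print(f"{name}: {finding}")
```

The process-lineage rule fires at the macro stage, before any file is touched, so it is the one worth alerting on; the rename-burst rule is a backstop that catches the encryptor once it is running and is what an automated response (isolating the host, killing the process) would hang off. Tune `window` and `threshold` to the host's normal rename rate before enabling a response action.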

The note tells the victim they've been infected with the Spider Virus and that they need to make a bitcoin payment for "the right key" in order to get their files back. The attackers also issue a threat that if the payment isn't received within 96 hours, their files will be deleted permanently. They add that victims shouldn't "try anything stupid" as the ransomware has "security measures" which delete the files if the victim tries to retrieve them without paying the ransom.

An additional note provides the victim with instructions on how to download the Tor browser required to access the payment site, how to generate a decryption tool, and how to purchase bitcoin.

"This may seem complicated to you, actually it's really easy", the note says, adding that there's also a video tutorial inside a 'help section'. It's common for ransomware distributors to provide this sort of 'service' to victims, because if the victims can't pay the ransom, the criminals won't make money from their campaign. The Spider ransomware is still being distributed in what researchers refer to as a "mid-scale campaign".

As well as educating employees about the danger of ransomware and backing up critical files, businesses can protect themselves from becoming infected by Spider, and many other forms of file-encrypting malware, by removing macros, which are used as an attack vector.

"In addition to disabling macros by default, users must also be cautious of documents that only contain a message to enable macros to view the contents and also not to execute unsigned macros and macros from untrusted sources," said Netskope's Amit Malik.

Because Spider is a brand new form of ransomware, there's currently no free decryption tool available for victims to retrieve files.

ZD Net
