Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

9/19/2017
04:15 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

New Spam Campaign Literally Doubles Down on Ransomware

An upgraded spam campaign alternates Locky and FakeGlobe ransomware, forcing victims to pay twice or lose all their data.

Cybercriminals have launched an upgraded spam campaign pushing both Locky and FakeGlobe ransomware variants in an apparent attempt to overwhelm their victims.

Back in September, Trend Micro researchers discovered a large spam campaign distributing the newest version of Locky ransomware. Since it first appeared in early 2016, Locky has evolved and spread through several distribution methods, specifically spam emails. Attackers have used increasingly sophisticated means to hit users with Locky in more than 70 countries.

They recently found Locky has been combined with FakeGlobe in a single campaign designed to rotate the two. Victims who click a link embedded in a spam email could be hit with Locky one hour, and then FakeGlobe the next. This campaign format heightens the possibility of reinfection, as targets hit with Locky remain vulnerable to FakeGlobe in the rotation.

These emails include a link and attachment disguised as bills or invoices to the user. The script in the attachment is similar to the one inside the archive downloaded from the link, but the two contain different binaries and connect to different URLs for downloads. One downloads a variant of Locky; the other downloads FakeGlobe, or "Globe Imposter," ransomware.

With Locky and FakeGlobe pushed alternately, victims' files can be re-encrypted with a different form of ransomware. This means targets will have to pay twice or permanently lose their data, a tactic their attackers are hoping will scare them into payment.

"When it comes to these types of attacks - ransomware attacks - it's all about speed and impact; something that can shock and awe," says Ed Cabrera, chief cybersecurity officer at Trend Micro. "They want to be able to attack as many individuals and organizations as they possibly can, and do it fairly quickly while having the biggest impact."

This particular campaign mostly affected users in Japan (25%), China (10%), and the United States (9%). Forty-five percent of the spam was distributed to more than 70 other countries. Distribution time overlaps with work hours, when more people are likely to be checking email.

Ultimately, says Cabrera, the attackers' motivation is financial gain. This campaign is a sign that threat actors are working on more aggressive means of achieving their goals.

"The intended outcome is to really scare their victims into believing there's no other option than paying," he explains. "The shock value is to improve their financial gain, to improve the odds of them being paid … if they overwhelm their intended victims, they believe they have a better chance."

This is not the first time researchers have seen download URLs pushing a rotation of different malware, as noted in a blog post on the discovery. However, past campaigns have pushed ransomware with information stealers and banking Trojans. The Locky/FakeGlobe combination was seen in a separate August campaign, which first pushed Locky and added FakeGlobe.

The combination of two variants is dangerous for businesses, which are forced to adjust their incident response processes to properly handle these threats. Any attack that increases the risk to operations is something organizations must dedicate time and resources to defend against.

"Each organization should have an incident response plan, but it should be ready for a massive ransomware attack," says Cabrera.

As campaigns work faster to deliver ransomware, as this one does, security teams must accelerate incident response. This means faster correspondence and collaboration with business units and executives, from PR to legal and outside counsel and forensics teams.

Cabrera anticipates more aggressive types of online extortion campaigns outside traditional ransomware. Attackers are also making campaigns more sophisticated with better graphic design in ransom notes and "customer service," or assistance with making payments, he adds.

"It's really the evolution of the criminal underground," he explains. "We've talked about crime-as-a-service for quite some time … these small criminal startups compete with each other to get as many customers as they possibly can."

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9498
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
CVE-2020-3282
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
CVE-2020-5909
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
CVE-2020-5910
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
CVE-2020-5911
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.