Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

9/19/2017
04:15 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

New Spam Campaign Literally Doubles Down on Ransomware

An upgraded spam campaign alternates Locky and FakeGlobe ransomware, forcing victims to pay twice or lose all their data.

Cybercriminals have launched an upgraded spam campaign pushing both Locky and FakeGlobe ransomware variants in an apparent attempt to overwhelm their victims.

Back in September, Trend Micro researchers discovered a large spam campaign distributing the newest version of Locky ransomware. Since it first appeared in early 2016, Locky has evolved and spread through several distribution methods, specifically spam emails. Attackers have used increasingly sophisticated means to hit users with Locky in more than 70 countries.

They recently found Locky has been combined with FakeGlobe in a single campaign designed to rotate the two. Victims who click a link embedded in a spam email could be hit with Locky one hour, and then FakeGlobe the next. This campaign format heightens the possibility of reinfection, as targets hit with Locky remain vulnerable to FakeGlobe in the rotation.

These emails include a link and attachment disguised as bills or invoices to the user. The script in the attachment is similar to the one inside the archive downloaded from the link, but the two contain different binaries and connect to different URLs for downloads. One downloads a variant of Locky; the other downloads FakeGlobe, or "Globe Imposter," ransomware.

With Locky and FakeGlobe pushed alternately, victims' files can be re-encrypted with a different form of ransomware. This means targets will have to pay twice or permanently lose their data, a tactic their attackers are hoping will scare them into payment.

"When it comes to these types of attacks - ransomware attacks - it's all about speed and impact; something that can shock and awe," says Ed Cabrera, chief cybersecurity officer at Trend Micro. "They want to be able to attack as many individuals and organizations as they possibly can, and do it fairly quickly while having the biggest impact."

This particular campaign mostly affected users in Japan (25%), China (10%), and the United States (9%). Forty-five percent of the spam was distributed to more than 70 other countries. Distribution time overlaps with work hours, when more people are likely to be checking email.

Ultimately, says Cabrera, the attackers' motivation is financial gain. This campaign is a sign that threat actors are working on more aggressive means of achieving their goals.

"The intended outcome is to really scare their victims into believing there's no other option than paying," he explains. "The shock value is to improve their financial gain, to improve the odds of them being paid … if they overwhelm their intended victims, they believe they have a better chance."

This is not the first time researchers have seen download URLs pushing a rotation of different malware, as noted in a blog post on the discovery. However, past campaigns have pushed ransomware with information stealers and banking Trojans. The Locky/FakeGlobe combination was seen in a separate August campaign, which first pushed Locky and added FakeGlobe.

The combination of two variants is dangerous for businesses, which are forced to adjust their incident response processes to properly handle these threats. Any attack that increases the risk to operations is something organizations must dedicate time and resources to defend against.

"Each organization should have an incident response plan, but it should be ready for a massive ransomware attack," says Cabrera.

As campaigns work faster to deliver ransomware, as this one does, security teams must accelerate incident response. This means faster correspondence and collaboration with business units and executives, from PR to legal and outside counsel and forensics teams.

Cabrera anticipates more aggressive types of online extortion campaigns outside traditional ransomware. Attackers are also making campaigns more sophisticated with better graphic design in ransom notes and "customer service," or assistance with making payments, he adds.

"It's really the evolution of the criminal underground," he explains. "We've talked about crime-as-a-service for quite some time … these small criminal startups compete with each other to get as many customers as they possibly can."

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
How Attackers Could Use Azure Apps to Sneak into Microsoft 365
Kelly Sheridan, Staff Editor, Dark Reading,  3/24/2020
Malicious USB Drive Hides Behind Gift Card Lure
Dark Reading Staff 3/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-10940
PUBLISHED: 2020-03-27
Local Privilege Escalation can occur in PHOENIX CONTACT PORTICO SERVER through 3.0.7 when installed to run as a service.
CVE-2020-10939
PUBLISHED: 2020-03-27
Insecure, default path permissions in PHOENIX CONTACT PC WORX SRT through 1.14 allow for local privilege escalation.
CVE-2020-6095
PUBLISHED: 2020-03-27
An exploitable denial of service vulnerability exists in the GstRTSPAuth functionality of GStreamer/gst-rtsp-server 1.14.5. A specially crafted RTSP setup request can cause a null pointer deference resulting in denial-of-service. An attacker can send a malicious packet to trigger this vulnerability.
CVE-2020-10817
PUBLISHED: 2020-03-27
The custom-searchable-data-entry-system (aka Custom Searchable Data Entry System) plugin through 1.7.1 for WordPress allows SQL Injection. NOTE: this product is discontinued.
CVE-2020-10952
PUBLISHED: 2020-03-27
GitLab EE/CE 8.11 through 12.9.1 allows blocked users to pull/push docker images.