Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

9/19/2017
04:15 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

New Spam Campaign Literally Doubles Down on Ransomware

An upgraded spam campaign alternates Locky and FakeGlobe ransomware, forcing victims to pay twice or lose all their data.

Cybercriminals have launched an upgraded spam campaign pushing both Locky and FakeGlobe ransomware variants in an apparent attempt to overwhelm their victims.

Back in September, Trend Micro researchers discovered a large spam campaign distributing the newest version of Locky ransomware. Since it first appeared in early 2016, Locky has evolved and spread through several distribution methods, specifically spam emails. Attackers have used increasingly sophisticated means to hit users with Locky in more than 70 countries.

They recently found Locky has been combined with FakeGlobe in a single campaign designed to rotate the two. Victims who click a link embedded in a spam email could be hit with Locky one hour, and then FakeGlobe the next. This campaign format heightens the possibility of reinfection, as targets hit with Locky remain vulnerable to FakeGlobe in the rotation.

These emails include a link and attachment disguised as bills or invoices to the user. The script in the attachment is similar to the one inside the archive downloaded from the link, but the two contain different binaries and connect to different URLs for downloads. One downloads a variant of Locky; the other downloads FakeGlobe, or "Globe Imposter," ransomware.

With Locky and FakeGlobe pushed alternately, victims' files can be re-encrypted with a different form of ransomware. This means targets will have to pay twice or permanently lose their data, a tactic their attackers are hoping will scare them into payment.

"When it comes to these types of attacks - ransomware attacks - it's all about speed and impact; something that can shock and awe," says Ed Cabrera, chief cybersecurity officer at Trend Micro. "They want to be able to attack as many individuals and organizations as they possibly can, and do it fairly quickly while having the biggest impact."

This particular campaign mostly affected users in Japan (25%), China (10%), and the United States (9%). Forty-five percent of the spam was distributed to more than 70 other countries. Distribution time overlaps with work hours, when more people are likely to be checking email.

Ultimately, says Cabrera, the attackers' motivation is financial gain. This campaign is a sign that threat actors are working on more aggressive means of achieving their goals.

"The intended outcome is to really scare their victims into believing there's no other option than paying," he explains. "The shock value is to improve their financial gain, to improve the odds of them being paid … if they overwhelm their intended victims, they believe they have a better chance."

This is not the first time researchers have seen download URLs pushing a rotation of different malware, as noted in a blog post on the discovery. However, past campaigns have pushed ransomware with information stealers and banking Trojans. The Locky/FakeGlobe combination was seen in a separate August campaign, which first pushed Locky and added FakeGlobe.

The combination of two variants is dangerous for businesses, which are forced to adjust their incident response processes to properly handle these threats. Any attack that increases the risk to operations is something organizations must dedicate time and resources to defend against.

"Each organization should have an incident response plan, but it should be ready for a massive ransomware attack," says Cabrera.

As campaigns work faster to deliver ransomware, as this one does, security teams must accelerate incident response. This means faster correspondence and collaboration with business units and executives, from PR to legal and outside counsel and forensics teams.

Cabrera anticipates more aggressive types of online extortion campaigns outside traditional ransomware. Attackers are also making campaigns more sophisticated with better graphic design in ransom notes and "customer service," or assistance with making payments, he adds.

"It's really the evolution of the criminal underground," he explains. "We've talked about crime-as-a-service for quite some time … these small criminal startups compete with each other to get as many customers as they possibly can."

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "The security team seem to be taking SiegeWare seriously" 
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-1114
PUBLISHED: 2019-12-05
A Cross-Site Scripting (XSS) vulnerability exists in LDAP Account Manager (LAM) Pro 3.6 in the filter parameter to cmd.php in an export and exporter_id action. and the filteruid parameter to list.php.
CVE-2012-1115
PUBLISHED: 2019-12-05
A Cross-Site Scripting (XSS) vulnerability exists in LDAP Account Manager (LAM) Pro 3.6 in the export, add_value_form, and dn parameters to cmd.php.
CVE-2012-1592
PUBLISHED: 2019-12-05
A local code execution issue exists in Apache Struts2 when processing malformed XSLT files, which could let a malicious user upload and execute arbitrary files.
CVE-2019-16770
PUBLISHED: 2019-12-05
A poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough.
CVE-2019-19609
PUBLISHED: 2019-12-05
The Strapi framework before 3.0.0-beta.17.8 is vulnerable to Remote Code Execution in the Install and Uninstall Plugin components of the Admin panel, because it does not sanitize the plugin name, and attackers can inject arbitrary shell commands to be executed by the execa function.