Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

9/19/2017
04:15 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

New Spam Campaign Literally Doubles Down on Ransomware

An upgraded spam campaign alternates Locky and FakeGlobe ransomware, forcing victims to pay twice or lose all their data.

Cybercriminals have launched an upgraded spam campaign pushing both Locky and FakeGlobe ransomware variants in an apparent attempt to overwhelm their victims.

Back in September, Trend Micro researchers discovered a large spam campaign distributing the newest version of Locky ransomware. Since it first appeared in early 2016, Locky has evolved and spread through several distribution methods, specifically spam emails. Attackers have used increasingly sophisticated means to hit users with Locky in more than 70 countries.

They recently found Locky has been combined with FakeGlobe in a single campaign designed to rotate the two. Victims who click a link embedded in a spam email could be hit with Locky one hour, and then FakeGlobe the next. This campaign format heightens the possibility of reinfection, as targets hit with Locky remain vulnerable to FakeGlobe in the rotation.

These emails include a link and attachment disguised as bills or invoices to the user. The script in the attachment is similar to the one inside the archive downloaded from the link, but the two contain different binaries and connect to different URLs for downloads. One downloads a variant of Locky; the other downloads FakeGlobe, or "Globe Imposter," ransomware.

With Locky and FakeGlobe pushed alternately, victims' files can be re-encrypted with a different form of ransomware. This means targets will have to pay twice or permanently lose their data, a tactic their attackers are hoping will scare them into payment.

"When it comes to these types of attacks - ransomware attacks - it's all about speed and impact; something that can shock and awe," says Ed Cabrera, chief cybersecurity officer at Trend Micro. "They want to be able to attack as many individuals and organizations as they possibly can, and do it fairly quickly while having the biggest impact."

This particular campaign mostly affected users in Japan (25%), China (10%), and the United States (9%). Forty-five percent of the spam was distributed to more than 70 other countries. Distribution time overlaps with work hours, when more people are likely to be checking email.

Ultimately, says Cabrera, the attackers' motivation is financial gain. This campaign is a sign that threat actors are working on more aggressive means of achieving their goals.

"The intended outcome is to really scare their victims into believing there's no other option than paying," he explains. "The shock value is to improve their financial gain, to improve the odds of them being paid … if they overwhelm their intended victims, they believe they have a better chance."

This is not the first time researchers have seen download URLs pushing a rotation of different malware, as noted in a blog post on the discovery. However, past campaigns have pushed ransomware with information stealers and banking Trojans. The Locky/FakeGlobe combination was seen in a separate August campaign, which first pushed Locky and added FakeGlobe.

The combination of two variants is dangerous for businesses, which are forced to adjust their incident response processes to properly handle these threats. Any attack that increases the risk to operations is something organizations must dedicate time and resources to defend against.

"Each organization should have an incident response plan, but it should be ready for a massive ransomware attack," says Cabrera.

As campaigns work faster to deliver ransomware, as this one does, security teams must accelerate incident response. This means faster correspondence and collaboration with business units and executives, from PR to legal and outside counsel and forensics teams.

Cabrera anticipates more aggressive types of online extortion campaigns outside traditional ransomware. Attackers are also making campaigns more sophisticated with better graphic design in ransom notes and "customer service," or assistance with making payments, he adds.

"It's really the evolution of the criminal underground," he explains. "We've talked about crime-as-a-service for quite some time … these small criminal startups compete with each other to get as many customers as they possibly can."

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: -when I told you that our cyber-defense was from another age
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-3349
PUBLISHED: 2019-11-19
lightdm before 0.9.6 writes in .dmrc and Xauthority files using root permissions while the files are in user controlled folders. A local user can overwrite root-owned files via a symlink, which can allow possible privilege escalation.
CVE-2019-10080
PUBLISHED: 2019-11-19
The XMLFileLookupService in NiFi versions 1.3.0 to 1.9.2 allowed trusted users to inadvertently configure a potentially malicious XML file. The XML file has the ability to make external calls to services (via XXE) and reveal information such as the versions of Java, Jersey, and Apache that the NiFI ...
CVE-2019-10083
PUBLISHED: 2019-11-19
When updating a Process Group via the API in NiFi versions 1.3.0 to 1.9.2, the response to the request includes all of its contents (at the top most level, not recursively). The response included details about processors and controller services which the user may not have had read access to.
CVE-2019-12421
PUBLISHED: 2019-11-19
When using an authentication mechanism other than PKI, when the user clicks Log Out in NiFi versions 1.0.0 to 1.9.2, NiFi invalidates the authentication token on the client side but not on the server side. This permits the user's client-side token to be used for up to 12 hours after logging out to m...
CVE-2019-19126
PUBLISHED: 2019-11-19
On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR ...