A new strain of ransomware discovered by security researchers encrypts files and gives victims a 96-hour deadline to pay the ransom.
The “mid-scale” campaign was first discovered on December 10, targeting users in the Balkans and the Bosnia and Herzegovina region. The campaign spreads via phishing emails with a subject line reading “Debt Collection” and a malicious Office document attachment containing obfuscated code that, if macros are enabled, launches PowerShell to download the initial stage of the ransomware payload from a malicious host’s website.
When executed, the PowerShell script decodes a Base64 string and performs further operations to decode the final payloads, which are saved as executable files. These executables contain the ransomware encryptor. When PowerShell launches the encryptor, the malicious code encrypts the user’s files, appends a “spider” extension to each one, and drops a ransom note.
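The infection chain above (Office macro spawning PowerShell with an encoded command, then mass renaming of files to the “spider” extension) is something defenders can look for in endpoint telemetry. The following is an added example, not code from the article or from the researchers who analysed the sample; the process and file events, process names and threshold are constructed for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Parent/child pairs that match the described chain: Office document -> PowerShell.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# -e/-ec/-enc/-EncodedCommand followed by a Base64 blob, as used to hide the stager.
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")
# Common PowerShell download primitives that fetch a next-stage payload.
DOWNLOAD_CRADLE = re.compile(r"(?i)downloadfile|downloadstring|invoke-webrequest|\biwr\b")

@dataclass
class ProcEvent:           # minimal Sysmon-style process-create record (constructed)
    parent_image: str
    image: str
    command_line: str

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_process(ev: ProcEvent) -> list[str]:
    """Return the suspicious traits of one process-create event (empty list = benign)."""
    hits = []
    if _basename(ev.parent_image) in OFFICE_PARENTS and _basename(ev.image) in SHELLS:
        hits.append("office-spawned-powershell")
        if ENCODED_ARG.search(ev.command_line):
            hits.append("base64-encoded-command")
        if DOWNLOAD_CRADLE.search(ev.command_line):
            hits.append("download-cradle")
    return hits

def spider_renames(file_events: list[tuple[str, str, str]], threshold: int = 5) -> dict[str, int]:
    """Count, per process, files renamed to the 'spider' extension and return only the
    processes at or above the threshold: a mass-encryption signal rather than a one-off."""
    counts = Counter(proc for proc, old, new in file_events
                     if new.lower().endswith(".spider") and not old.lower().endswith(".spider"))
    return {proc: n for proc, n in counts.items() if n >= threshold}

# Constructed sample telemetry; the Base64 argument is a placeholder, not a real stager.
SAMPLE_PROCS = [
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe Get-Process"),
]
SAMPLE_FILES = [("enc.exe", f"C:\\Users\\u\\Docs\\{i}.docx", f"C:\\Users\\u\\Docs\\{i}.docx.spider")
                for i in range(6)] + [("explorer.exe", r"C:\tmp\a.txt", r"C:\tmp\a.bak")]
```

Either signal on its own is noisy in some environments; the Office-to-PowerShell chain with an encoded command is the earlier and more actionable of the two, since it fires before any file is encrypted.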
“In addition to disabling macros by default, users must also be cautious of documents that only contain a message to enable macros to view the contents and also not to execute unsigned macros and macros from untrusted sources,” said Netskope’s Amit Malik.
“Original content of your files are wiped and overwritten with encrypted data so it cannot be recovered using any conventional data recovery tool,” the ransomware note reads. “The good news is that there is still a chance to recover your files, you just need to have the right key.”
Further, the ransomware also monitors the system’s processes and prevents the user from opening any Windows utilities.
“Remember, do not try anything stupid,” the ransom note reads, with the cybercriminals threatening to permanently delete the user’s files if they do not receive payment within 96 hours.
An additional note instructs the victim on how to download the Tor browser needed to access the perpetrators’ payment site, how to generate a decryption tool, and how to purchase bitcoin, a cryptocurrency.
Since the ransomware is a relatively new strain, no free decryption tool is yet available to help victims regain access to their files.