
Double trouble: This ransomware campaign could infect your PC with two types of file-locking malware



Victims around the world hit by criminals who can switch the malicious payload of emails between Locky and FakeGlobe on a whim.


Being infected by one form of ransomware is bad enough, but those unfortunate to fall victim to a new cybercriminal campaign could find themselves having to pay to decrypt their files not once, but twice.

 

While a widespread email spam campaign intended to distribute ransomware isn't anything new, those behind a scheme detected during September have added a twist to this tried and tested technique: rotating the ransomware payload.

 

The two forms of ransomware distributed by this scheme are Locky - which has recently seen something of a resurgence - and FakeGlobe, which first appeared in June.

Those behind the campaign have designed it so the payload can be swapped, meaning the spam email might deliver Locky one hour then FakeGlobe the next.

 

Uncovered by cyber security researchers at Trend Micro, the nature of the campaign means it's possible for victims infected by one form of ransomware to still be vulnerable to a further attack from the next one in the rotation.

 

While it isn't the first time the same malicious servers have been seen to serve different malware in rotation - attackers have previously paired the likes of Trojans with ransomware - doubling up on ransomware was previously uncommon. This new development is dangerous for victims who could give in and pay a ransom, only to find that they become infected again.

 

Hundreds of thousands of phishing emails disguised as bills and online invoices were distributed to potential victims around the world, encouraging the target to click on a link to view a bill.

 

That link leads to a zip file which, once opened, runs a script that connects to a URL to download the ransomware payload - Locky or FakeGlobe.
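The infection chain above (link, zip archive, script inside the archive, download of the payload) is the kind of lure a mail gateway can screen for before a user ever opens it. The following is an added example written for this repost, not code from the article or from Trend Micro: it inspects a zip attachment in memory and flags members whose extension is a script type, or nested archives, so the message can be quarantined. The list of extensions is an assumption on my part; the article only says the archive "runs a script" without naming the script type, and the sample archives are constructed inline.

```python
import io
import zipfile
from typing import Dict, List

# Assumed set of script extensions commonly used as downloader lures inside zip
# attachments. The article does not say which script type this campaign used,
# so treat this list as a starting point, not a description of the campaign.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".cmd", ".bat"}
NESTED_ARCHIVE_EXTENSIONS = {".zip", ".7z", ".rar"}


def risky_members(zip_bytes: bytes) -> List[str]:
    """Return the names of archive members a gateway should block or unpack further.

    A member is flagged when its final extension is a script type (this also
    catches double-extension names such as "invoice.pdf.js") or when it is a
    nested archive that would need recursive inspection.
    """
    findings: List[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
            if ext in SCRIPT_EXTENSIONS or ext in NESTED_ARCHIVE_EXTENSIONS:
                findings.append(info.filename)
    return findings


def classify_attachment(zip_bytes: bytes) -> str:
    """Map an attachment to a gateway verdict: "allow", "block", or "block-unreadable".

    An archive that cannot be parsed is blocked too: a corrupted or deliberately
    malformed archive may still open in a more permissive client-side unpacker.
    """
    try:
        flagged = risky_members(zip_bytes)
    except zipfile.BadZipFile:
        return "block-unreadable"
    return "block" if flagged else "allow"


def build_sample_zip(members: Dict[str, bytes]) -> bytes:
    """Construct an in-memory zip archive from {member name: content} for testing."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, content in members.items():
            archive.writestr(name, content)
    return buffer.getvalue()


if __name__ == "__main__":
    # Constructed samples: a script lure dressed up as an invoice, and a benign PDF.
    lure = build_sample_zip({"invoice_4471.pdf.js": b"// constructed placeholder, not real malware"})
    clean = build_sample_zip({"invoice_4471.pdf": b"%PDF-1.4 constructed placeholder"})
    print("lure:", classify_attachment(lure), risky_members(lure))
    print("clean:", classify_attachment(clean), risky_members(clean))
    print("garbage:", classify_attachment(b"not a zip archive"))
```

Extension matching is deliberately simple; a production gateway would also look at the member's content (for example, a text member that is actually script regardless of its name) and recurse into nested archives rather than merely flagging them.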

 

Researchers believe that the payload changes every few hours, meaning that it's possible for one computer on a network to become infected with ransomware - and give in to the ransom demand - before someone else on the network falls victim to the other ransomware a few hours later.

 

"Since Locky and FakeGlobe are being pushed alternately, files can be re-encrypted with a different ransomware. Victims will have to pay twice or worse, lose their data permanently," said Trend Micro researchers.

 

While exact figures for the number of infections by this campaign aren't known, it's thought that using this distribution method to deliver ransomware in rotation has infected users in more than 70 countries, including Japan, China, the United States and Germany.

 

This latest development is a stark reminder that, while it's already a successful enterprise for criminals, ransomware is always evolving.

 

Since the campaign, Locky itself has evolved once again, with a researcher at Stormshield uncovering a new variant of the ransomware, Ykcol, whose name is Locky spelled backwards.

Previous new variants which have appeared in recent times include Diablo and Lukitus.


Source:

http://www.zdnet.com/article/double-trouble-this-ransomware-campaign-could-infect-your-pc-with-two-types-of-file-locking-malware/#ftag=RSSbaffb68
