Threat research labs have detected a new ransomware family, named Spider, propagating in a mid-scale campaign. The ‘Spider Virus’ ransomware was first observed in this ongoing campaign on December 10.
Like much ransomware, the attack begins with a malicious email sent to potential victims. The email subjects and the lure documents indicate that the threat actor is targeting victims in the Bosnia and Herzegovina region.
The attackers also threaten that if payment is not received within 96 hours, the victim’s files will be deleted permanently. They add that victims shouldn’t “try anything stupid”, because the ransomware has “security measures” that delete the files if the victim tries to recover them without paying the ransom.
The malicious Microsoft Office attachment contains obfuscated macro code. If macros are enabled, the macro launches PowerShell to download the first stage of the ransomware payload from a hosting website. The PowerShell script then decodes a Base64 string and performs further decoding operations to produce the final payload, a .exe file containing the Spider ransomware encryptor.
PowerShell then launches the encryptor, which encrypts the user’s files, appends a ‘.spider’ extension to them, and displays a ransom note. The Spider ransomware also keeps a list of the files it has encrypted in a file named ‘files.txt’.
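The infection chain above gives defenders two concrete places to look: an Office process spawning PowerShell with download and Base64-decode indicators, and the encryptor’s own artifacts on disk. The PowerShell below is an added example, not code from the original report or from the researchers. It flags Office-spawned PowerShell in Sysmon-style process-creation records and scans a directory for the ‘.spider’ extension together with ‘files.txt’. The field names (ParentImage, Image, CommandLine), the indicator list and the sample records are assumptions constructed for this example.

```powershell
# Added example (not from the original report): hunt for both stages of the chain.
#   Stage 1: Office parent process spawning PowerShell with download/Base64 indicators.
#   Stage 2: files carrying the .spider extension plus the encryptor's files.txt list.
# Assumption: records carry Sysmon-style ParentImage, Image and CommandLine fields.

$officeParents    = @('WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE')
$suspiciousTokens = @('-EncodedCommand', '-enc ', 'FromBase64String', 'DownloadString',
                      'DownloadFile', 'Net.WebClient', 'Invoke-WebRequest', 'Start-BitsTransfer')

function Test-OfficeSpawnedPowerShell {
    param([Parameter(Mandatory)][pscustomobject]$Event)

    $parent = [System.IO.Path]::GetFileName([string]$Event.ParentImage).ToUpperInvariant()
    $child  = [System.IO.Path]::GetFileName([string]$Event.Image).ToLowerInvariant()

    if ($officeParents -notcontains $parent)           { return $false }
    if ($child -notin @('powershell.exe', 'pwsh.exe')) { return $false }

    # -match is case-insensitive; escape each token so '-enc ' and '.' stay literal
    $hits = foreach ($t in $suspiciousTokens) {
        if ([string]$Event.CommandLine -match [regex]::Escape($t)) { $t }
    }
    return [bool]$hits
}

function Find-SpiderArtifacts {
    param([Parameter(Mandatory)][string]$Path)

    $encrypted = @(Get-ChildItem -Path $Path -Recurse -File -Filter '*.spider' -ErrorAction SilentlyContinue)
    $lists     = @(Get-ChildItem -Path $Path -Recurse -File -Filter 'files.txt' -ErrorAction SilentlyContinue)

    # files.txt on its own is a weak indicator; require both artifacts before alerting
    [pscustomobject]@{
        Path           = $Path
        EncryptedCount = $encrypted.Count
        FileLists      = $lists.FullName
        Suspected      = ($encrypted.Count -gt 0 -and $lists.Count -gt 0)
    }
}

# Constructed sample records: a benign Word print-spooler child, then a Spider-style chain.
# 'SQBFAFgA' is just "IEX" in UTF-16LE Base64, a common -enc prefix; it is not a real payload.
$sampleEvents = @(
    [pscustomobject]@{
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        Image       = 'C:\Windows\splwow64.exe'
        CommandLine = 'C:\Windows\splwow64.exe 12288'
    },
    [pscustomobject]@{
        ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = 'powershell.exe -nop -w hidden -enc SQBFAFgA'
    }
)

$sampleEvents | Where-Object { Test-OfficeSpawnedPowerShell -Event $_ } |
    ForEach-Object { "ALERT Office->PowerShell: $($_.CommandLine)" }

Find-SpiderArtifacts -Path $env:USERPROFILE | Format-List
```

On a real host, feed Test-OfficeSpawnedPowerShell the objects you build from Sysmon Event ID 1 (for example via Get-WinEvent on the Microsoft-Windows-Sysmon/Operational log) rather than the constructed records; the parent-process check is what separates this chain from an administrator running PowerShell by hand.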
Once Spider has encrypted the files, a warning message is displayed. The warning window offers language translation in its user interface and gives step-by-step instructions on how to decrypt the files. It also provides a help section with links and references to the resources needed to make the payment to the attacker.
The researchers also recommend the following measures to combat this and similar threats:
Regularly back up critical content and turn on versioning for it in cloud services
Enable display of known file extensions on Windows machines (uncheck “Hide extensions for known file types”)
Warn users to avoid executing any file unless they are very sure it is benign
Warn users against opening untrusted attachments, regardless of their extensions or filenames
Warn users to avoid executing unsigned macros and macros from an untrusted source, unless they are very sure they are benign
Enterprise users should always keep their systems and antivirus updated with the latest releases and patches.
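Two of the recommendations above (showing known file extensions, and not running unsigned macros) can be enforced on the endpoint instead of left to user judgement. The PowerShell below is an added example, not configuration from the original report or the researchers. It assumes Office 2016/2019/Microsoft 365, which use the 16.0 registry version key, and writes the Group Policy-backed per-user hive; the function and parameter names are this example’s own.

```powershell
# Added example (not from the original report): enforce the file-extension and
# macro recommendations on one Windows host. Assumes Office version key 16.0 and the
# per-user Policies hive; run as the user being hardened or push the same values via GPO.
# Supports -WhatIf to preview changes.

function Set-MacroLureHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$OfficeVersion = '16.0',
        [string[]]$Apps = @('Word', 'Excel', 'PowerPoint')
    )

    # 1. Explorer: show extensions so "Invoice.pdf.exe" is visible as an executable.
    $explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    if ($PSCmdlet.ShouldProcess($explorer, 'HideFileExt = 0')) {
        Set-ItemProperty -Path $explorer -Name HideFileExt -Value 0 -Type DWord
    }

    # 2. Office: VBAWarnings 3 = disable all macros except digitally signed ones;
    #    blockcontentexecutionfrominternet 1 = block macros in files marked as from the web.
    foreach ($app in $Apps) {
        $sec = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        if ($PSCmdlet.ShouldProcess($sec, 'VBAWarnings = 3; blockcontentexecutionfrominternet = 1')) {
            if (-not (Test-Path $sec)) { New-Item -Path $sec -Force | Out-Null }
            Set-ItemProperty -Path $sec -Name VBAWarnings -Value 3 -Type DWord
            Set-ItemProperty -Path $sec -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
        }
    }
}

function Get-MacroLureHardening {
    param(
        [string]$OfficeVersion = '16.0',
        [string[]]$Apps = @('Word', 'Excel', 'PowerPoint')
    )

    # Read the same values back so the state can be audited after deployment.
    $explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $hide = (Get-ItemProperty -Path $explorer -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
    [pscustomobject]@{ Setting = 'Explorer HideFileExt'; Value = $hide; Compliant = ($hide -eq 0) }

    foreach ($app in $Apps) {
        $sec = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $p   = Get-ItemProperty -Path $sec -ErrorAction SilentlyContinue
        [pscustomobject]@{ Setting = "$app VBAWarnings";                       Value = $p.VBAWarnings;                       Compliant = ($p.VBAWarnings -eq 3) }
        [pscustomobject]@{ Setting = "$app blockcontentexecutionfrominternet"; Value = $p.blockcontentexecutionfrominternet; Compliant = ($p.blockcontentexecutionfrominternet -eq 1) }
    }
}

Set-MacroLureHardening -WhatIf
Get-MacroLureHardening | Format-Table -AutoSize
```

Values written under the Policies hive override whatever a user picks in the Trust Center, which is the point: the page’s advice to “avoid executing unsigned macros” becomes a setting the user cannot click past. Drop -WhatIf to apply the changes, and re-run Get-MacroLureHardening to confirm every row reports Compliant.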