The New Ransomware Spider


Spider is a new ransomware family targeting victims in the Balkans in what researchers describe as a “mid-scale” campaign.

The Spider ransomware is unusual in that victims are given a 96-hour deadline to pay. The attackers also attempt to calm victims, assuring them that the ransom payment and file recovery process will be “really easy.” They go one step further and provide a link to a video tutorial showing how the Spider payment and file recovery process works.

Netskope Threat Research Labs first spotted the campaign on Dec. 10 and shared its findings in a blog post on Tuesday.

Victims are targeted with malicious Office documents sent as attachments in an email phishing campaign whose subject line reads “Debt Collection”, a Google Translate rendering of the Bosnian-language phrase “Potrazivanje dugovanja”.

“These attachments are auto-synced to the enterprise cloud storage and collaboration apps. Netskope Threat Protection detects the decoy document as ‘VB: Trojan.VBA.Agent.QP’ and the downloaded payload as ‘Trojan.GenericKD.12668779’ and ‘Trojan.GenericKD.6290916,’” wrote Netskope researchers.

The malicious Office documents are written in Bosnian and contain obfuscated code, according to researchers. If the malicious code is executed, Windows PowerShell launches with instructions to download a Base64-encoded malicious payload hosted on a free hosting site.

“After downloading the payloads, the PowerShell script decodes the Base64 string and performs an XOR operation with the key ‘AlberTI’ to decode the final payloads, which are later saved into executable (.exe) files,” researchers wrote. “The decoded payloads named ‘dec.exe’ and ‘enc.exe’ compiled in .NET are copied to the ‘%APPDATA% /Spider’ directory.”
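As an added example (not Netskope's code and not the dropper's script), the following Python decoder reverses the two-stage Base64-then-XOR staging described above, so an analyst can recover and sanity-check the dropped executables from a captured blob. That the key ‘AlberTI’ is applied as a repeating-key XOR is an assumption (the write-up does not say how the key is cycled), and the sample blob is constructed here from a dummy buffer rather than taken from real malware.

```python
import base64
from itertools import cycle

# Key quoted in the Netskope write-up. Applying it as a repeating-key XOR
# is an assumption; the article does not spell out the key schedule.
XOR_KEY = b"AlberTI"
PE_MAGIC = b"MZ"


def xor_with_key(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """XOR every byte of data against the key, cycling the key as needed.
    XOR is its own inverse, so the same call encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decode_spider_payload(b64_blob: str, key: bytes = XOR_KEY) -> bytes:
    """Reverse the staging described in the article:
    Base64 text -> raw bytes -> XOR with key -> executable bytes."""
    raw = base64.b64decode(b64_blob, validate=True)
    return xor_with_key(raw, key)


def looks_like_pe(data: bytes) -> bool:
    """A correctly decoded .NET executable starts with the 'MZ' DOS header;
    a wrong key or a truncated blob will not."""
    return data[:2] == PE_MAGIC


def analyze_blob(b64_blob: str, key: bytes = XOR_KEY) -> dict:
    """Decode a blob and report whether the result is a plausible PE, so the
    key can be confirmed before anything is written to disk."""
    decoded = decode_spider_payload(b64_blob, key)
    return {"size": len(decoded), "is_pe": looks_like_pe(decoded),
            "head": decoded[:2]}


# Constructed sample: a stand-in for the encoded enc.exe stage, built here by
# applying the same XOR-then-Base64 encoding to a dummy MZ-headed buffer.
SAMPLE_EXE = b"MZ" + b"\x90\x00" * 6 + b"This program cannot be run in DOS mode."
SAMPLE_B64 = base64.b64encode(xor_with_key(SAMPLE_EXE)).decode("ascii")

if __name__ == "__main__":
    print(analyze_blob(SAMPLE_B64))                # is_pe True with the right key
    print(analyze_blob(SAMPLE_B64, key=b"wrong"))  # is_pe False: key mismatch
```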

According to Netskope, the binary “enc.exe” is the ransomware encryptor and “dec.exe” is the decryptor. The encryptor (enc.exe) encrypts the user’s files using AES encryption and appends the “.spider” extension to encrypted files.

Once files are encrypted, a ransom note is displayed warning that the victim has only 96 hours to pay the ransom in bitcoin to obtain the key to decrypt their files. “You have to be fast, after 96 hours the key will be blocked and all your files will remain permanently encrypted… do not try anything stupid, the program has several security measures to delete all your files and cause the damage to your PC,” according to the note.

The attackers also walk victims through the payment process, from how to use the Tor Browser to how to obtain bitcoin for payment. If victims are still confused, the ransomware provides a link to a tutorial video hosted on a video sharing service.

“The video provides instructions to decrypt victims’ files. We suspect that the video was most likely uploaded by the threat actor group of Spider,” researchers wrote.
