This post authored by Nick Biasini and Edmund Brumaghin with contributions from Sean Baird and Andrew Windsor.
Executive Summary
Talos is continuously analyzing email based malware always looking at how adversaries change and the new techniques that are being added on an almost constant basis. Recently we noticed some novel ways that adversaries are leveraging Google and Tor2Web proxies to spread a ransomware variant, Cerber 5.0.1.
This particular campaign looks to have started on November 24th and has been ongoing for the past several days. This campaign did not use advanced techniques that we sometimes see used by adversaries that include well written, professional looking emails, with legitimate signature blocks or other identifying characteristics. In this campaign, the emails were anything but professional. However, they did vary significantly with what we typically see from a ransomware distribution perspective.
Today, spam based ransomware infections are heavily skewed toward Locky. The majority of spam messages we see today are affiliates producing large amounts of spam that leverage various types of script-based file extensions to download the Locky executable and infect systems. This campaign looked different in that the messages didn’t contain an attachment and were extremely short and basic. What we found was a potential next evolution for ransomware distribution that relies more heavily on Tor to obfuscate their activity and hinder the ability to shut down servers that are hosting the malicious content.
This is amazing. My colleague just had this kind of experience this week. he trying to use recovery tools to get its files back.
Threats like these are so real and folks don’t take it seriously. My co-author and I try to add some real use scenarios in The Enigma Factor, The Enigma Gamers, and others in the series to help explain the ramifications of hacker success versus the masses.