Spider Ransomware


As numerous security research papers have pointed out, ransomware is a lucrative cybercriminal tactic. In 2017 alone, malware caused upwards of $5 billion in damages, and that number is only expected to climb as long as ransomware keeps proving effective. The unfortunate reality is that ransomware remains a highly effective form of attack because of the social engineering behind it and the gullibility of its victims. The malicious software comes in numerous styles and targets many audiences, and reports now show that yet another variant has joined the mix. In a report by Netskope's Amit Malik, the security researcher detailed a nasty form of ransomware targeting users in the Balkan region. Named Spider ransomware by researchers, the malware is launched from fake Microsoft Office documents sent as email attachments with the Bosnian subject line "potrazivanje dugovanja," which means "debt collection." The malicious documents launch Spider's payload, which is also written in Bosnian, so the main targets are evidently citizens of Bosnia and Herzegovina.

The payload is delivered by a hidden macro in the document, which quietly launches PowerShell to download and run the next stage. The macro code is shown in the screenshot below:

[Image: Spider ransomware macro code (source: Netskope)]

Netskope analyzed the infection process even further, stating:

After downloading the payloads, the PowerShell script decodes the Base64 string and performs an XOR operation with the key "AlberTI" to decode the final payloads, which are later saved into executable (.exe) files. The decoded payloads named "dec.exe" and "enc.exe", compiled in .NET, are copied to the "%APPDATA% /Spider" directory.
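The two-step decoding Netskope describes (Base64 decode, then XOR with the key "AlberTI") is exactly what an analyst needs to reverse when a captured PowerShell stage is found on a host. The following Python script is an added example written for this article, not code from Netskope or from the malware; it reproduces the decoding routine on a constructed sample blob (a fake "MZ" header plus filler, not the real payload) and adds the sanity check an analyst would apply to confirm the output is a Windows executable.

```python
import base64

# Key named in the Netskope report; the XOR is applied with the key repeating cyclically.
XOR_KEY = b"AlberTI"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR every byte of data with the repeating key. XOR is its own inverse,
    so the same function both obfuscates and de-obfuscates."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_payload(b64_text: str, key: bytes = XOR_KEY) -> bytes:
    """Mirror the two steps in the report: Base64-decode the downloaded
    string, then XOR the result with the key to recover the executable."""
    raw = base64.b64decode(b64_text)
    return xor_with_key(raw, key)


def looks_like_pe(data: bytes) -> bool:
    """Analyst sanity check: a decoded Windows executable starts with the
    'MZ' DOS header magic. A wrong key or wrong step order fails this."""
    return data[:2] == b"MZ"


def encode_for_demo(plain: bytes, key: bytes = XOR_KEY) -> str:
    """Build a constructed sample blob (XOR, then Base64) so the example runs
    offline. This is a stand-in for the downloaded string, NOT the real payload."""
    return base64.b64encode(xor_with_key(plain, key)).decode("ascii")


# Constructed stand-in for a downloaded payload: fake MZ header followed by filler text.
SAMPLE_PLAIN = b"MZ" + b"\x90\x00\x03\x00" + b"constructed-sample-not-a-real-binary"
SAMPLE_BLOB = encode_for_demo(SAMPLE_PLAIN)


if __name__ == "__main__":
    decoded = decode_payload(SAMPLE_BLOB)
    print("decoded length:", len(decoded))
    print("PE header present:", looks_like_pe(decoded))
```

When applying this to a real captured stage, the Base64 string would be extracted from the PowerShell script and passed to `decode_payload`; a decoded blob that does not start with "MZ" usually means the key or the step order in the sample differs from what the report describes.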

Soon all of the files on the machine are encrypted and users are met with the message below:

[Image: Spider ransomware message (source: Netskope)]

Users who decide to pay the ransom are then given a walkthrough of how to decrypt their files, as seen below:

[Image: Spider ransomware decryption walkthrough (source: Netskope)]

To lower the risk of a Spider ransomware infection, Netskope first recommends disabling macros by default and exercising caution with any attachment (which is just common sense). Ultimately, the macro-based ransomware attack is a long-standing issue that keeps resurfacing because it is still enormously effective. The only way ransomware like Spider will go away is for users to become educated in maintaining a continuously defensive posture whenever they use a computer.
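Beyond disabling macros, the infection chain described in this article (an Office document whose macro spawns PowerShell to fetch a payload) leaves a distinctive process-creation trail that defenders can alert on. The following Python script is an added example for this article, not code from Netskope; it runs a simple scoring rule over constructed Sysmon-style process-creation events (the field names `ParentImage`, `Image`, `CommandLine`, `UtcTime` and `ProcessId` are assumed to follow Sysmon's Event ID 1 layout, and the log lines themselves are made up for the demo). It flags Office applications launching a script host and adds weight for download or hidden-window arguments, so a benign Word-spawned print helper or an administrator's scheduled script does not fire.

```python
import json

# Office applications that should not normally be launching script hosts.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Script hosts and LOLBins commonly used as the macro's second stage.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Command-line markers typical of download-and-execute stagers (matched case-insensitively).
SUSPICIOUS_ARGS = (
    "-enc", "downloadstring", "downloadfile", "frombase64string",
    "-w hidden", "-windowstyle hidden", "-nop", "bypass",
)


def image_name(path: str) -> str:
    """Reduce a full image path to its lower-cased file name."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event: dict):
    """Return (score, reasons) for one process-creation event. Each matching
    indicator adds one point; the Office-to-script-host parent/child pair is
    the strongest single signal."""
    reasons = []
    parent = image_name(event.get("ParentImage", ""))
    child = image_name(event.get("Image", ""))
    cmd = event.get("CommandLine", "").lower()
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        reasons.append(f"office app {parent} spawned script host {child}")
    for marker in SUSPICIOUS_ARGS:
        if marker in cmd:
            reasons.append(f"command line contains {marker!r}")
    return len(reasons), reasons


def find_alerts(lines, threshold: int = 2):
    """Parse JSON log lines and return (UtcTime, ProcessId, reasons) for every
    event whose score reaches the threshold. Malformed lines are skipped."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        score, reasons = score_event(event)
        if score >= threshold:
            alerts.append((event.get("UtcTime"), event.get("ProcessId"), reasons))
    return alerts


# Constructed sample events (not real telemetry). Only the second one should alert.
SAMPLE_LOG = [json.dumps(e) for e in [
    {"UtcTime": "2017-12-11 09:01:02", "ProcessId": 4100,
     "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe", "CommandLine": "splwow64.exe 12288"},
    {"UtcTime": "2017-12-11 09:01:05", "ProcessId": 4242,
     "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc <BASE64_PLACEHOLDER>"},
    {"UtcTime": "2017-12-11 09:05:00", "ProcessId": 5120,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"UtcTime": "2017-12-11 09:06:00", "ProcessId": 5300,
     "ParentImage": r"C:\Program Files\Microsoft Office\Office16\OUTLOOK.EXE",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c echo hi"},
]]


if __name__ == "__main__":
    for when, pid, why in find_alerts(SAMPLE_LOG):
        print(f"{when} pid={pid}: " + "; ".join(why))
```

The threshold is deliberately above one so that an Office application spawning a script host with an innocuous command line is recorded but not paged on; in a real deployment the events would come from the SIEM rather than an inline list, and the marker list should be tuned to the organisation's own administrative scripts.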