The Trend Micro security team warns that a brand new type of ransomware is being spread out via a Netflix login generator.
Netflix has always been among the high-priority targets of hackers. There are 93 million users in its subscriber base, situated in more than 190 countries, and its stolen credentials can be abused in a number of different ways.
Cyber criminals often try to monetize compromised accounts by selling them on the dark web or by exploiting server vulnerabilities, as well as for the distribution of Trojans to steal the financial and personal information of PC users.
The latest method in which miscreants are leveraging stolen Netflix credentials is the so called “ransomware distribution”, and this attack method is rather straightforward. The interested parties are lured with free Netflix accounts via a login generator which has been packed with malicious code.
The new ransomware has been registered as RANSOM_ NETIX.A, it’s targeting Windows 7 and Windows 10 computers and immediately terminates itself if it runs on a different platform version.
The Trend Micro team claims that the login generator is usually used in software and account membership piracy, which can be seen on websites for cracked applications.
Once the PC user executes the Netflix login generator, the executable makes another copy of itself (netprotocol.exe) and executes. The main window of the program offers users a button to generate logins, which displays another prompt window as soon as someone clicks it.
Most probably, the second window displays the login information of a genuine Netflix account. Nevertheless, these promps and windows are fake, and the ransomware uses them only to distract users while the virus has already started to encrypt files in the background.
According to the security experts, the malware targets 39 file types which could be found under the C:\Users directory. Also, the ransomware uses AES-256 encryption and appends the .se extension to the affected files.
When completing the encryption process, the malware displays ransom notes to the victims, demanding $100 worth of Bitcoin (0.18 BTC).
Besides, the malware was observed connecting to its command and control (C&C) servers to send and receive information (customizing the ID number, for instance) and to download the ransom notes. One of these notes is set as the wallpaper of the infected computer.
“Malefactors are diversifying the personal accounts they target. Phished Netflix accounts, for instance, are an attractive commodity because one can be used simultaneously by different IP addresses. In turn, the victim doesn’t immediately notice the fraud—as long as it’s not topping the device limit. This highlights the significance for end users to keep their subscription accounts safe from crooks,” Trend Micro states.
The incident implies the importance of keeping a good account security to ensure that one’s credentials don’t end up being used by malicious actors, or by the risks related to the pirating content. In other words, users should not only consider the ransom amount when thinking about ransomware, but also the fact that there is a possibility which they might never get their files back, even if they pay.
“Bad guys need only hack a modicum of weakness for which no patch is available—the human psyche. Social engineering is a vital component in this scam, so users should be smarter: don’t download or click ads promising the impossible. If the deal sounds too good to be true, it usually is,” Trend Micro notes.
