Italy is experiencing a rash of ransomware attacks that play dark German rock music while encrypting victims' files.
The musical ransomware, called FTCode, was detected by security analysts at AppRiver in malicious email campaigns directed at Italian Office 365 customers.
Targeted inboxes have received emails with malicious content posing as resumes, invoices, or documents scans. The emails include a Visual Basic script (.vbs) file that downloads and blasts out Rammstein hits while encrypting files on the victim's computer.
"The .vbs file initially launches PowerShell to download and play an mp3 file from archive.org. At first glance, we suspected it was just a renamed file extension for malware, a common practice to help evade some network gateways. However, we were amused to find it launches a Rammstein song mix," wrote AppRiver researchers.
As victims are treated to rousing renditions of "Du Hast" and "Engel," the script reaches out to a different domain to pull down a Jasper malware loader. This .vbs file enables threat actors to load additional malware of their choosing.
Once the files on the user's computer have been encrypted, a note is left on the victim's desktop, directing the user to download, install, and visit an onion site for further instructions.
In an attempt to establish trust with the user and show that decryption is actually possible, the onion site offers the visitor a chance to test file decryption with one file before they pay the full ransom.
The cost of the ransom is set at $500 if paid within the first three days, after which it rapidly increases to $25,000.
David Pickett, security analyst at AppRiver, warned users not to take risks on links sent by strangers and to be particularly wary of any content that asks to be enabled.
He said: "Users should be vigilant to never click on or open unsolicited links or documents, especially with file types they aren’t familiar with, such as script files (.vbs, .js, .ps1, .bat, etc.).
"Any Office file that, once opened, urges the user to Enable Content or Enable Editing should be treated with the utmost caution and verified from the sender out of band before doing so. If the file is malicious, enabling content or editing disables Microsoft’s protected view and can allow a malicious payload contained within to execute."