The “Merry Christmas” ransomware is back for the second time in the new year—but now uses a different spam lure.
First spotted giving the gift that keeps on giving (or encrypting, at least), the Merry Christmas campaign was assumed to be a seasonal one-off gambit, giving out ransomware distributed through malicious spam disguised as FTC consumer complaints.
For this second campaign, crooks are distributing Merry Christmas using emails posing as court attendance notices.
“It seemed odd to find Christmas-themed ransomware two weeks after Christmas; however, Orthodox Christian communities celebrate Christmas on January 7,” explained researchers at SANS Institute, in an analysis. “Ultimately, such Christmas-themed ransomware isn't odd if it's from a Russian actor.”
Just like the first wave, emails include links that download files from an online server that contain macro scripts. If allowed to execute, they in turn download and install the latest version of the Merry Christmas ransomware. The ransom notifications for the two campaigns also have identical text; but Sunday's image featured Robot Santa Claus from the TV show Futurama.
“Which is appropriate, since that character is quite evil,” SANS noted.
The researchers also noted that changing the name going forward might be a good idea. “MRCR1 is one of the file extensions seen for the encrypted files from last week's sample,” they wrote. “That might be a good name for this ransomware, especially if we see it again later using some other theme.”
At least one other researcher expects to see the code make more appearances in the future.
“Creating malware can be like walking down an exploit buffet line,” Travis Smith, senior security research engineer at Tripwire, said via email. “Being able to reuse code is done every day by software engineers all over the world—cyber-criminals are no different. If the people behind a malware campaign are looking to make a few extra bucks, adding in a ransomware component would be trivial.”
As always, organizations should be wary of paying the ransom and expecting everything to go back to normal.
“It's important to know that when you pay a ransom, the only "guarantee" is that the decryption key to your files will be provided,” Smith said. “There are no instances of a ransomware note which says it will remove any other malware. Restoring access to files, by paying the ransom or not, is just the first step in responding to ransomware. Understanding where and how the malware got in can not only protect against future infections, but also open the opportunity to completely eradicate the malware from the environment.”
Photo © characters for your