A ransomware strain named Spider has been crawling around the web, using decoy documents to lure victims in the Balkans into its lair with threats of “debt collection”.
According to Netskope Threat Research Labs, once infected, victims are given 96 hours to pay (that’s four days, for the mathematically challenged among us)—an unusually generous payment window for ransomware. The authors also take pains to calm their victims, assuring them that file recovery is “really easy,” even going so far as to provide a handy video showing just how the process works and a help section, which contains the links and references to the resources needed to make the payment.
“This ongoing campaign, identified on the 10th December, uses decoy Office documents which usually arrive as email attachments,” said Amit Malik, researcher for cloud security at Netskope Threat Research Labs, in an analysis. “These attachments are auto-synced to the enterprise cloud storage and collaborations apps.”
That Office document is written in Bosnian, indicating that the threat actors are specifically targeting Bosnia and Herzegovina. Once Spider has encrypted the files, the ransom note’s user interface also offers language translation, which suggests the malware could be adapted for other regions with little effort.
No matter how empathetic the attackers may seem, Spider’s emergence shows that “ransomware continues to evolve and prevail as a top threat to all verticals in many organizations,” Malik said. “The addition of Spider ransomware as a new cob in the increasing ransomware web is a classic example. We continue to see an increase of decoy Office documents as an attack vector in spreading ransomware like GlobeImposter tied to several active and ongoing campaigns. As ransomware continues to evolve, administrators should educate employees about the impact of ransomware and ensure the protection of the organization’s data by making a regular backup of critical data.”
Malicious macros in the decoy documents are the infection vector here, so to avoid getting caught in Spider’s silk, users should keep macros disabled by default and treat with suspicion any document whose only visible content is an instruction to enable macros in order to view it, especially when the macros are unsigned or the document comes from an untrusted source. In a managed environment that default belongs in Office’s Trust Center or Group Policy settings, enforced centrally rather than left to each user.
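A pre-open check of the kind that advice implies, as an added example that is not part of the article or Netskope’s analysis: it walks an OOXML document (.docx/.docm, which is a zip container) looking for a `vbaProject.bin` part, extracts the visible text from `word/document.xml`, and flags the combination the article describes (a macro project plus a short body whose only message is “enable content”). Legacy binary `.doc` files are OLE containers and are handed off rather than guessed at. The lure phrases, the 60-word threshold, the verdict labels and the sample documents are all constructed assumptions for illustration.

```python
"""Pre-open triage for Office documents: flag files that carry a VBA project
and whose only visible content is a lure telling the reader to enable macros.
Added example code, not from the article or Netskope; sample documents are
constructed inline as test fixtures, not real malware."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls container header
# English lure phrases only; a real deployment adds the localised strings it sees.
LURE_RE = re.compile(r"enable\s+(content|macros?|editing)", re.I)
LURE_MAX_WORDS = 60   # assumed threshold: genuine documents usually say more than this


def visible_text(zf: zipfile.ZipFile) -> str:
    """Concatenate the w:t text runs of word/document.xml (empty if absent)."""
    try:
        root = ET.fromstring(zf.read("word/document.xml"))
    except KeyError:
        return ""
    return " ".join((t.text or "") for t in root.iter(W_NS + "t"))


def has_vba_project(zf: zipfile.ZipFile) -> bool:
    """Any OOXML part named vbaProject.bin carries VBA, whatever the file extension says."""
    return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())


def triage(data: bytes) -> dict:
    """Classify a document's raw bytes: container format, macro/lure flags and a verdict."""
    if data.startswith(OLE_MAGIC):
        # VBA in the legacy format lives in OLE streams; that needs a real OLE
        # parser (e.g. oletools), not a zip walk, so do not guess here.
        return {"format": "ole", "macros": None, "lure": None,
                "verdict": "inspect with an OLE parser"}
    if not data.startswith(b"PK\x03\x04"):
        return {"format": "unknown", "macros": None, "lure": None,
                "verdict": "not an Office container"}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        macros = has_vba_project(zf)
        text = visible_text(zf)
    lure = bool(LURE_RE.search(text)) and len(text.split()) <= LURE_MAX_WORDS
    if macros and lure:
        verdict = "quarantine"        # the decoy pattern described in the article
    elif macros:
        verdict = "review macros"     # legitimate macro documents exist; check the signer
    else:
        verdict = "no macros"
    return {"format": "ooxml", "macros": macros, "lure": lure, "verdict": verdict}


def build_docx(text: str, with_vba: bool) -> bytes:
    """Construct a minimal OOXML document in memory (fixture only; text must be XML-safe)."""
    doc_xml = (
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        "<w:body><w:p><w:r><w:t>" + text + "</w:t></w:r></w:p></w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", doc_xml)
        if with_vba:
            # Placeholder bytes standing in for a VBA project; no code inside.
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 64)
    return buf.getvalue()


# Constructed samples: a lure-only macro document and a benign report.
LURE_DOC = build_docx("Document protected. Click Enable Content to view the invoice.", True)
PLAIN_DOC = build_docx("Quarterly report " * 40, False)

if __name__ == "__main__":
    for name, blob in (("lure.docm", LURE_DOC), ("report.docx", PLAIN_DOC)):
        print(name, triage(blob))
```

The check is deliberately conservative: a macro project on its own only earns a “review macros” verdict, because signed, in-house macro documents are common, and the lure heuristic is what separates a decoy from a working spreadsheet. Run it on the mail gateway or the cloud-storage sync folder mentioned in the analysis, before the document ever reaches a user’s Word.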