Emerging Threat Ransomware with Alternating Payload

Recently, there has been an active email campaign spreading two distinct types of ransomware: Locky and FakeGlobe. While Locky is well known and has been observed since early 2016, FakeGlobe has emerged since June 2017.
 
The ransomware uses a rotation technique, that is, the ransomware payload is swapped in one hour. The nature of the ransomware is that targeted organization infected by one of the ransomware is still highly vulnerable to the other ransomware, leading to files being encrypted twice. Payment have to be made twice to recover the files and system.
 
The email lures are in the form of invoices and billings requesting to be paid. The email contains a link to view the payment details and which when clicked upon leads to an archive(zip) file. When the user opens that file, it runs a script to connect to a URL for downloading the ransomware, either Locky or FakeGlobe.
 
Both Locky and FakeGlobe target systems running the Microsoft Windows operating systems.
 
The alternating ransomware poses a huge threat to targeted organizations across many countries; victims have to pay twice or in the worst case, lose their data permanently.
 
According to researchers, a new ransomware has emerged on the surface, infecting its victims with two alternating types of ransomwares (Locky and FakeGlobe), forcing the infected victims to pay twice, else lose their data permanently.
 
The nature of the cyberattack is that it can rotate the ransomware payload in the next hour after the initial infection, prompting the victim for double payment to recover their files or system.
 
The design of the campaign is such that clicking on a link provided in the spam mail will deliver Locky for one hour and then FakeGlobe the next. This makes re-infection a high possibility, infected victims are prone to get infected again by the other variant in rotation of the ransomware.

Technical Details:

Hackers are combining these variants to maximize ransoms. The campaign is designed to swap the payload.
 
Systems infected with Locky and FakeGlobe ransomware has a wide range of file types encrypted and there is no free decryption software to unlock the infections. Victims must either restore their files from backups or pay the ransom to recover their data. Researchers said this latest campaign uses highly sophisticated distribution methods and have impacted users in over 70 countries -- 7 percent of the victims were in the U.S. Trend Micro officials said researchers blocked as many as 298,000 spam emails and distribution peaked at 10 AM on Sept. 4.
 
Further, hackers are launching attacks to coincide with work hours, which is the most effective method for spam campaigns.
 
The spam emails that users are receiving have a link and an attachment; the attachment is a .7z (7-zip) rather than a .zip file. The emails are disguised as invoices or bills targeting the user. Clicking the link in the email downloads an archive that is similar to the attachment, but they connect to different URLs to download the ransomware. This spam campaign has a DOC file attachment with a malicious macro to trick the user into enabling macros, which are disabled by default.
 
FakeGlobe features a support page to help victims pay the ransom. The affiliate ID and ID assigned to the victim appear to determine how ransom payments are distributed.
 
Both Locky and FakeGlobe target computers running Microsoft Windows operating systems.

Mitigation strategies:

• Educate users to stop infection through lure emails.
• Educate users to avoid following links to untrusted sites. 
• Disable macro execution in Microsoft Office documents to prevent the download of second stage downloaders or malware payloads.
• Ensure good backup policies that will help protect businesses against file loss and prevent them from having to pay ransoms.

Recommended best practices:

• Disable default user accounts
• Always execute browsing software with the least privileges possible. 
• Turn on Data Execution Prevention (DEP) for systems that support it.
• Maintain a regular patch and update cycle for OS and installed software.
• Assess the environment to identify all assets and security issues (for enterprises).
• End users should back up business data to the organization’s shared folders. Data residing on user devices may be permanently lost in the event of a ransomware infection.
• Do NOT open Office document file attachments unless specifically requested from the sender. View the email header or send a separate email to validate the sender before opening attachments.  
• Review firewall rules and policies.
• Check if antivirus software is up-to-date on the system(s).
• For additional details please refer to this link: http://technet.microsoft.com/en-us/library/dd277328.aspx

REFERENCES:

For additional information related to this threat/vulnerability please refer to links below:
http://blog.trendmicro.com/trendlabs-security-intelligence/locky-ransomware-pushed-alongside-fakeglobe-upgraded-spam-campaigns/
http://www.zdnet.com/google-amp/article/double-trouble-this-ransomware-campaign-could-infect-your-pc-with-two-types-of-file-locking-malware/  
http://www.healthcareitnews.com/news/new-rotating-locky-ransomware-campaign-can-infect-networks-twice 
https://www.spamtitan.com/blog/locky-fakeglobe-ransomware-double-ransomware-campaign/ 
https://kc.mcafee.com/corporate/index?page=content&id=PD26383

For more information on the topic and our Cyber Security Solutions & Services, please contact us by mail security@birger.technology.