The internet has become a hostile place where emails with attachments can no longer be taken at face value. The latest update from ESET researchers has uncovered a new influx of ransomware emails targeted at Russian users.
The research team found evidence of a large-scale, widespread attack that seems to have been targeting Russian users.
The New Year Campaign
Prior to this “New Year campaign,” the Russian-language spam was being distributed consistently from October 2018 to Christmas, albeit to a lesser degree than its January revival. Incidences of the ransomware then doubled in January.
The ransomware has been dubbed Troldesh or Shade, and is identified as Win32/Filecoder.Shade by ESET researchers in their report.
Ransomware typically hijacks folders or files that it deems important, selected by certain keywords, after which the attacker sends a message demanding a ransom. If the ransom is not paid, access to the files cannot be regained, and the storage may be further corrupted.
Russia Was Not the Only Target
The Ransomware Message
The email poses as a message from a legitimate Russian company such as B&N Bank, a Russia-based financial institution, or Magnit, a retail chain. Translated from Russian, the email’s contents discuss an order and an enclosed document, with an attached .zip file named either “info.zip” or “inf.zip.”
The loader, designed to look like an image file, then completes the delivery of the ransomware. The loader carries a digital signature that is invalid and fails verification, even though it claims to have been issued by a company named Comodo.
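As an added illustration of how a mail gateway might triage the attachment described above (example code written for this article, not from ESET or the report), the following checks an attachment for the campaign's archive names and for archive members that carry an image name but not image content; the sample zip is constructed inline and the member names in it are invented:

```python
import io
import zipfile

# Attachment names the campaign described above is reported to use.
SUSPECT_ARCHIVE_NAMES = {"info.zip", "inf.zip"}
IMAGE_EXTENSIONS = (".jpg", ".jpeg", ".png", ".gif", ".bmp")
# Executable/script extensions that should never hide behind an image name.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".js", ".jse", ".vbs", ".wsf", ".hta", ".cmd", ".bat")
# Leading bytes of common image formats; a member with an image name that
# lacks one of these is a content/extension mismatch.
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a", b"BM")


def triage_attachment(filename: str, data: bytes) -> list[str]:
    """Return findings for one mail attachment; an empty list means nothing was flagged."""
    findings = []
    if filename.lower() in SUSPECT_ARCHIVE_NAMES:
        findings.append(f"archive name {filename!r} matches the campaign's lure")
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            # Read only a header-sized prefix so a decompression bomb cannot exhaust the scanner.
            with zf.open(info) as member:
                head = member.read(16)
            if head.startswith(b"MZ"):
                findings.append(f"{info.filename!r} is a Windows executable (MZ header)")
            if name.endswith(IMAGE_EXTENSIONS) and not head.startswith(IMAGE_MAGIC):
                findings.append(f"{info.filename!r} has an image extension but non-image content")
            # "photo.jpg.js" style double extensions: an image name ending in a script extension.
            stem, _, last = name.rpartition(".")
            if "." + last in EXECUTABLE_EXTENSIONS and stem.endswith(IMAGE_EXTENSIONS):
                findings.append(f"{info.filename!r} uses an image name with an executable extension")
    return findings


def build_sample_attachment() -> bytes:
    """Constructed sample, not a real campaign file: a zip with members disguised as images."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo.jpg.js", "var lure = 1;")                 # script behind an image name
        zf.writestr("scan.png", b"MZ" + b"\x00" * 30)                # PE header behind .png
        zf.writestr("real.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 30)  # genuine PNG header, not flagged
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_attachment("info.zip", build_sample_attachment()):
        print(finding)
```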
The Shade ransomware comes with a message in both Russian and English, demanding that users send an email to [email protected] in order to decrypt their encrypted files. The message warns users that attempts to decrypt the files themselves will result in further damage and loss of their data. It gives instructions to download the Tor Browser in order to give feedback if their email has not been answered within 48 hours.
However, cooperating and paying the ransom provides no guarantee that users’ files will be restored. Furthermore, ransoms are often demanded in cryptocurrency to ensure further anonymity. As usual in these situations, the best treatment is prevention. Safeguard yourself by always using authorized email services, being cautious about opening links or attachments from unrecognized sources, and making sure your important files are backed up.