New Wave of Ransomware Spam Targets Russian Users

computer antivirus software

Security experts have identified a new wave of ransomware emails targeted at Russian users that gain access by using malicious email attachments.

The internet has become a hostile place where emails with attachments can no longer be taken at face value. The latest update from ESET researchers has uncovered a new influx of ransomware emails targeted at Russian users.

While a majority of spam attachments have moved towards HTML5 and other newer languages, JavaScript attachments still appear to be a popular way for hackers to deliver malicious codes to victims’ computers.

The research team found evidence of a large-scale, widespread attack that seems to have been targeting Russian users.

The New Year Campaign

Prior to this “New Year campaign,” the Russian-language spam was being distributed consistently from October 2018 to Christmas, albeit to a lesser degree than its January revival. Incidences of the ransomware then doubled in January.

The ransomware has been dubbed as Troldesh or Shade, identified as Win32/Filecoder.Shade by ESET researchers in their report.

Ransomware typically hijacks folders or files that it deems important, based on certain keywords, after which the hacker sends a message demanding a ransom. If not paid, access cannot be regained to the file and storage may be further corrupted.

Russia Was Not the Only Target

Based on the charts acquired by ESET, it was evident that the ransomware was targeting Russia as nearly 56 percent of the JavaScript email attachments were distributed in the country.

Ukraine, France, Germany and Japan, in descending order, also received malicious JavaScript attachments, though on a much smaller scale than Russia.

The Ransomware Message

Eset website on the display of PC

ESET confirmed that the JavaScript file downloads a malicious loader, identified as Win32/injector.

The email poses as a message from a legitimate Russian company such as B&N Bank, a Russia-based financial institution, or Magnit, a retail chain. Translated from Russian, the email’s contents discuss an order and enclosed document with an attached .zip file named either “info.zip” or “inf.zip.”

ESET confirmed that the JavaScript file downloads a malicious loader, identified as Win32/injector. This loader can be downloaded from one of many websites, including legitimate websites hosted on WordPress, which have been compromised by brute-force attacks, a common password-cracking technique.

The loader, designed to look like an image file, then completes the delivery of the ransomware. The loader uses a digital signature which is invalid and not verified, though claimed to be approved by a company named Comodo.

The Shade ransomware comes with a message in both Russian and English, demanding users to send an email to [email protected] in order to decrypt their corrupted files. The message informs users that attempts to decrypt the files themselves will result in further damage and loss of their data. It gives instructions to download the Tor Browser in order to give feedback in the event that their email is not responded to within 48 hours.

However, cooperating and paying the ransom provides no guarantee that users’ files will be restored. Furthermore, ransoms are often demanded in cryptocurrency to ensure further anonymity. As usual in these situations, the best treatment is prevention. Safeguard yourself by always using authorized email services, be cautious of opening links or attachments from unrecognized sources and make sure your important files are backed up.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.