Researchers at Trend Micro have recently discovered a large spam campaign in which cyber criminals use two types of ransomware alternately to force victims to pay twice or lose all their data permanently. The ransomware rotated during the campaign include an updated versions of Locky along with FakeGlobe.
The researchers found that the attack is carried out by sending emails with an embedded link and attachment disguised as bills or invoices to people during their work hours. The invoices contain a script similar to the one inside archive downloaded from the link. However, the link comprises different binaries and have connectivity to different URLs for downloads, leading to the download of Locky and FakeGlobe ransomware. The two ransomware would then re-encrypt the victims’ files, forcing them to pay twice or lose their data. The campaign affected more than 70 countries, with Japan, China, and the United States being the major victims.
Speaking about the attack, Chief Cybersecurity Officer at Trend Micro Ed Cabrera said in statement to Dark Reading, “When it comes to these types of attacks – ransomware attacks – it’s all about speed and impact; something that can shock and awe. They want to be able to attack as many individuals and organizations as they possibly can, and do it fairly quickly while having the biggest impact.”
Cabrera also said that the recent attack was launched with an intention of achieving financial gains. He said, “The intended outcome is to really scare their victims into believing there’s no other option than paying. The shock value is to improve their financial gain, to improve the odds of them being paid … if they overwhelm their intended victims, they believe they have a better chance.”
Detected in 2016, Locky spreads by showing links to fake dropbox websites. In a recent study by researchers at Google, Chainalysis, UC San Diego, and the NYU Tandom School of Engineering, the ransomware has so far accounted for $7 million from the time it was detected. On the other hand, Fakeglobe, detected in 2017, is distributed through spam emails posing as legitimate invoices or automated responses.