File Spider Ransomware Hits the Balkans with Malspam and Gives 96-Hour Deadline

Security experts have recently detected another strain of ransomware aimed at the Balkans, including Bosnia and Herzegovina, Serbia, and Croatia. The ransomware is dubbed File Spider and has been known to researchers since December 10th, 2017, when the ongoing campaign was identified. The File Spider ransomware, also known as Spider, is spread through disguised emails whose subject line reads "Potrazivanje dugovanja". A Google translation suggests that the topic of the shamelessly deceptive email is "Debt Collection", and the message itself appears to be written in Serbian.

The people behind the Spider ransomware use Office documents as email attachments to trick recipients into inadvertently starting the installation of the malware. Three pieces of malware associated with the Spider campaign have been identified as VB:Trojan.VBA.Agent.QP, Trojan.GenericKD.12668779, and Trojan.GenericKD.6290916, the last two of which are downloaded payloads.

The Office document is written in Bosnian, which again suggests that the attackers are targeting the Balkans region, and probably Bosnia and Herzegovina in particular. The document carries macro code that, once macros are enabled, launches PowerShell, which in turn downloads the payload from yourjavascript.com. The payload is a Base64-encoded string that PowerShell immediately decodes. PowerShell then applies an XOR operation with the key AlertTI, which yields the final payload. Two files, enc.exe and dec.exe, are created and copied to the %APPDATA%/Spider directory.
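The decoding chain above (Base64, then XOR with AlertTI) is what an analyst has to reverse to recover the dropped executables for examination. The following is an added example, not code from the page or its sources; it assumes the XOR is a byte-wise repeating-key XOR with the ASCII bytes of AlertTI, and the sample blob it decodes is constructed from a fake stand-in, not a real payload.

```python
import base64

# Key named in the page's analysis of the Spider stager. Treating it as an
# ASCII repeating-key, byte-wise XOR is an assumption of this example.
XOR_KEY = b"AlertTI"

def xor_with_key(data, key=XOR_KEY):
    """Repeating-key XOR: applying it twice restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def decode_staged_payload(b64_text, key=XOR_KEY):
    """Undo the two layers described on the page: Base64 first, then XOR.
    Whitespace is stripped so a blob pasted from a script or log decodes."""
    raw = base64.b64decode("".join(b64_text.split()), validate=True)
    return xor_with_key(raw, key)

def looks_like_pe(blob):
    """Sanity check for an analyst: a dropped Windows executable starts 'MZ'."""
    return blob[:2] == b"MZ"

# Constructed sample: a fake 'executable' wrapped the same way, so the
# decoder can be exercised offline without touching a real payload.
FAKE_EXE = b"MZ" + b"\x90" * 6 + b"constructed stand-in, not a real PE"
SAMPLE_B64 = base64.b64encode(xor_with_key(FAKE_EXE)).decode("ascii")

if __name__ == "__main__":
    out = decode_staged_payload(SAMPLE_B64)
    print("PE header present:", looks_like_pe(out), "size:", len(out))
```

If the decoded bytes do not start with MZ, the key, the key layout, or the order of the layers is wrong, which is the first thing to re-check against the dropper script.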

The executable files enc.exe and dec.exe are the encryptor and the decryptor respectively, and the latter also displays the graphical user interface used to swindle victims out of their money. Two .txt files, files.txt and id.txt, are created in the same %APPDATA%/Spider directory.

An analysis of the ransomware's code has shown that the Spider ransomware, or rather dec.exe, monitors system processes and blocks several built-in Windows tools, such as Task Manager, Registry Editor, and CMD, along with some other utilities, to stop a victim from interfering with its processes.

Upon encrypting a file, the Spider ransomware appends the .spider extension to it. For example, the file dex-tools.-0.0.0.6.jar becomes dex-tools.-0.0.0.6.jar.spider. The encrypted files are recorded as a list in the files.txt file. In total, over 1000 file formats are on the ransomware's target list.

It has also been found that the File Spider ransomware only encrypts files in specific locations. For example, directories such as tmp, Program Files (x86), Program Files, Recycle, Boot, Windows, and some others are skipped. The targeted files are encrypted with the AES-128 algorithm, and the AES key is then itself encrypted with a bundled RSA key.

The ransom message of the Spider threat is displayed in a program window that also features a menu bar with a Translate option, where a victim can choose between English and Croatian. According to the ransom warning, a victim has to pay the ransom within 96 hours. If the payment is not received within those four days, the files are said to be deleted permanently. To make a payment, a victim is asked to download the Tor browser, which is needed to reach the website whose link is given in the ransom warning. A victim is also told that decryption takes place once a unique decryption code has been generated. After installing the Tor browser, a victim is expected to log in to a website where the release fee of 0.00726 BTC is to be paid. Security experts strongly advise against paying up in order to prevent financial losses. Instead of paying the ransom, it is vital to remove the infection and make sure that such an incident does not happen again.

Research on the Spider ransomware has revealed that the attackers tried to assist their victims with the payment process by creating a video tutorial. In each affected directory, the Spider ransomware creates a .url file named HOW TO DECRYPT FILES that contains the link to a video showing how to submit the payment. The video was reportedly available on the vid.me website until December 15th, 2017.
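The .spider extension, the skipped directories, and the per-directory HOW TO DECRYPT FILES.url note described above are the artefacts an incident responder would sweep a machine for to size up the damage and recover the original file names. The following triage script is an added example, not part of the page or any vendor tool; it assumes the note is an ordinary Windows InternetShortcut .url file, and the directory tree and video URL it scans are constructed placeholders.

```python
import os
import tempfile

# Values taken from the page: the appended extension, the ransom-note name
# and the directories the encryptor is reported to skip.
SPIDER_EXT = ".spider"
NOTE_NAME = "HOW TO DECRYPT FILES.url"
SKIPPED_DIRS = {"tmp", "program files (x86)", "program files",
                "recycle", "boot", "windows"}

def parse_url_shortcut(text):
    """Return the URL= value of a Windows .url (InternetShortcut) file, or None."""
    for line in text.splitlines():
        if line.strip().lower().startswith("url="):
            return line.strip()[4:]
    return None

def triage(root):
    """Walk root like the encryptor (pruning the skipped directories) and collect
    encrypted files, their original names and the link in each ransom note."""
    encrypted, notes = [], {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d.lower() not in SKIPPED_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(SPIDER_EXT):
                encrypted.append(path)
            elif name.lower() == NOTE_NAME.lower():
                with open(path, encoding="utf-8", errors="replace") as fh:
                    notes[path] = parse_url_shortcut(fh.read())
    originals = [p[:-len(SPIDER_EXT)] for p in encrypted]
    return {"encrypted": sorted(encrypted), "originals": sorted(originals), "notes": notes}

def build_constructed_sample():
    """Create a throwaway tree mimicking an infected profile (constructed data only)."""
    root = tempfile.mkdtemp(prefix="spider_triage_")
    layout = {  # the video URL below is a placeholder, not the real one
        "Documents/report.docx.spider": b"\x00" * 16,
        "Documents/" + NOTE_NAME: "[InternetShortcut]\r\nURL=http://video.example.invalid/howto\r\n",
        "Windows/system.dll.spider": b"\x00" * 16,  # in a skipped directory
        "Pictures/holiday.jpg": b"\xff\xd8",  # untouched file
    }
    for rel, content in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb" if isinstance(content, bytes) else "w") as fh:
            fh.write(content)
    return root

if __name__ == "__main__":
    print(triage(build_constructed_sample()))
```

Running the sweep over a real profile gives the list of names to restore from backup and every note location to collect as evidence, without opening any of the encrypted files.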

One of the tabs also contains the email address file-spider@protonmail.ch in case a victim needs more information about the present situation.

Malicious emails, also called malspam, are very often used to spread malware. It is highly important to ignore questionable emails, because they may be part of a malware campaign. When dealing with a document that includes macros, it is worth leaving them disabled, since macros are very often used to deliver computer threats. On top of that, it is also advisable to back up valuable data and keep the system shielded against malware.
