Proofpoint researchers have identified a low-volume email ransomware campaign targeting organizations in Austria, Switzerland and Germany. The campaign uses Hakbit, a variant of the Thanos ransomware as a service (RaaS). The attack uses malicious Microsoft Excel attachments sent from a free email provider (GMX) that mainly serves a European customer base. The attachments use fake tax and refund lures to entice users to enable macros, which run GuLoader; GuLoader then downloads the ransomware that encrypts files and locks the system.
Because Microsoft Office VBA macros do not run on mobile devices, the emails direct recipients to open the attachment on their computer rather than on their mobile device, which improves the attackers' chances of success.
Targeted users held mid-level positions in the pharmaceutical, legal, financial, business, retail and healthcare services sectors. The largest volume of messages we observed was sent to the information technology, construction, insurance and technology industries. Proofpoint researchers noticed that most of the roles targeted by the Hakbit campaigns are customer-facing, with the individuals' contact details publicly listed on company websites and/or in advertisements. These roles include lawyers, customer consultants, managers, insurance consultants, CEOs and project managers.
Below is an example of the messages users receive. They often carry the subjects "Fwd: Steuerrückzahlung" (translation: Tax Refund) and "Ihre Rechnung" (translation: Your Invoice).
This message is in German and misuses the logo and name of 1&1, a German telecommunications company. According to Google Translate, the message states:
The message contains a Microsoft Excel attachment named 379710.xlsm, which contains malicious macros. Because the macros and malware will not work on a mobile device, the message instructs the recipient to use a computer to open the attachment. Once opened, the spreadsheet directs the recipient, in German and English, to enable the macros, as shown in Figure 2.
Once the macros are enabled, the spreadsheet downloads and runs GuLoader, a relatively new downloader. GuLoader in turn downloads and executes Hakbit, a ransomware that encrypts files with AES-256.
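As an added, defender-side example (not code from the Proofpoint report), the triage below scores a message against the traits described here: a GMX sender, the German tax-refund or invoice subject lure, and an Excel attachment that actually carries a VBA project (xl/vbaProject.bin inside the OOXML zip). The sender address, the domain list and the sample workbook are constructed for the demonstration.

```python
import io
import re
import zipfile

# Lure subjects from the campaign described above.
SUBJECT_PATTERNS = [
    re.compile(r"steuerr[üu]ckzahlung", re.I),  # "Fwd: Steuerrückzahlung"
    re.compile(r"ihre rechnung", re.I),         # "Ihre Rechnung"
]
# Assumption: GMX consumer domains to watch; tune for your own mail flow.
FREE_MAIL_DOMAINS = {"gmx.de", "gmx.net", "gmx.at", "gmx.ch"}


def has_vba_project(workbook_bytes):
    """True if an OOXML workbook (.xlsm/.xlsx) carries an embedded VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(workbook_bytes)) as zf:
            return "xl/vbaProject.bin" in zf.namelist()
    except zipfile.BadZipFile:
        return False  # not an OOXML container; route to a different check


def triage_message(sender, subject, attachments):
    """Return the campaign traits matched by one message.

    attachments is a list of (filename, raw_bytes) tuples.
    """
    hits = []
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain in FREE_MAIL_DOMAINS:
        hits.append("sender:free-mail-provider")
    if any(p.search(subject) for p in SUBJECT_PATTERNS):
        hits.append("subject:tax-or-invoice-lure")
    for name, data in attachments:
        if name.lower().endswith((".xlsm", ".xlsx")) and has_vba_project(data):
            hits.append("attachment:macro-enabled:" + name)
    return hits


def build_sample_workbook(with_macros):
    """Constructed minimal OOXML zip for testing; only member names matter here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macros:
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0")  # OLE magic stub
    return buf.getvalue()


if __name__ == "__main__":
    sample = [("379710.xlsm", build_sample_workbook(True))]  # constructed attachment
    print(triage_message("rechnung@gmx.de", "Fwd: Steuerrückzahlung", sample))
```

A plain .xlsx can also embed a VBA project, which is why the check looks inside the container rather than trusting the extension.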
Figure 3 shows the image displayed when Hakbit runs, and Figure 4 shows the ransom note in English and German.
The note demands €250 in bitcoin to unlock the encrypted files and provides instructions on how to pay the ransom.
Proofpoint researchers have observed consistent, low-volume ransomware campaigns frequently since January 2020. Proofpoint researchers also recently spotted a shift in the threat landscape with a large Avaddon ransomware campaign, according to recent reports.
Note that some other security companies refer to this ransomware as Thanos, so treat the naming with some caution.