Saturday, July 4, 21:16

Ransomware Hakbit: Targets companies in Germany, Austria and Switzerland

Proofpoint researchers have identified a low-volume email ransomware campaign targeting organizations and companies in Austria, Switzerland and Germany. The campaign uses Hakbit, a variant of the Thanos ransomware-as-a-service (RaaS). The attack relies on malicious Microsoft Excel attachments sent through a free email provider (GMX) that mainly serves a European customer base. The attachments use tax and refund lures to entice users into enabling macros that run GuLoader, which in turn downloads the ransomware to encrypt files and lock the system.


Because Microsoft Office VBA macros do not run on mobile devices, the emails instruct recipients to open the attachment on their computer rather than on their mobile device, increasing the chance that the infection chain succeeds.

Targeted users held mid-level positions in the pharmaceutical, legal, financial, business, retail and healthcare sectors. The largest volume of messages was sent to the information technology, construction, insurance and technology sectors. Proofpoint researchers noted that most of the roles targeted by the Hakbit campaigns are customer-facing, with the individuals' contact details publicly listed on company websites and/or in advertisements. These roles include lawyers, customer consultants, managers, insurance consultants, CEOs and project managers.

Below is an example of the messages users receive; common subjects are "Fwd: Steuerrückzahlung" (Translation: Tax Return) and "Ihre Rechnung" (Translation: Your Account).

Figure 1

This message is written in German and misuses the logo and name of 1&1, a German telecommunications company. According to Google Translate, the message states:


The message carries a Microsoft Excel attachment named 379710.xlsm that contains malicious macros. Because the macros, and therefore the malware, will not run on a mobile device, the message instructs the recipient to open the attachment on a computer. Once opened, the spreadsheet prompts the recipient, in German and English, to enable macros, as shown in Figure 2.

Figure 2

Once macros are enabled, the spreadsheet downloads and runs GuLoader, a relatively new downloader. GuLoader then downloads and executes Hakbit, a ransomware that encrypts files with AES-256.
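A defender-side triage check for the first link in this chain, added here as an example and not part of the original article or Proofpoint's tooling: it inspects an OOXML workbook attachment for an embedded VBA project (the `xl/vbaProject.bin` part and the macro-enabled content type) without opening it in Excel, and also flags a workbook that hides macros behind a plain `.xlsx` extension. The sample workbooks are constructed in memory; the VBA part is a placeholder, not real macro code.

```python
"""Triage Office attachments for embedded VBA macros (defender-side example)."""
import io
import zipfile

# Standard OOXML markers for a macro-enabled Excel workbook (not values taken from the malware).
VBA_PART = "xl/vbaProject.bin"
MACRO_ENABLED_CT = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"
PLAIN_CT = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"


def inspect_ooxml(data: bytes) -> dict:
    """Return facts about a zip-based Office attachment without rendering it."""
    if not data.startswith(b"PK"):
        return {"ooxml": False, "has_vba": False, "macro_ct": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        types_xml = ""
        if "[Content_Types].xml" in names:
            types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    return {"ooxml": True, "has_vba": VBA_PART in names, "macro_ct": MACRO_ENABLED_CT in types_xml}


def triage_attachment(filename: str, data: bytes) -> str:
    """Map the inspection facts to a mail-gateway verdict."""
    facts = inspect_ooxml(data)
    ext = filename.lower().rsplit(".", 1)[-1]
    if not facts["ooxml"]:
        return "not-ooxml"
    if facts["has_vba"] and ext == "xlsx":
        return "quarantine: macros hidden behind .xlsx extension"
    if facts["has_vba"] or facts["macro_ct"]:
        return "quarantine: macro-enabled workbook"
    return "allow: no VBA project"


def build_sample(macro: bool) -> bytes:
    """Constructed minimal workbook; the VBA part is a placeholder blob, not real code."""
    ct = MACRO_ENABLED_CT if macro else PLAIN_CT
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    f'<Types><Override PartName="/xl/workbook.xml" ContentType="{ct}"/></Types>')
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if macro:
            zf.writestr(VBA_PART, b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    # Filename from the article; the workbook content itself is constructed.
    print(triage_attachment("379710.xlsm", build_sample(True)))
```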

Below is the image displayed while Hakbit runs (Figure 3), followed by the ransom note in English and German (Figure 4).

Figure 3
Figure 4

The note demands €250 in bitcoin to unlock the encrypted files and provides instructions on how to pay the ransom.


Proofpoint researchers have observed consistent, often low-volume ransomware campaigns since January 2020. Proofpoint researchers also recently spotted a shift in the threat landscape with a large Avaddon ransomware campaign, according to recent reports.

Note that some other security companies refer to this ransomware as Thanos, so treat the name Hakbit with some reservation.



Teo Ehc
