Barkly vs Malware
Barkly Research
Dec 2017

File Spider Ransomware Gives 96 Hours to Pay


A new ransomware variant called File Spider is giving infected victims 96 hours to recover their encrypted files. Find out how it works and see Barkly block it.

According to researchers @malwarehunterteam and @LawrenceAbrams, File Spider is currently being distributed through malspam and is spreading in countries such as Bosnia and Herzegovina, Croatia and Serbia. The spam email carries the Croatian subject line “Potraživanje Dugovanja”, which Google Translate renders as “Debt Collection”.

How File Spider is being delivered

Attackers are sending out spam emails that contain a Word document (BAYER_CROPSCIENCE_OFFICE_BEOGRAD_93876.doc) embedded with malicious macros.


Malicious Word document used to spread File Spider

If a user clicks the “Enable Editing” button after opening the file, the macro runs and attempts to download the malicious executables using PowerShell.

The macro contains a Base64-encoded PowerShell script. When executed, it downloads two XOR-encrypted .exe files called ‘enc.exe’ and ‘dec.exe’.


Embedded macro

Once downloaded, these files are decrypted and saved on the computer at the location ‘%AppData%\Spider’.

The encryption process

Once the macro has executed and the files have been downloaded, the script runs the two malicious executables. Enc.exe is the encryptor: it scans the machine’s local drives and encrypts targeted file types with 128-bit AES. The encrypted files are then renamed with the .spider extension.

Additionally, the malware drops a file named HOW TO DECRYPT FILES.url in any folder containing encrypted files. When opened, the .url file redirects to hxxps://vid.me/embedded/CGyDc?autoplay=1&stats=1, which displays a video tutorial of how to decrypt the files.

Finally, enc.exe creates a file named ‘%UserProfile%\AppData\Roaming\Spider\5p1d3r’ and then deletes itself, thereby triggering the second file — ‘dec.exe’ — to run.

Ransom note GUI

On execution, dec.exe creates a Windows Registry entry that triggers it to be launched on startup. Following that, it displays the ransom payment instruction page with the help of a GUI.
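The stages described above (Word spawning encoded PowerShell, payloads written to %AppData%\Spider, mass renames to .spider, the ransom note and 5p1d3r marker, and dec.exe’s startup entry) map onto a small per-stage detection. The code below is an added example, not Barkly’s product logic; it runs over constructed, simplified endpoint events, and the HKCU Run key is an assumption, since the post only says “a Windows Registry entry”.

```python
"""Per-stage detection for the File Spider chain; constructed sample events, not real telemetry."""
import re
from collections import Counter

USER = r"C:\Users\ana"                      # constructed victim profile
SPIDER = USER + r"\AppData\Roaming\Spider"  # drop location named in the post
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand SQBFAFgA..."},  # placeholder blob
    {"type": "file", "image": "powershell.exe", "path": SPIDER + r"\enc.exe"},
    {"type": "file", "image": "powershell.exe", "path": SPIDER + r"\dec.exe"},
    {"type": "file", "image": SPIDER + r"\enc.exe", "path": USER + r"\Documents\budget.xlsx.spider"},
    {"type": "file", "image": SPIDER + r"\enc.exe", "path": USER + r"\Documents\report.docx.spider"},
    {"type": "file", "image": SPIDER + r"\enc.exe", "path": USER + r"\Pictures\family.jpg.spider"},
    {"type": "file", "image": SPIDER + r"\enc.exe", "path": USER + r"\Documents\HOW TO DECRYPT FILES.url"},
    {"type": "file", "image": SPIDER + r"\enc.exe", "path": SPIDER + r"\5p1d3r"},
    # Assumption: dec.exe persists via the per-user Run key (the post does not name the key).
    {"type": "registry", "image": SPIDER + r"\dec.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Spider"},
]

# One rule per stage of the chain; rule names are this example's, not Barkly's.
RULES = {
    "office_spawns_encoded_powershell": lambda e: e["type"] == "process"
        and e["parent"].lower().endswith("winword.exe")
        and e["image"].lower().endswith("powershell.exe")
        and re.search(r"-e(c|nc|ncodedcommand)?\b", e["cmdline"], re.I) is not None,
    "payload_written_to_appdata_spider": lambda e: e["type"] == "file"
        and re.search(r"\\appdata\\roaming\\spider\\(enc|dec)\.exe$", e["path"], re.I) is not None,
    "ransom_note_dropped": lambda e: e["type"] == "file"
        and e["path"].lower().endswith("how to decrypt files.url"),
    "spider_marker_file": lambda e: e["type"] == "file"
        and e["path"].lower().endswith(r"\appdata\roaming\spider\5p1d3r"),
    "run_key_set_from_spider_dir": lambda e: e["type"] == "registry"
        and "\\currentversion\\run\\" in e["key"].lower()
        and "\\appdata\\roaming\\spider\\" in e["image"].lower(),
}

def detect(events, rename_threshold=3):
    """Return {rule_name: evidence}; mass_spider_rename lists (process, count) over the threshold."""
    hits = {name: [i for i, e in enumerate(events) if rule(e)] for name, rule in RULES.items()}
    renames = Counter(e["image"] for e in events
                      if e["type"] == "file" and e["path"].lower().endswith(".spider"))
    hits["mass_spider_rename"] = [(img, n) for img, n in renames.items() if n >= rename_threshold]
    return {k: v for k, v in hits.items() if v}

if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS).items():
        print(f"{rule}: {evidence}")
```

The first rule alone (Office spawning encoded PowerShell) fires before any payload lands, which is the stage the post says Barkly blocks at; the later rules confirm the chain on a host that was not protected.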


File Spider in action

Victims are given a 96-hour deadline to pay. After that, the ransom note explains the decryption key will be “blocked” and all the victim’s files will be permanently encrypted.

Interestingly, the GUI appears to be designed to make the payment and decryption process seem less intimidating to victims. It provides instructions that walk victims through the entire payment process, from how to use the Tor Browser to how to obtain Bitcoin, and it consists of multiple tabs that let the victim toggle between English and Croatian, display their ID, and visit the Tor payment site. There’s even a “Help” tab that includes a link to a video tutorial.

Unfortunately, there is currently no way of decrypting files encrypted by File Spider without paying the ransom.

For more in-depth details about how File Spider works, a technical analysis of this sample by @sdkhere is available.

Blocking File Spider before it executes


Barkly blocks a File Spider attack even if a user enables macros

Delivering ransomware via spam emails and fake invoices is a well-established (yet still very effective) tactic. Attackers know there will always be a portion of users who will fall for this trick, and they know it takes time for security vendors to update their protection to cover new variants.

Barkly, on the other hand, blocks new ransomware like File Spider automatically, without any updates necessary. Not only does it prevent the ransomware payload from executing, it prevents the macro embedded in the Word document from executing, thereby stopping the attack before the payloads can even touch the machine. As a result, no information is encrypted and no damage is incurred.


Barkly provides defense in depth against the File Spider attack by blocking it at multiple stages

Learn more about how Barkly's protection works and how it can protect your company. See a demo of Barkly in action.

Hashes:

  • Word-doc: 1753cfa7bec8b6044b07823deee14d9ca366c54b42c1c9d4ff045dac2fc112d9
  • enc.exe: 6500a1baa13e0698e3ed41b4465e5824e9a316b22209223754f0ab04a6e1b853
  • dec.exe: 74e5096f09a031800216640a8455bc487e9a32b2e56fbad9d083c3810ed5488e