The musical ransomware, FTCode, plays German rock music whilst encrypting victims’ files.
Researchers at AppRiver discovered FTCode within malicious email campaigns targeting Italian Officer 365 customers.
Victims receive emails containing malicious content posing as invoices, documents scans and resumes. A Visual Basic script (.vbs) files is also included with the email, which when downloaded plays the German rock band, Rammstein, whilst encrypting the victims’ files.
In a blog post, David Pickett, security analyst at AppRiver said: “The .vbs file initially launches PowerShell to download and play a mp3 file from archive.org. At first glance, we suspected it was just a renamed file extension for malware, a common practice to help evade some network gateways. However, we were amused to find it launches a Rammstein song mix.”
Whilst the mix is being played, the script reaches out to a different domain to pull down another .vbs file – the Jasper malware loader, which allows threat actors to load any additionally malware of their choosing.
Once the files are encrypted, a ransom note is left displaying on the desktop instructing the victim to download, install and visit an onion site for further information.
The onion site offers the victim a chance to test file decryption with one file before paying the ransom in an attempt to establish trust with the user.
If the victim chooses to pay the ransom within the first three days the ransom is set at $500, however if not the ransom significantly increases to $25,000.
Pickett has advised users to remain vigilant and not click or open any unsolicited links or documents that have unfamiliar file types with script files such as (.vbs, .js, .p1, .bat, etc.).
“Any Office file that, once opened, urges the user to Enable Content or Enable Editing should be treated with the utmost caution and verified from the sender out of band before doing so. If the file is malicious, enabling content or editing disables Microsoft’s protected view and can allow a malicious payload contained within to execute.
“If no backups are available to restore files from, impacted users may also verify the type of ransomware at ID Ransomware to see if a publicly available decryptor for their particular ransomware attack exists. If not, they can also sign up for notifications to receive an alert if one becomes available in the future.”
PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.
For more information on upcoming events, visit the website.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.
Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered. https://www.privacyculture.com/