A new ransomware called File Spider is being distributed through spam that targets victims in Bosnia and Herzegovina, Serbia, and Croatia. These spam emails contain malicious Word documents that will download and install the File Spider ransomware onto a victim's computer.
File Spider is currently being distributed through malspam that appears to be targeting countries such as Croatia, Bosnia and Herzegovina, and Serbia. The spam emails have subjects like "Potrazivanje dugovanja", which translates to "Debt Collection", and their message body, according to Google Translate, appears to be in Serbian.
These emails have an attached Word document with malicious macros that pretends to be a debt collection notice, which according to Google Translate is written in Croatian.
If a user clicks the Enable Editing button, followed by the Enable Content button, the embedded macro will download the ransomware executables from a remote site and execute them.
The macro, shown above, contains a Base64-encoded PowerShell script that, when executed, will download XOR-encrypted files called enc.exe and dec.exe from a remote site. The URLs that are used to download the files are currently:
When the files are downloaded, they are decrypted and saved to the %AppData%\Spider folder.
The PowerShell script will then execute both enc.exe, which is the encrypter, and dec.exe, which is the decrypter and GUI, with the following commands:
"%AppData%\Roaming\Spider\enc.exe" spider ktn 100
"%AppData%\Roaming\Spider\dec.exe" spider
File Spider will now begin to encrypt the victim's computer.
Once the macros in the malicious document execute, the ransomware is downloaded and executed on the computer. This starts two processes, enc.exe and dec.exe. Dec.exe is the decryptor and GUI for the ransomware and quietly runs in the background until enc.exe, which is the encryptor, has finished encrypting the computer.
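The execution chain above (Word macro, encoded PowerShell, then enc.exe and dec.exe run from the Spider folder) leaves a recognisable trail in process-creation telemetry. The following is an added example, not code from the article: two detection rules run over constructed Sysmon-style records; the user name, Office path and Base64 blob are made up, while the enc.exe/dec.exe command lines are the ones the article documents.

```python
"""Detection logic for the File Spider execution chain described above.
Added example (not code from the article): two rules run over constructed
Sysmon-style process-creation records (Image, ParentImage, CommandLine)."""
import re

# Stage 1: an Office app spawning PowerShell with an encoded command (the macro).
OFFICE = re.compile(r"\\(winword|excel|powerpnt)\.exe$", re.I)
POWERSHELL = re.compile(r"\\powershell\.exe$", re.I)
ENC_FLAG = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)
# Stage 2: enc.exe / dec.exe run from the Spider AppData folder with the
# argument strings the article shows ("enc.exe" spider ktn 100, "dec.exe" spider).
SPIDER_BIN = re.compile(r"\\AppData\\Roaming\\Spider\\(enc|dec)\.exe$", re.I)
SPIDER_ARGS = re.compile(r'(enc\.exe"?\s+spider\s+\S+\s+\d+|dec\.exe"?\s+spider)\s*$', re.I)

def classify(ev):
    """Return the names of the rules a process-creation event matches."""
    hits = []
    if (OFFICE.search(ev["ParentImage"]) and POWERSHELL.search(ev["Image"])
            and ENC_FLAG.search(ev["CommandLine"])):
        hits.append("office_spawns_encoded_powershell")
    if SPIDER_BIN.search(ev["Image"]):
        hits.append("spider_appdata_binary")
        if SPIDER_ARGS.search(ev["CommandLine"]):
            hits.append("spider_cmdline")
    return hits

def scan(events):
    """Map each matching event's Image to its rule hits; benign events are dropped."""
    return {ev["Image"]: hits for ev in events if (hits := classify(ev))}

# Constructed sample events: user name and the base64 blob are made up, the
# enc.exe/dec.exe command lines are the ones documented in the article.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"Image": PS, "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -NoP -W Hidden -EncodedCommand QUFBQUFBQUFBQUFBQUFBQUFBQUFBQQ=="},
    {"Image": r"C:\Users\victim\AppData\Roaming\Spider\enc.exe", "ParentImage": PS,
     "CommandLine": r'"C:\Users\victim\AppData\Roaming\Spider\enc.exe" spider ktn 100'},
    {"Image": r"C:\Users\victim\AppData\Roaming\Spider\dec.exe", "ParentImage": PS,
     "CommandLine": r'"C:\Users\victim\AppData\Roaming\Spider\dec.exe" spider'},
    {"Image": r"C:\Windows\explorer.exe", "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": "explorer.exe"},
]

if __name__ == "__main__":
    for image, rules in scan(SAMPLE_EVENTS).items():
        print(image, "->", ", ".join(rules))
```

The first rule is generic to macro-based malspam; the second is specific to the paths and arguments this campaign used and will need updating if the binaries or arguments change.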
While enc.exe is running, it scans the local drives of the computer and encrypts any file whose extension matches the targeted list using AES-128 encryption. The file extensions that are targeted by File Spider are listed at the end of this article. This AES key is then encrypted using a bundled RSA key and saved
When encrypting, it will skip files located in the following folders:
tmp
Videos
winnt
Application Data
Spider
PrefLogs
Program Files (x86)
Program Files
ProgramData
Temp
Recycle
System Volume Information
Boot
Windows
When a file is encrypted, it will log the original file name to %UserProfile%\AppData\Roaming\Spider\files.txt and append the .spider extension to the encrypted file's name. For example, a file called test.jpg would be encrypted and then renamed to test.jpg.spider.
In each folder where a file is encrypted, the encryptor also creates a ransom note named HOW TO DECRYPT FILES.url, which when clicked opens a video tutorial at the URL https://vid.me/embedded/CGyDc?autoplay=1&stats=1.
The encryptor will also create a file on the desktop called DECRYPTER.url, which launches the dec.exe file.
Finally, the enc.exe program will create a file called %UserProfile%\AppData\Roaming\Spider\5p1d3r and exit. When the dec.exe program detects that this file is created, it will display the decrypter GUI as shown below.
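The artifacts described above (the .spider extension, the files.txt log of original names, the HOW TO DECRYPT FILES.url note and the 5p1d3r completion marker) are what an incident responder will inventory on an affected host. The following is an added example, not code from the article or the malware: it builds a constructed profile tree containing those artifacts and triages it; it assumes files.txt holds one full original path per line, which the article does not specify.

```python
"""Triage of the File Spider on-disk artifacts described above. Added example,
not code from the article or the malware: builds a constructed profile tree with
the listed artifacts and inventories it; files.txt assumed one full path per line."""
import configparser
import os
import tempfile

RANSOM_NOTE = "HOW TO DECRYPT FILES.url"
MARKER = "5p1d3r"
EXT = ".spider"

def triage(profile):
    """Inventory File Spider artifacts under a user profile directory."""
    spider_dir = os.path.join(profile, "AppData", "Roaming", "Spider")
    result = {"encrypted": [], "notes": {}, "logged": []}
    # enc.exe writes 5p1d3r when it finishes, so the marker means the run completed.
    result["marker"] = os.path.isfile(os.path.join(spider_dir, MARKER))
    log = os.path.join(spider_dir, "files.txt")  # original names of encrypted files
    if os.path.isfile(log):
        with open(log, encoding="utf-8", errors="replace") as fh:
            result["logged"] = [l.strip() for l in fh if l.strip()]
    for root, _dirs, files in os.walk(profile):
        for name in files:
            path = os.path.join(root, name)
            if name.endswith(EXT):
                result["encrypted"].append(path)
            elif name == RANSOM_NOTE:
                # The note is an Internet Shortcut (INI syntax); extract the URL it opens.
                cp = configparser.ConfigParser(interpolation=None)
                cp.read(path, encoding="utf-8")
                result["notes"][root] = cp.get("InternetShortcut", "URL", fallback=None)
    return result

def build_sample(base):
    """Constructed sample tree (not a real infection) for triage()."""
    docs = os.path.join(base, "Documents")
    spider = os.path.join(base, "AppData", "Roaming", "Spider")
    os.makedirs(docs); os.makedirs(spider)
    with open(os.path.join(docs, "test.jpg" + EXT), "wb") as fh:
        fh.write(b"\x00" * 16)  # stand-in ciphertext
    with open(os.path.join(docs, RANSOM_NOTE), "w") as fh:
        fh.write("[InternetShortcut]\nURL=https://vid.me/embedded/CGyDc?autoplay=1&stats=1\n")
    with open(os.path.join(spider, "files.txt"), "w") as fh:
        fh.write(os.path.join(docs, "test.jpg") + "\n")
    open(os.path.join(spider, MARKER), "w").close()
    return base

def demo():
    return triage(build_sample(tempfile.mkdtemp()))
```

Comparing the extracted note URL and the logged names against the .spider files found gives a quick scope of the damage and confirms whether the run completed before containment.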
This GUI contains multiple tabs that allow the victim to switch the language between English and Croatian, display the TOR payment site located at http://spiderwjzbmsmu7y.onion, show the victim's ID code that is needed to log in to the TOR site, run the decrypter, and open a help file. The GUI also contains a contact email of email@example.com.
When a user goes to the TOR site, they are prompted to log in using the victim ID found in the decryptor GUI. Once logged in, they are presented with a page that provides instructions on how to pay the ransom, which is currently 0.00726 bitcoins, or around $123.25, to get the files back.
The ransomware is currently being analyzed, but as the AES key is encrypted with a bundled RSA key, it is unlikely that the files can be decrypted for free.
I would also like to thank @GrujaRS, @malwrhunterteam, and @B_H101 for directing me to information on how this ransomware is currently being spread. For further reading, @sdkhere has performed an analysis of this ransomware as well.
In order to protect yourself from ransomware, it is important that you use good computing habits and security software. First and foremost, you should always have a reliable and tested backup of your data that can be restored in the case of an emergency, such as a ransomware attack.
You should also have security software that incorporates behavioral detections to combat ransomware and not just signature detections or heuristics.
Last, but not least, make sure you practice the following security habits, which in many cases are the most important steps of all:
As this particular variant targets open Remote Desktop services, it is important that you do not connect a remote desktop server directly to the Internet. Instead, you should require a user to VPN into your network first to be able to connect to the remote desktop server.
For a complete guide on ransomware protection, you can visit our How to Protect and Harden a Computer against Ransomware article.
dec.exe: 74e5096f09a031800216640a8455bc487e9a32b2e56fbad9d083c3810ed5488e
enc.exe: 6500a1baa13e0698e3ed41b4465e5824e9a316b22209223754f0ab04a6e1b853
%UserProfile%\AppData\Roaming\Spider\
%UserProfile%\AppData\Roaming\Spider\5p1d3r
%UserProfile%\AppData\Roaming\Spider\dec.exe
%UserProfile%\AppData\Roaming\Spider\enc.exe
%UserProfile%\AppData\Roaming\Spider\files.txt
%UserProfile%\AppData\Roaming\Spider\id.txt
%UserProfile%\AppData\Roaming\Spider\run.bat
%UserProfile%\Desktop\DECRYPTER.url
As you may have already noticed, all your important files are encrypted and you no longer have access to them. A unique key has been generated specifically for this PC and two very strong encryption algorithm was applied in that process. Original content of your files are wiped and overwritten with encrypted data so it cannot be recovered using any conventional data recovery tool. The good news is that there is still a chance to recover your files, you just need to have the right key. To obtain the key, visit our website from the menu above. You have to be fast, after 96 hours the key will be blocked and all your files will remain permanently encrypted since no one will be able to recover them without the key! Remember, do not try anything stupid, the program has several security measures to delete all your files and cause the damage to your PC. To avoid any misunderstanding, please read Help section.
lnk, url, contact, 1cd, dbf, dt, cf, cfu, mxl, epf, kdbx, erf, vrp, grs, geo, st, conf, pff, mft, efd, 3dm, 3ds, rib, ma, sldasm, sldprt, max, blend, lwo, lws, m3d, mb, obj, x, x3d, movie, byu, c4d, fbx, dgn, dwg, 4db, 4dl, 4mp, abs, accdb, accdc, accde, accdr, accdt, accdw, accft, adn, a3d, adp, aft, ahd, alf, ask, awdb, azz, bdb, bib, bnd, bok, btr, bak, backup, cdb, ckp, clkw, cma, crd, daconnections, dacpac, dad, dadiagrams, daf, daschema, db, db-shm, db-wal, db2, db3, dbc, dbk, dbs, dbt, dbv, dbx, dcb, dct, dcx, ddl, df1, dmo, dnc, dp1, dqy, dsk, dsn, dta, dtsx, dxl, eco, ecx, edb, emd, eql, fcd, fdb, fic, fid, fil, fm5, fmp, fmp12, fmpsl, fol, fp3, fp4, fp5, fp7, fpt, fzb, fzv, gdb, gwi, hdb, his, ib, idc, ihx, itdb, itw, jtx, kdb, lgc, maq, mdb, mdbhtml, mdf, mdn, mdt, mrg, mud, mwb, s3m, myd, ndf, ns2, ns3, ns4, nsf, nv2, nyf, oce, odb, oqy, ora, orx, owc, owg, oyx, p96, p97, pan, pdb, pdm, phm, pnz, pth, pwa, qpx, qry, qvd, rctd, rdb, rpd, rsd, sbf, sdb, sdf, spq, sqb, stp, sql, sqlite, sqlite3, sqlitedb, str, tcx, tdt, te, teacher, tmd, trm, udb, usr, v12, vdb, vpd, wdb, wmdb, xdb, xld, xlgc, zdb, zdc, cdr, cdr3, ppt, pptx, 1st, abw, act, aim, ans, apt, asc, ascii, ase, aty, awp, awt, aww, bad, bbs, bdp, bdr, bean, bna, boc, btd, bzabw, chart, chord, cnm, crwl, cyi, dca, dgs, diz, dne, doc, docm, docx, docxml, docz, dot, dotm, dotx, dsv, dvi, dx, eio, eit, email, emlx, epp, err, etf, etx, euc, fadein, faq, fb2, fbl, fcf, fdf, fdr, fds, fdt, fdx, fdxt, fes, fft, flr, fodt, fountain, gtp, frt, fwdn, fxc, gdoc, gio, gpn, gsd, gthr, gv, hbk, hht, hs, htc, hwp, hz, idx, iil, ipf, jarvis, jis, joe, jp1, jrtf, kes, klg, knt, kon, kwd, latex, lbt, lis, lit, lnt, lp2, lrc, lst, ltr, ltx, lue, luf, lwp, lxfml, lyt, lyx, man, map, mbox, md5txt, me, mell, min, mnt, msg, mwp, nfo, njx, notes, now, nwctxt, nzb, ocr, odm, odo, odt, ofl, oft, openbsd, ort, ott, p7s, pages, pfs, pfx, pjt, plantuml, prt, psw, pu, pvj, pvm, pwi, pwr, qdl, rad, readme, rft, ris, rng, rpt, 
rst, rt, rtd, rtf, rtx, run, rzk, rzn, saf, safetext, sam, scc, scm, scriv, scrivx, sct, scw, sdm, sdoc, sdw, sgm, sig, skcard, sla, slagz, sls, smf, sms, ssa, strings, stw, sty, sub, sxg, sxw, tab, tdf, tex, text, thp, tlb, tm, tmv, tmx, tpc, trelby, tvj, txt, u3d, u3i, unauth, unx, uof, uot, upd, utf8, unity, utxt, vct, vnt, vw, wbk, wcf, webdoc, wgz, wn, wp, wp4, wp5, wp6, wp7, wpa, wpd, wpl, wps, wpt, wpw, wri, wsc, wsd, wsh, wtx, xbdoc, xbplate, xdl, xlf, xps, xwp, xy3, xyp, xyw, ybk, yml, zabw, zw, 2bp, 036, 3fr, 0411, 73i, 8xi, 9png, abm, afx, agif, agp, aic, albm, apd, apm, apng, aps, apx, art, artwork, arw, asw, avatar, bay, blkrt, bm2, bmp, bmx, bmz, brk, brn, brt, bss, bti, c4, cal, cals, can, cd5, cdc, cdg, cimg, cin, cit, colz, cpc, cpd, cpg, cps, cpx, cr2, ct, dc2, dcr, dds, dgt, dib, dicom, djv, djvu, dm3, dmi, vue, dpx, wire, drz, dt2, dtw, dvl, ecw, eip, exr, fal, fax, fpos, fpx, g3, gcdp, gfb, gfie, ggr, gif, gih, gim, gmbck, gmspr, spr, scad, gpd, gro, grob, hdp, hdr, hpi, i3d, icn, icon, icpr, iiq, info, int, ipx, itc2, iwi, j, j2c, j2k, jas, jb2, jbig, jbig2, jbmp, jbr, jfif, jia, jng, jp2, jpe, jpeg, jpg, jpg2, jps, jpx, jtf, jwl, jxr, kdc, kdi, kdk, kic, kpg, lbm, ljp, mac, mbm, mef, mnr, mos, mpf, mpo, mrxs, myl, ncr, nct, nlm, nrw, oc3, oc4, oc5, oci, omf, oplc, af2, af3, ai, asy, cdmm, cdmt, cdmtz, cdmz, cdt, cgm, cmx, cnv, csy, cv5, cvg, cvi, cvs, cvx, cwt, cxf, dcs, ded, design, dhs, dpp, drw, dxb, dxf, egc, emf, ep, eps, epsf, fh10, fh11, fh3, fh4, fh5, fh6, fh7, fh8, fif, fig, fmv, ft10, ft11, ft7, ft8, ft9, ftn, fxg, gdraw, gem, glox, hpg, hpgl, hpl, idea, igt, igx, imd, vbox, vdi, ink, lmk, mgcb, mgmf, mgmt, mt9, mgmx, mgtx, mmat, mat, otg, ovp, ovr, pcs, pfd, pfv, pl, plt, pm, vrml, pmg, pobj, ps, psid, rdl, scv, sk1, sk2, slddrt, snagitstamps, snagstyles, ssk, stn, svf, svg, svgz, sxd, tlc, tne, ufr, vbr, vec, vml, vsd, vsdm, vsdx, vstm, stm, vstx, wmf, wpg, vsm, vault, xar, xmind, xmmap, yal, orf, ota, oti, ozb, ozj, ozt, pal, 
pano, pap, pbm, pc1, pc2, pc3, pcd, pcx, pdd, pdn, pe4, pef, pfi, pgf, pgm, pi1, pi2, pi3, pic, pict, pix, pjpeg, pjpg, png, pni, pnm, pntg, pop, pp4, pp5, ppm, prw, psd, psdx, pse, psp, pspbrush, ptg, ptx, pvr, px, pxr, pz3, pza, pzp, pzs, z3d, qmg, ras, rcu, rgb, rgf, ric, riff, rix, rle, rli, rpf, rri, rs, rsb, rsr, rw2, rwl, s2mv, sai, sci, sep, sfc, sfera, sfw, skm, sld, sob, spa, spe, sph, spj, spp, sr2, srw, ste, sumo, sva, save, ssfn, t2b, tb0, tbn, tfc, tg4, thm, thumb, tif, tiff, tjp, tm2, tn, tpi, ufo, uga, usertile-ms, vda, vff, vpe, vst, wb1, wbc, wbd, wbm, wbmp, wbz, wdp, webp, wpb, wpe, wvl, x3f, y, ysp, zif, cdr4, cdr6, cdrw, pdf, pbd, pbl, ddoc, css, pptm, raw, cpt, tga, xpm, ani, flc, fb3, fli, mng, smil, mobi, swf, html, xls, xlsx, csv, xlsm, ods, xhtm, 7z, m2, rb, rar, wmo, mcmeta, m4a, itm, vfs0, indd, sb, mpqge, fos, p7c, wmv, mcgame, db0, p7b, vdf, DayZProfile, p12, d3dbsp, ztmp, rofl, sc2save, sis, hkx, pem, dbfv, sie, sid, bar, crt, sum, ncf, upk, cer, wb2, ibank, menu, das, der, t13, layout, t12, dmp, litemod, dxg, qdf, blob, asset, xf, esm, forge, tax, 001, r3d, pst, pkpass, vtf, bsa, bc6, dazip, apk, bc7, fpk, re4, bkp, mlx, sav, raf, qic, kf, lbf, bkf, iwd, slm, xlk, sidn, vpk, bik, mrwref, xlsb, sidd, tor, epk, mddata, psk, rgss3a, itl, rim, pak, w3x, big, icxs, fsh, unity3d, hvpl, ntl, wotreplay, crw, hplg, arch00, xxx, hkdb, lvl, desc, mdbackup, snx, py, srf, odc, syncdb, cfr, m3u, gho, ff, odp, cas, vpp_pc, js, dng, lrf, c, cpp, cs, h, bat, ps1, php, asp, java, jar, class, aaf, aep, aepx, plb, prel, prproj, aet, ppj, indl, indt, indb, inx, idml, pmd, xqx, fla, as3, as, docb, xlt, xlm, xltx, xltm, xla, xlam, xll, xlw, pot, pps, potx, potm, ppam, ppsx, ppsm, sldx, sldm, aif, iff, m4u, mid, mpa, ra, 3gp, 3g2, asf, asx, vob, m3u8, mkv, dat, efx, vcf, xml, ses, zip, 7zip, mp4, 3gp, webm, wmv