Over the last two weeks, the Kelihos spam botnet has been busy spreading the latest version of the Shade ransomware (also known as Troldesh), which now appends the ".no_more_ransom" extension at the end of each encrypted file.
Their gesture is a sign of irony, as the NoMoreRansom project has released a free decrypter over the summer that can help victims unlock files encrypted by this threat.
This most recent campaign used the Kelihos botnet to send the spam messages that spread this threat. For this particular campaign, according to Arsh Arora, a malware analyst and Ph.D. researcher at the University of Alabama at Birmingham, crooks used emails that contained a malicious downlaod link.
Researchers noted that this was the first time they've seen Shade use JS files to infect victims. Most of this spam disguised as credit and banking-related emails.
The ransomware used a Gmail address for getting in contact with the crooks, but also a website on the Dark Web for handling ransom payments. At the time of writing, the website was down.
In some infections, Arora says that Shade also installed the Pony malware, an infostealer that can find, extract, and exfiltrate data such as browser passwords, system details, and browsing history.
This is not the first time when Shade downloaded an additional malware. In August, the ransomware was downloading the Teamspy remote access trojan (RAT).
Crooks used the RAT to detect if they infected a valuable target and stole valuable data from the local PC or the company's network.
Besides the Shade ransomware spam, Arora says the Kelihos botnet was also seen delivering dating spam to Polish users and money mule spam to US users. The money mule spam was a cleverly designed message that tried to trick US users into relaying mysterious packages sent from China, most likely part of a criminal operation.
The Kelihos botnet, also known as Waledac, has become one of the primary sources for ransomware spam in the last few months.
The botnet was most recently used to deliver ransomware families such as Wildfire, Hades Locker, CryptFIle2 (or CryptMix) and MarsJoke (or JokeFromMars). The botnet also spammed banking trojans such as Panda Zeus, Nymain and Kronos.
Kelihos became a threat to be reckoned with in August when it tripled its size in just 24 hours.