Operators of the Cyclops ransomware-as-a-service are behind a new spam campaign that poses as Tripadvisor complaint emails but spreads an updated version of the ransomware, now known as Knight, BleepingComputer reports.
A Sophos researcher first shared the discovery of the ransomware campaign, which involved an email containing ZIP file attachments titled "TripAdvisorComplaint.zip," itself containing an application titled "TripAdvisor Complaint - Possible Suspension.exe."
A newer version of the campaign contains a similarly-named HTML attachment that launches a Browser-in-the-Browser phishing technique when executed and displays a fake TripAdvisor web page with a request for the user to review an alleged complaint. Clicking the button to read the complaint downloads an Excel XLL file with a .NET add-in that executes the malware.
It's possible for a Mark of the Web flag placed on the downloaded files to nullify the attack or for a prompt to appear enabling the user to keep the add-in disabled. If the add-in is enabled, the Knight Lite ransomware encryptor gets injected into a newly created explorer.exe process, encrypts the device's files, and inserts a ransom note.
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news