A Lannister always pays his debts. And you, too, may have to pay up if you become infected with Locky ransomware, delivered in an email distribution campaign that uses Game of Thrones references in its scripting variables.
In a company blog post on Friday, PhishMe intelligence analyst Victor Cornell describes recently discovered Locky threat campaign, noting that the Visual Basic script delivered by the phishing email operation pays homage to the hit HBO fantasy drama, based on George R. R. Martin’s series of novels A Song of Ice and Fire.
“Lightweight script applications designed to deliver malware often use rotating or pseudorandom variable names to ensure that the malware delivery tools look unique. In this case, many of the variables (some misspelled) referred to characters and events from GoT,” Cornell writes.
References spotted among the variables include “Throne,” “Jon Snow,” “SansaStark,” “Aria,” “RobertBaration” (a misspelling of Robert Baratheon), and “HoldtheDoor.”
“Phishing attacks are distinctive on the global threat landscape as an attack methodology that seeks to exploit the proclivities and behaviors of the people within an organization. It is only fitting that phishing threat actors would reveal their own tendencies and preferences as humans too,” Cornell continues. “Humanizing the attacker serves as an important portion of assessing… the risk and intent of that attacker during the response process.”
No word yet if victims have to pay the ransom in Gold Dragon Coins instead of bitcoin.