
Doubling Down: Locky and FakeGlobe ransomware pushed in dual spam campaigns

Cybercriminals kicked off a spam campaign earlier this month capable of delivering either Locky or FakeGlobe ransomware, creating a situation where a single person could be victimized twice in the same attack.

The cyberattack featured a rarely used trick that has the malicious actors rotating which ransomware is delivered with the initial spam email, Trend Micro reported. The danger here is a victim could end up being hit with both varieties by making a single mistake.

"The campaign is designed in such a way that a victim clicking on a malicious link from the spam email might deliver Locky one hour, and then FakeGlobe the next. This increases the likelihood of secondary infections due to the rotation," Ed Cabrera, Trend Micro's chief cybersecurity officer, told SC Media.

This could result in the victims having to pay twice or, worse, lose their data permanently, Trend Micro researchers Julie Cabuhat, Michael Casayuran and Anthony Melgarejo wrote.

The attacks kicked off on September 4 and hit 70 countries, but Japan, the United States and China were the primary victims, receiving almost half of the spam emails.

“The cybercriminals behind the campaign designed it so that clicking on a link from the spam email might deliver Locky one hour, and then FakeGlobe the next. This makes re-infection a distinct possibility, as victims infected with one ransomware are still vulnerable to the next one in the rotation,” the researchers wrote.

In all cases the spam came with an embedded link and an attached document, both posing as a payment invoice. The link and the malicious document each led to a different URL for their download. The scripts associated with the URL or the document download two different binaries: one fetches the Locky variant that appends the .lukitus extension, the other FakeGlobe. FakeGlobe, also known as Globe Imposter, first appeared in June 2017 and also used fake invoices as its social engineering component.

Trend Micro tracked the attacks and found most came from India, Iran and Vietnam, but few other details about the culprits can be determined.

"Hard to tell at this point the strategy and ultimate capability of the actors involved, however we do know they are evolving their tactics daily and RaaS providers are equally growing in numbers. One can speculate that by delivering multiple ransomware families during a single campaign could increase the impact of an attack and affect incident response. Thereby increasing their chances of a payoff," Cabrera said.
