A Newly discovered Spider Ransomware widely spreading around the world which delivery through decoy Office documents that usually spreading via the malspam campaign.
This Spider Ransomware using Email is a medium to spreading across to the victims machine and an email attachment contains bogus office document which actually comes with VB Script agent.
In this case, Spider Ransomware spreading via the Bosnian language which indicates that initial level of threat actor infection started from Bosnia and Herzegovina regions.
This was detected as “VB:Trojan.VBA.Agent.QP” and it will later download a payload Trojan.GenericKD.12668779” and “Trojan.GenericKD.6290916”.
How Does this Spider Ransomware Works
Initially, Victims will be received an email that contains attacked document of malicious VB Script agent which claimed as bills or invoice related legitimate document.
Malicious decoy Office document contains an obfuscated macro code and it’s using Powershell code to download an original Spider Ransomware paylaod.
To performing a decode operator, it uses XOR operation with the key ‘AlberTI’ to decode the final level of payload.
Once it is decoded then it saved as a .exe file and copied into APPDATA% /Spider’ directory with the name of ‘dec.exe’ and ‘enc.exe’.
These 2 files are using performing different operations, enc.exe performs as a Spider Ransomeware decrypter and dec.exe performing to displays the user interface for warning message and to decrypt the files using a decryption key.
“Also Spider ransomware also copies two text files ‘files.txt’ and ‘id.txt’ respectively inside the ‘%APPDATA% /Spider’ directory”
According to netskope, PowerShell launches the ransomware decryptor, dec.exe with ‘spider’ argument and enc.exe file with ‘spider ktn 100’ arguments. Spider ransomware decryptor monitors the system processes and prevents opening of windows utility tools like taskmgr, procexp, msconfig, regedit, cmd, outlook, winword, excel, and msaccess
Later, The payload enc.exe helps to encrypt the user’s files and adds the ‘.spider’ extension and also maintain the list of files in files.txt that has been encrypted by this Spider Ransomware.
Once it has successfully performed its operation, a warning message will be displayed that contains the complete information to the victims and so it contains an information about the decryption procedure.
Also, a Warning message contains an information about the decryption procedure for the victims.
Source : GBHackers