Proofpoint researchers have published findings on a campaign involving the Hakbit ransomware. As their blog post states, the ransomware is being spread via spear-phishing emails targeted at individuals in “mid-level positions across the pharmaceutical, legal, financial, business service, retail, and healthcare sector.” The attacks, described as low-volume, are specifically targeting employees of organizations located in Austria, Switzerland, and Germany.
When Proofpoint analyzed the Hakbit ransomware-loaded emails, they found a specific pattern in how the messages were structured. Using language tailored to the industry being targeted, the emails attempt to trick the target into downloading a macro-enabled Excel document entitled 379710.xlsm. The document in question, and the email’s instructions regarding it, are described as follows:
“Because the macros and malware won’t work on a mobile device, the message instructs the recipient to use a computer to read the attachment. Once opened, the spreadsheet directs the recipient in German and English to enable macros... Once macros are enabled in the spreadsheet, it downloads and executes GuLoader... When GuLoader runs, it downloads and executes Hakbit, a ransomware that encrypts files using AES-256 encryption.”
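The delivery vector above is a macro-enabled Excel attachment. As an added example that is not from the article or from Proofpoint's research, the following gateway-side triage check decides from the attachment's content, not its extension, whether an OOXML document carries a VBA project; the sample containers it builds are constructed in-memory stand-ins, not the real 379710.xlsm.

```python
import io
import zipfile

# OOXML Office documents (.xlsm, .docm, .xlsx, ...) are zip containers.
# A VBA project is stored as a part named vbaProject.bin, so its presence is a
# cheap, extension-independent signal that the attachment is macro-enabled.
VBA_PART_SUFFIX = "vbaproject.bin"


def has_vba_project(data: bytes) -> bool:
    """Return True if the OOXML container in `data` carries a VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith(VBA_PART_SUFFIX) for name in zf.namelist())
    except zipfile.BadZipFile:
        # Not a zip container at all (e.g. legacy .xls, or not an Office file).
        return False


def triage_attachment(data: bytes) -> str:
    """Classify an attachment for mail-gateway policy.

    Returns 'macro-enabled', 'ooxml-no-macro' or 'not-ooxml'. The verdict is
    based on content only; a renamed extension does not change it.
    """
    if has_vba_project(data):
        return "macro-enabled"
    return "ooxml-no-macro" if zipfile.is_zipfile(io.BytesIO(data)) else "not-ooxml"


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-like container for this demo (not a real workbook)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"\x00constructed placeholder\x00")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed attachments: a macro-enabled lure and a benign workbook.
    for name, blob in [("379710.xlsm", build_sample(True)), ("report.xlsx", build_sample(False))]:
        print(name, "->", triage_attachment(blob))
```

A gateway would typically quarantine or strip 'macro-enabled' attachments for recipients who have no business need for macros, regardless of the file name the sender chose.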
Once the system has been successfully infected by Hakbit, it shows a rather juvenile message stating “YOU ARE HACKED” and gives a link to a .txt document. This document, written in German and English, is the ransom note. It demands roughly the equivalent of 250 euros in bitcoin and gives instructions on how to regain access to the machine.
As of the writing of this article, Proofpoint researchers have not found evidence of anyone paying the ransom. This may very well change as ransomware attacks, especially those contained in spear-phishing campaigns, have proven to be effective.
It is worth noting that Proofpoint concludes their research post with the following observation:
“Proofpoint researchers recently identified a shift in the threat landscape with a large-scale Avaddon ransomware campaign consistent with recent open source vendor reporting. Hakbit exemplifies a people-centric ransomware campaign tailored to a specific audience, role, organization, and in the user’s native language.”
Whether this trend will persist remains to be seen. It would be wise, however, for security professionals to take note of the shift and plan accordingly.
Featured image: Pixabay