Hakbit ransomware campaign targeting specific European countries

Proofpoint researchers have published findings on a campaign involving the Hakbit ransomware. As their blog post states, the ransomware is being spread via spear-phishing emails targeted at individuals in “mid-level positions across the pharmaceutical, legal, financial, business service, retail, and healthcare sector.” The attacks, described as low-volume, are specifically targeting employees of organizations located in Austria, Switzerland, and Germany.

When Proofpoint analyzed the Hakbit ransomware-laden emails, they found a specific pattern in how the messages were structured. Using language tailored to the industry being targeted, the emails attempt to trick the target into downloading a macro-enabled Excel file named 379710.xlsm. The document in question, and the email’s instructions regarding it, are described as follows:

“Because the macros and malware won’t work on a mobile device, the message instructs the recipient to use a computer to read the attachment. Once opened, the spreadsheet directs the recipient in German and English to enable macros... Once macros are enabled in the spreadsheet, it downloads and executes GuLoader... When GuLoader runs, it downloads and executes Hakbit, a ransomware that encrypts files using AES-256 encryption.”

Once the system has been successfully infected by Hakbit, it shows a rather juvenile message stating “YOU ARE HACKED” and gives a link to a .txt document. This document, written in German and English, is the ransom note. It demands roughly the equivalent of 250 euros in bitcoin and gives instructions on how to regain access to the machine.

As of the writing of this article, Proofpoint researchers have not found evidence of anyone paying the ransom. This may very well change, as ransomware attacks, especially those delivered through spear-phishing campaigns, have proven to be effective.

It is worth noting that Proofpoint concludes their research post with the following observation:

“Proofpoint researchers recently identified a shift in the threat landscape with a large-scale Avaddon ransomware campaign consistent with recent open source vendor reporting. Hakbit exemplifies a people-centric ransomware campaign tailored to a specific audience, role, organization, and in the user’s native language.”

Whether this trend will persist remains to be seen. It would be wise, however, for security professionals to take note of the shift and plan accordingly.

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.