As numerous security research papers have pointed out, ransomware is a lucrative cybercriminal tactic. In 2017 alone, malware has caused upwards of $5 billion in damages, and that number is only expected to climb as long as ransomware proves effective. The unfortunate reality is that ransomware remains a very effective form of attack because of the social engineering behind it and the gullibility of its victims. The malicious software comes in numerous styles and targets many audiences, and reports now show that yet another ransomware variant has joined the mix. In a report by Netskope’s Amit Malik, the security researcher detailed a nasty form of ransomware targeting users in the Balkan region. Named Spider ransomware by researchers, the malware is launched from fake Microsoft Office documents sent as email attachments with the Bosnian subject line “potrazivanje dugovanja,” which means “debt collection.” The malicious documents launch Spider’s payload, which is also written in Bosnian. The main targets are clearly citizens of Bosnia and Herzegovina.
The payload is delivered by a hidden macro that silently launches PowerShell to download it. See the code below:
Netskope analyzed the infection process even further, stating:
After downloading the payloads, the PowerShell script decodes the Base64 string and performs an XOR operation with the key “AlberTI” to decode the final payloads, which are later saved into executable (.exe) files. The decoded payloads, named “dec.exe” and “enc.exe” and compiled in .NET, are copied to the “%APPDATA%/Spider” directory.
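The two-stage decoding Netskope describes (Base64, then XOR with “AlberTI”) is easy to reproduce for triage, so an analyst who captures the downloaded blob can recover the dropped executable offline and record its hash without running the PowerShell stage. The script below is an added example, not code from Netskope or the malware; it assumes repeating-key XOR, which the write-up does not spell out, and uses a constructed “MZ” stub as input rather than a real sample.

```python
import base64
import hashlib
from itertools import cycle

# Key named in the Netskope write-up; repeating-key XOR is an assumption here.
SPIDER_XOR_KEY = b"AlberTI"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR every byte of data with the key, repeating the key as needed."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decode_spider_payload(b64_text: str, key: bytes = SPIDER_XOR_KEY) -> bytes:
    """Reverse the encoding described for the downloader:
    Base64-decode first, then XOR the result with the key."""
    return xor_with_key(base64.b64decode(b64_text), key)


def looks_like_pe(blob: bytes) -> bool:
    """Sanity check: a correctly decoded .exe starts with the 'MZ' DOS header."""
    return blob[:2] == b"MZ"


def triage(b64_text: str) -> dict:
    """Decode a captured blob and return what an analyst would record about it."""
    payload = decode_spider_payload(b64_text)
    return {
        "is_pe": looks_like_pe(payload),
        "size": len(payload),
        "sha256": hashlib.sha256(payload).hexdigest(),
    }


# Constructed sample: a fake 'MZ' stub encoded the same way, NOT a real Spider sample.
FAKE_EXE = b"MZ\x90\x00" + b"constructed stand-in for dec.exe" + b"\x00" * 8
SAMPLE_B64 = base64.b64encode(xor_with_key(FAKE_EXE, SPIDER_XOR_KEY)).decode("ascii")

if __name__ == "__main__":
    print(triage(SAMPLE_B64))
```

If `is_pe` comes back false on a real capture, the blob was most likely XORed with a different key or the stages are in another order, so the assumption above should be revisited before trusting the hash.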
Soon all of the files on the machine become encrypted and users are met with the message below:
Users, should they decide to pay the ransom, are then given a walkthrough of how to decrypt their files as seen below:
To lower the risk of a Spider ransomware infection, Netskope first recommends disabling macros by default and exercising caution with any attachment (which is just common sense). Ultimately, macro-based ransomware is a long-standing issue that keeps resurfacing because it is still enormously effective. Ransomware like Spider will only go away when users are educated to practice a continuously defensive posture whenever they use a computer.
Photo credit: Wikimedia
7 thoughts on “Spider ransomware: The new malware harassing the Balkans”
Bosnian, Croatian, and Serbian are mutually understood and for most intents and purposes can be thought of as dialects of the same language. Think of it like British English vs American English vs Canadian English vs Australian English. In fact, in Bosnia, depending on one’s ethnicity, the speaker may call it Croatian or Serbian or Bosnian. So, your article title is more correct: the emails are targeting users in the Balkans (who speak similar, mutually understood languages). I doubt it is just limited to Bosnia and Herzegovina (BiH), but targeted also to users in Croatia, Serbia, Montenegro, and perhaps even Macedonia and Slovenia (all countries of the former Yugoslavia). If it has only appeared at present in BiH, then that should be noted, but all users in the Balkans should be aware.
I suppose I wrote “Bosnian” because at the time the dialect of that particular form of the Serbo-Croatian language was found, and at the time of writing this, only BiH residents were being targeted. It wasn’t my intention to offend, I am aware of how volatile this topic can be as seen in the following comments. Thank you for a level-headed response, I should’ve put “Bosnian dialect” but just said “Bosnian.”
There is no “Bosnian” language, it simply doesn’t exist, and this entire story around this issue seems to be politically colored to promote the name of this stupidity, the so-called Bosnian, let alone Herzegovinian, language! Take it as if you live in Pennsylvania, US, but there you don’t speak English but Pennsylvanian language because the authorities are promoting this type of stupidity. Or you live in Ontario, Canada and you speak Ontarian but not English. This all is endlessly ridiculous.
Long story short, on the territory of ex-Yugoslavia there are the Serbo-Croatian, Slovenian and Macedonian languages, widely used and recognizable, and all people can understand each other using the standard Serbo-Croatian language.
I meant to add “dialect” after Bosnian but left it out; at the time of reporting this, only residents of BiH were being targeted, so I left out other Balkan cultures while discussing this particular malware. There is no political agenda here, calm the hell down, mate.
Yes Derek, I absolutely agree with you, there is no political agenda here whatsoever, and again this entire situation doesn’t have anything to do with some ransomware or Spider’s payload etc., because as far as I see it here nobody is affected so far. In fact somebody here in the country called “Absurdistan” (BiH) came up with the idea to even misuse professional social media to promote their stupidity called the Bosnian language!
Long story short, no one here has been affected by this ransomware; this is all just pure fabrication and nothing else.
TTNT, with all due respect, what does this have to do with the article? Please keep your comments on topic, which is the issue of Spider Ransomware. I don’t believe this article is political and you shouldn’t see it as such or read between lines that are non-existent.
Tamar, again and again, here in Sarajevo, BiH (shithole called Absurdistan), nobody is affected by the Spider Ransomware, there is no such thing, it doesn’t exist! I simply don’t know who came up with the idea to spread such misleading information?
Again, this entire story doesn’t make any sense because there is no “Spider Ransomware” here in BiH. However, the only confusion that requires clarification is, who actually created the entire story? My answer is: those idiots who are trying to promote the stupidity called the Bosnian (non-existent) language, and I hope this explanation helps you to understand why I replied to this thread.
Best regards to you my dear.