The latest (likely very successful) ransomware delivery campaign takes the form of spear-phishing emails targeting specific individuals and, for added credibility, includes their real-world home addresses and names.
It’s such a brilliant idea that I wonder how cyber crooks haven’t thought of it earlier. But maybe they were only waiting for the right malware to deliver – in this case, the Maktub Locker.
Maktub Locker is a type of ransomware that encrypts (and compresses) files fast and does not need to download an encryption key from the CnC server, meaning the data can be encrypted even while the machine is offline.
Other than that, there is nothing highly remarkable about it, except perhaps for the unexpectedly well-designed website to which the victims are redirected in order to discover how they can pay the ransom – and how the ransom amount rises every three days they fail to make the payment.
“Members of the BBC Radio 4’s You and Yours team were among those who received the scam emails, claiming they owed hundreds of pounds to UK firms,” the BBC reported on Wednesday.
ZDNet’s Zack Whittaker has also received one, containing an address at which he lived eight years ago.
“The well-worded email appears to come from a legitimate email address and domain name, and raises very few irregularities. The email comes with a demand for money for an arbitrary service, along with a link that purports to be an ‘overdue invoice,’” he pointed out.
The link points to a file that looks like a Word document, but it’s actually a variant of the Maktub Locker.
In his case, the email apparently came from a UK-based company that, when contacted, said it had received over 150 calls from people complaining about the email and saying that they don’t owe the company any money. Other companies and even charities have also been impersonated in this campaign.
It is still unclear how the scammers got hold of the addresses. It seems likely that they have managed to get their hands on a database.
Judging by Whittaker’s experience, the information in the database is quite old, but there are surely many individuals in it that haven’t changed their home addresses since then.
More than likely, the information was pilfered from some website ages ago, and has been sold and resold on underground cybercrime forums for a while.
The spear-phishing campaign is quite widespread, and seems to target mostly UK residents (or people who were UK residents at the time the data was collected).
Dr Steven Murdoch, principal research fellow at the department of computer science at University College London, told the BBC that the campaign bore the hallmark of previous phishing attempts from gangs in Eastern Europe and Russia.
Maktub checks whether the targeted system belongs to a Russian user by fetching the list of installed keyboard locales, and if a Russian layout is present, it exits without encrypting any files.
The success of this campaign could be considerable. Not only does the email address the recipient by name and include his or her home address, but it is also written in good English. Finally, it attempts to create a sense of urgency, which will make many recipients forget they are not supposed to follow a link offered in an unsolicited email.
According to the news outlet, the UK’s national fraud and cybercrime reporting centre has been flooded with queries and complaints from people targeted by the scammers.