Welcome to our

Cyber Security News Aggregator

.

Cyber Tzar

provide a

cyber security risk management

platform; including automated penetration tests and risk assesments culminating in a "cyber risk score" out of 1,000, just like a credit score.

Ransomware files discovered in fake TripAdvisor emails

published on 2023-09-04 11:58:44 UTC by philviles
Content:

Researchers have discovered suspicious complaint emails purporting to be from TripAdvsor containing malicious excel files designed to steal and encrypt users’ data.

Cyclops ransomware gang designed a Go-based information stealer to capture sensitive information from victims, including files with .JPG, .JPEG, .PDF, .TXT and .DOC extensions. The ransomware is also capable of disabling any processes which may interfere with its encryption activities.

In July, Cyclops rebranded as Knight, and improved its “lite encryptor” service. They also launched a new data leak site, though there are no victims or stolen files listed on there yet.

In an interesting move, a Sophos researcher has noticed that emails appearing to be TripAdvisor complaints contain the Knight ransomware inside downloadable files. The emails contain a .ZIP file attachment including a virus-laden html attachment.

The html file uses a Browser-in-the Middle phishing technique to open what appears to be a legitimate TripAdvisor browser window containing the complaint. The window requires the user to click on a button labelled “Read Complaint”. However, instead of taking the user to the complaint, the button downloads an Excel XLL file containing the malware which executes on the device once opened.

Microsoft Excel can detect Mark-of-the-Web (MotW) flags within excel files (a layer of protection of files confirming they originate where they claim to be from) and block them from automatically opening.

However, if the MotW cannot be detected, Excel prompts the user to either enable the add-ins or keep them disabled.

If the user chooses to enable the add-ins, the malicious file will execute and begin encrypting files on the device. Once encrypted, the files are given the extension .knight_l.

Additionally of interest in the tactics employed in this campaign is the ransom request. Among the encrypted files is a .txt file explaining how victims can restore their files by sending £5,000 to a bitcoin address.

However, all the examples of the ransom notes contain the same bitcoin address making it impossible for the threat actor to know who has paid the ransom.

This strengthens the advice from cyber security professionals and the police to not pay a ransom in return for decryption, as it is unlikely they have any intentions of releasing the encrypted files.

Also, with no proof of payment, others can claim your payment as theirs, again suggesting there will be no decryption for your files

To learn more about malicious emails and texts, and to get your staff up-to-speed with the latest threats to your business, talk to us about Security Awareness Training. Your staff can be the first barriers against a cyber attack.


Reporting

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).


Article: Ransomware files discovered in fake TripAdvisor emails - published about 1 year ago.

https://www.emcrc.co.uk/post/ransomware-files-discovered-in-fake-tripadvisor-emails   
Published: 2023 09 04 11:58:44
Received: 2023 09 04 12:06:45
Feed: The Cyber Resilience Centre for the East Midlands
Source: National Cyber Resilience Centre Group
Category: News
Topic: Cyber Security
Views: 1

Custom HTML Block

Click to Open Code Editor