panaever.blogg.se

Panda ransomware decrypt crypto locker










Messages came through in smaller numbers for healthcare, telecommunications, insurance, and several other verticals.

Figure 2: Vertical targeting by indexed message volume

This campaign is primarily aimed at state and local government agencies, followed by K-12 educational institutions. Subjects included:

Figure 1: Email using a convincing lure and fraudulent branding to deliver the malicious ransomware URLs

The messages in this campaign used a convincing email body and had a variety of Subject lines referencing a major national air carrier, adding an air of legitimacy to the lures with stolen branding. This is a departure from the much more frequent attached document campaigns we have observed recently with a range of malware, including the widely distributed Locky ransomware. Emails contained URLs linking to an executable file named "file_6.exe" hosted on various sites with recently registered domains, apparently for the purpose of supporting this campaign. On September 22, Proofpoint detected a large MarsJoke ransomware email campaign.

Gary Warner's blog also reported on this and similar campaigns, indicating that a well-known botnet, Kelihos, is responsible for distributing this spam. The targeting of state and local government agencies as well as the distribution methods are very similar to a CryptFile2 campaign we described in August. This ongoing campaign appears to target primarily state and local government agencies and educational institutions in the United States.

However, beginning on September 22, 2016, we detected the first large-scale email campaign distributing MarsJoke.


Proofpoint researchers originally spotted the MarsJoke ransomware in late August by trawling through our repository of unknown malware.


We recently noted the non-linear growth of ransomware variants and now a new type has emerged, dubbed MarsJoke. Ransomware in its various forms continues to make headlines as much for high-profile network disruptions as for the ubiquity of attacks among consumers.











