A new breed of ransomware scammer is coming onto the scene

We were recently doing security consulting for some clients when we caught a new breed of ransomware scammer coming onto the scene.
This breed mostly attacks small to medium companies that sell something.

After some research on the Dark Web, we came to the conclusion that this type of scam is growing bigger and bigger.
There are lots of forums where this new way of “making money” is discussed among the “skiddies”.

The attack scenario they use is the following:

First, the scammer needs to get hold of some ransomware source code, such as Hidden Tear, and modify the output text so that it contains his email address, which the victim will later use to contact him after the infection.

Then a company that sells something is contacted, with the scammer saying he wants to buy a product they offer. To look genuine, the fraudster also requests an invoice, claiming his bank needs it to process the payment for the goods.

A few days after receiving the invoice, he contacts the sales department employee, sending an email saying that the payment has been made and that the transfer confirmation is attached.
Most of the emails we caught in our honeypots use forged Microsoft Word documents with an embedded macro that delivers the ransomware, either as an exe file or as PowerShell.

The scammer is betting on the fact that most sales department employees have tons of un-backed-up data, much of it crucial: invoices, orders or payment confirmations. The second factor the fraudster counts on is that, once the infection is done, the sales department employee will urgently contact him by email. The scammer will tell him: “Your boss will be mad that the company files are encrypted. Why lose your job over X BTC?” At this point the ball is in the fraudster's court and he has an 80% chance of extorting money from the employee.

We encourage all Microsoft Word users to disable the automatic running of macros, to apply updates as soon as they become available, and not to run any macro that comes from an unverified source.
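As an added defender-side example, not code from the original post, here is a small Python triage routine for inbound mail attachments of the kind described above: it flags executable attachments outright and inspects Word attachments for an embedded VBA project (the `word/vbaProject.bin` part of an Office Open XML container). The sample documents it builds are constructed stand-ins, not real documents, and the file names and categories are assumptions for illustration.

```python
import io
import zipfile

# Office Open XML documents are zip containers; a VBA macro project is stored
# at this path inside Word files. Its presence is the signal we triage on.
VBA_PART = "word/vbaProject.bin"
WORD_EXTENSIONS = (".doc", ".docx", ".docm", ".dotm")
EXECUTABLE_EXTENSIONS = (".exe", ".ps1", ".js", ".vbs", ".scr")


def build_sample_docx(with_macro: bool) -> bytes:
    """Build a minimal OOXML-like zip for testing (constructed sample, not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a VBA project stream.
            zf.writestr(VBA_PART, b"\x00" * 16)
    return buf.getvalue()


def contains_vba_project(data: bytes) -> bool:
    """Return True if the bytes are a zip container that carries a VBA macro project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return VBA_PART in zf.namelist()
    except zipfile.BadZipFile:
        # Not a zip at all (e.g. legacy binary .doc or random bytes).
        return False


def triage_attachment(filename: str, data: bytes) -> str:
    """Classify an attachment as 'quarantine', 'review' or 'allow'."""
    name = filename.lower()
    if name.endswith(EXECUTABLE_EXTENSIONS):
        # A genuine "payment confirmation" never needs executable content.
        return "quarantine"
    if name.endswith(WORD_EXTENSIONS):
        if contains_vba_project(data):
            # Macro-enabled Word document, regardless of the extension it claims.
            return "quarantine"
        if name.endswith(".doc"):
            # Legacy binary format: zip inspection cannot see its macros, so a human looks.
            return "review"
        return "allow"
    return "allow"
```

Mail gateways usually already offer this kind of check; the point of the routine is to show which signal (the VBA part, not the file extension) a sound policy keys on.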

If you are a victim of ransomware, don't assume that paying will get your files back.

Be safe, be smart.