This blog continues to be updated as more data becomes available.
Jump to section:
The Barracuda Advanced Technology Group is actively monitoring an aggressive ransomware threat that appears to come in the largest volume from Vietnam. Other significant sources of this attack include India, Columbia, and Turkey and Greece. Other countries appear to be distributing the same attack in very low volumes. So far we have seen roughly 20 million of these attacks in the last 24 hours, and that number is growing rapidly.
These attacks are wrapped in either a ‘Herbalife’ branded email or a generic email that impersonates a ‘copier’ file delivery:
A third variant has appeared in the last couple of hours, which uses the subject line “Emailing – <attachment name>.
We will continue to monitor this threat and provide updates as they are available.
Barracuda email security customers and Advanced Threat Protection customers are protected from this attack. All of the emails were blocked by Barracuda’s email filtering security appliances and SaaS products. We are able to monitor and analyze threat activity through our filters without being directly affected by attackers. None of Barracuda’s products were used as a weapon during this attack and the Barracuda network and Barracuda’s customers were not affected at any point.
Update 9/19/17 6:30pm PST:
Barracuda researchers have confirmed that this attack is using a Locky variant with a single identifier. The identifier allows the attacker to identify the victim so that when the victim pays the ransom, the attacker can send that victim the decryptor. In this attack, all victims get the same identifier, which means that victims who pay the ransom will not get a decryptor because it will be impossible for the criminal to identify them.
This attack is also checking the victim computer language files, which may lead to an internationalized version of this attack in the future.
Barracuda systems have now blocked about 27 million of these emails, and the attack is continuing at the same pace as it has been throughout the campaign.
End of Update 1
Update 9/21/17 11:30am PST:
Barracuda researchers are now observing two new wrappers in this attack. The first impersonates a voicemail message, using the subject line “New voice message [phone number] in mailbox [phone number] from [“phone number”] [<alt phone number>].” At this time the domain in the body of the email is not returning suspicious activity. The bulk of this attack originated in Serbia.
We will continue to update this blog with new information as it becomes available.
End of Update 2
Update 9/22/2017 1:40pm PST:
There are new rotating wrappers for this attack, which are essentially an empty email with just a link. The subject line and the name of the attachment file vary for each of the variants. All three types (IMG, SCAN and JPEG) are seen with each example of the payload signature — that is the sending program is sending all 3 types of wrapper. This is the first time we’ve seen this. Previously, each example of the payload file had a unique wrapper template and subject line.
Our systems have now blocked approximately 70 million of these emails.
We will continue to update this post as more information becomes available.
End of Update 3
Indicators of Compromise:
- MD5 — 1b38a94f7ea7ef17a88ace43bb1e8780
- SHA1 — 213776b57d7c28e7152d8ce81298a6ff67cf9f10
- SHA256 — 83a7891731aacbe25bb5f5e2ba0c8dabed379be8c6fbc25db78c0d771a20a432
- MD5 — 8b9e81492275ba57a7283b4a48c61240
- SHA1 — 167e625c11063c3fa5edb3d6755d79c7d9b88d69
- SHA256 — 1b80b24b7195960a74cc10dbbc9685ae229443a80d11c7fe7a9c8fdd4e59840d
We will update this section as more data becomes available
End of Indicators of Compromise
Eugene is the Lead Platform Architect working on deep-learning technology for Barracuda, and leader of the Barracuda Content Intelligence Team. Connect with him on LinkedIn here.