Barracuda Advanced Technology Group monitoring aggressive ransomware threat

Print Friendly, PDF & Email

Barracuda customers are
fully protected from this attack.

Leave us a comment below
or ping us on Twitter @barracuda
if you have any questions.

This blog continues to be updated as more data becomes available.

Jump to section:

The Barracuda Advanced Technology Group is actively monitoring an aggressive ransomware threat that appears to come in the largest volume from Vietnam.  Other significant sources of this attack include India, Columbia, and Turkey and Greece.  Other countries appear to be distributing the same attack in very low volumes.  So far we have seen roughly 20 million of these attacks in the last 24 hours, and that number is growing rapidly.

These attacks are wrapped in either a ‘Herbalife' branded email or a generic email that impersonates a ‘copier' file delivery:

These attacks have been morphing throughout the day, but they all use fake source email addresses.  The earliest examples came from Vietnam and Greece.

A third variant has appeared in the last couple of hours, which uses the subject line “Emailing – <attachment name>.

All attachments in this attack are demonstrating ransomware specific behavior.  We are currently analyzing the sample to determine which variant is being used.  This blog will be updated when we have more information.


There have been approximately 6,000 fingerprints, which tells us that these attacks are being automatically generated using a template that randomizes parts of the files.  The names of payload files and the domains used for downloading secondary payloads have been changing in order to stay ahead anti-virus engines.

We will continue to monitor this threat and provide updates as they are available.

Barracuda email security customers and Advanced Threat Protection customers are protected from this attack.  All of the emails were blocked by Barracuda’s email filtering security appliances and SaaS products. We are able to monitor and analyze threat activity through our filters without being directly affected by attackers. None of Barracuda’s products were used as a weapon during this attack and the Barracuda network and Barracuda’s customers were not affected at any point.


Update  9/19/17 6:30pm PST:  

Barracuda researchers have confirmed that this attack is using a Locky variant with a single identifier.  The identifier allows the attacker to identify the victim so that when the victim pays the ransom, the attacker can send that victim the decryptor.  In this attack, all victims get the same identifier, which means that victims who pay the ransom will not get a decryptor because it will be impossible for the criminal to identify them.

This attack is also checking the victim computer language files, which may lead to an internationalized version of this attack in the future.

Barracuda systems have now blocked about 27 million of these emails, and the attack is continuing at the same pace as it has been throughout the campaign.

End of Update 1


Update 9/21/17 11:30am PST:  

Barracuda researchers are now observing two new wrappers in this attack.  The first impersonates a voicemail message, using the subject line “New voice message [phone number] in mailbox [phone number] from [“phone number”] [<alt phone number>].”   At this time the domain in the body of the email is not returning suspicious activity. The bulk of this attack originated in Serbia.

We are also seeing a wrapper that impersonates invoicing from Despite the spoofed domain, there's no increased targeting of UK domains.

We are still observing approximately 1 million of these attacks per hour, though we may see an uptick with the new wrappers.

We will continue to update this blog with new information as it becomes available.

End of Update 2


Update 9/22/2017 1:40pm PST:

There are new rotating wrappers for this attack, which are essentially an empty email with just a link. The subject line and the name of the attachment file vary for each of the variants. All three types (IMG, SCAN and JPEG) are seen with each example of the payload signature — that is the sending program is sending all 3 types of wrapper. This is the first time we've seen this. Previously, each example of the payload file had a unique wrapper template and subject line.




Our systems have now blocked approximately 70 million of these emails.

We will continue to update this post as more information becomes available.

End of Update 3


Indicators of Compromise:

6N01001755_1.7z (“Herbalife”)

  • MD5  —  1b38a94f7ea7ef17a88ace43bb1e8780
  • SHA1  —  213776b57d7c28e7152d8ce81298a6ff67cf9f10
  • SHA256  —  83a7891731aacbe25bb5f5e2ba0c8dabed379be8c6fbc25db78c0d771a20a432

10008009158.7z (“Emailing”)

  • MD5  —  8b9e81492275ba57a7283b4a48c61240
  • SHA1  —  167e625c11063c3fa5edb3d6755d79c7d9b88d69
  • SHA256  —  1b80b24b7195960a74cc10dbbc9685ae229443a80d11c7fe7a9c8fdd4e59840d

We will update this section as more data becomes available  

End of Indicators of Compromise


Eugene is the Lead Platform Architect working on deep-learning technology for Barracuda, and leader of the Barracuda Content Intelligence Team.  Connect with him on LinkedIn here

Scroll to top