File Spider ransomware hitting Balkan nations
File Spider ransomware hitting Balkan nations

A malspam campaign targeting several Balkan countries is distributing a new ransomware called File Spider that threatens to delete a victim's files if the ransom is not paid within 96 hours.

The emails are currently aimed at people in Bosnia and Herzegovina, Serbia, and Croatia and like their cousins around the world use a social engineering scheme that has a financial angle, in this case debt collection, to entice people to open the messages and the malignant attachment, according to Bleeping Computer founder Lawrence Abrams.

“If a user clicks on the Enable Editing, followed by the Enable Content buttons, the embedded macro will download the ransomware executables from a remote site and execute them,” Abrams wrote.

Once the macros are enabled, two process start up called enc.exe and dec.exe. The first is the encryptor that runs through the local drives and encrypts specific files using AES-128 bit encryption. The latter function contains the decryptor and the user interface that will tell the victim they have been hit with ransomware, Abrams said.

The attackers have kindly included the ability to switch between several languages so the victim can understand the ransom demands, and they also display a TOR payment site along with a contact email address. The victim does have to act quickly, as the attackers state the files will be permanently deleted if they are not paid within 96 hours.

Abrams noted that due to the advanced level of encryption, it is not possible to use a free decryptor to save the data and that only implementing smart cyber-security hygiene can protect a system.