Hackers Pose as British Postal Carrier to Deliver Prince Ransomware in Destructive Campaign
Summary:
A campaign observed in mid-September targeting organizations in the U.K. and the U.S. employed Prince Ransomware, a freely available variant advertised on GitHub “for educational purposes” by the developer “SecDbg”. The link to Prince Ransomware was made because the observed sample downloads the same PNG from Imgur and sets it as the desktop background, exactly as the configuration example in the GitHub repository does. The activity was low-volume and impacted a small number of organizations. The attackers impersonated the British postal carrier Royal Mail, sending emails with unique PDF attachments that also impersonated Royal Mail; the PDFs led to a ZIP file download hosted on Dropbox. That archive contained a second ZIP file, which in turn ran JavaScript that executed the Prince Ransomware binary. Royal Mail is impersonated so often that the company publishes a list of common scams abusing its brand. Unlike traditional ransomware attacks, this campaign was destructive: it had no decryption mechanism and no data exfiltration capability, so its only effect was on the integrity and availability of the victims' data. The attackers used both malicious emails and public contact forms on target organizations' websites to reach victims. Notably, the emails were sent from Proton Mail addresses, and the ransomware displayed a fake Windows update splash screen during encryption. Proofpoint is currently unable to attribute the activity to any known adversary because the ransomware is open source and available to anyone. The developer of Prince Ransomware has other unethical offerings: an information stealer called ThunderKitty is listed on GitHub, and “SecDbg” advertises a customized “paid version”.
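The delivery chain described above (a Proton Mail sender posing as Royal Mail, a Dropbox link to a ZIP, a second ZIP inside it, and a JavaScript file inside that) has a shape that mail-gateway or sandbox triage can flag before anything runs. The following is an added example, not code from Proofpoint, The Record or the Prince Ransomware repository. The message headers, body text and archive are constructed here to mirror the summary; the freemail domain list, the flagged extensions and the Dropbox link pattern are assumptions chosen for illustration, not indicators taken from the campaign.

```python
"""Triage helpers for the Royal Mail / Prince Ransomware lure chain.

Added example, not code from Proofpoint, The Record or the Prince
Ransomware repository. Every sample below (headers, body, archive) is
constructed to mirror the chain in the summary: a Proton Mail sender
posing as Royal Mail, a Dropbox link to a ZIP, a second ZIP inside it,
and a JavaScript file inside that.
"""
from __future__ import annotations

import io
import re
import zipfile
from email.utils import parseaddr

IMPERSONATED_BRAND = "royal mail"
# Assumption: Proton Mail's sending domains; extend with other freemail providers as needed.
FREEMAIL_DOMAINS = {"proton.me", "protonmail.com", "pm.me"}
# Assumption: extensions worth flagging inside an archive; .js is what this campaign used.
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".lnk")
# Assumption: file-hosting link pattern; the campaign hosted its ZIP on Dropbox.
FILE_HOST_RE = re.compile(r"https?://(?:www\.)?dropbox\.com/\S+", re.IGNORECASE)


def lure_findings(headers: dict[str, str], body: str) -> list[str]:
    """Flag a message whose display name or subject claims the brand while the
    sender is a freemail address, and a body that links to a file-hosting service."""
    findings: list[str] = []
    display_name, address = parseaddr(headers.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    claimed = f"{display_name} {headers.get('Subject', '')}".lower()
    if IMPERSONATED_BRAND in claimed and domain in FREEMAIL_DOMAINS:
        findings.append(f"brand impersonation: '{display_name}' sent from freemail domain {domain}")
    if FILE_HOST_RE.search(body):
        findings.append("body links to a file-hosting service")
    return findings


def script_paths_in_archive(data: bytes, prefix: str = "", depth: int = 0, max_depth: int = 3) -> list[str]:
    """Recursively list script-like members, descending into nested ZIPs.
    Encrypted or malformed inner archives are reported rather than silently
    skipped, since nesting is exactly how shallow scanners get defeated."""
    if depth > max_depth:
        return [f"{prefix}<nesting deeper than {max_depth}, not inspected>"]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"{prefix}<not a valid zip>"]
    hits: list[str] = []
    with zf:
        for info in zf.infolist():
            full = prefix + info.filename
            lower = info.filename.lower()
            if lower.endswith(SCRIPT_EXTS):
                hits.append(full)
            elif lower.endswith(".zip"):
                try:
                    inner = zf.read(info)
                except RuntimeError:  # zipfile raises RuntimeError for password-protected members
                    hits.append(f"{full}/<encrypted nested zip, not inspected>")
                    continue
                hits.extend(script_paths_in_archive(inner, full + "/", depth + 1, max_depth))
    return hits


def build_sample_archive() -> bytes:
    """Constructed stand-in for the Dropbox-hosted download: an outer ZIP holding a
    second ZIP, which holds the .js loader. The script body is a harmless placeholder."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Royal_Mail_Delivery_Notice.js", "// placeholder, not the real loader\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Royal_Mail_Parcel.zip", inner.getvalue())
        z.writestr("README.txt", "Open the attached notice to reschedule your delivery.\n")
    return outer.getvalue()


# Constructed sample message mirroring the lure described in the summary.
SAMPLE_HEADERS = {
    "From": '"Royal Mail Delivery" <parcel.notice@proton.me>',
    "Subject": "Royal Mail: your parcel could not be delivered",
}
SAMPLE_BODY = "Download your delivery notice: https://www.dropbox.com/s/example/Royal_Mail_Parcel.zip?dl=1"


def triage(headers: dict[str, str], body: str, archive: bytes) -> dict[str, list[str]]:
    """Combine the message checks and the archive walk into one result."""
    return {
        "message": lure_findings(headers, body),
        "archive": script_paths_in_archive(archive),
    }


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_HEADERS, SAMPLE_BODY, build_sample_archive()).items():
        print(kind, items)
```

The checks are deliberately about the shape of the lure rather than the payload: they fire on a brand claim from a freemail domain, a file-hosting link, and a script inside a nested archive, which is the part of this chain an attacker cannot easily change without rebuilding the social engineering. A password-protected inner ZIP is reported as uninspectable rather than ignored, because that is the case a defender most needs surfaced.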
Security Officer Comments:
This campaign highlights how attackers are leveraging publicly available tools and techniques to carry out ransomware attacks. The use of Prince Ransomware, a freely available variant, underscores the growing accessibility of customizable tooling to threat actors of varying skill levels. The attackers' use of public contact forms for social engineering shows their adaptability and willingness to explore alternative attack vectors: a contact form lets a criminal deliver a phishing lure without first having to identify a suitable contact email address. The lack of communication instructions, and the absence of any way to determine which victims had paid for decryption, indicate that the adversary never intended to decrypt the data it held hostage. The destructive nature of this campaign, with no decryption capability at all, suggests a potential shift in attacker motivations.
Suggested Corrections:
IOCs for this campaign are published in the Proofpoint report linked below.
Back up your data, system images, and configurations; test the backups regularly; and keep them offline: Ensure that backups are regularly tested and that they are not connected to the business network, since many ransomware variants try to find and encrypt or delete any backups they can reach. Current offline backups are critical because, if your data is encrypted by ransomware, they are what lets your organization restore systems. For a destructive campaign like this one, where no decryption is possible, restoring from backup is the only path to recovery.
Update and patch systems promptly: Keep operating systems, applications, and firmware up to date. Consider using a centralized patch management system, and use a risk-based assessment strategy to drive your patch management program.
Test your incident response plan: There's nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?
Check your security team's work: Use a third-party penetration tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.
Segment your networks: There's been a recent shift in ransomware attacks – from stealing data to disrupting operations. It's critically important that your corporate business functions and manufacturing/production operations are separated and that you carefully filter and limit internet access to operational networks, identify links between these networks, and develop workarounds or manual controls to ensure ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety-critical functions can be maintained during a cyber incident.
Train employees: Email remains the most common initial access vector for organizations, and this campaign also abused website contact forms, so the staff who handle those submissions need the same training as everyone else in spotting phishing lures. Users should be trained on how to recognize and avoid phishing emails. Multi-factor authentication can help prevent malicious access to sensitive services. Because this chain ran a JavaScript file unpacked from a nested ZIP, also consider changing the default handler for .js and .jse files to a text editor, or restricting Windows Script Host, so that a double-clicked script is opened rather than executed.
Link(s):
https://therecord.media/hackers-pose-as-british-postal-carrier-prince-ransomware
https://www.proofpoint.com/us/blog/...l-lures-deliver-open-source-prince-ransomware
https://github.com/SecDbg/Prince-Ransomware