Blank Slate campaign counts on curious humans to spread ransomware

The “Blank Slate” campaign is using malicious spam (malspam) email to infect unsuspecting users with ransomware.

The operation derives its name from its attack emails’ lack of content. All they contain is an attached .zip file archive that the ransomware payload uses as a disguise. There is no message content, but curious individuals are still clicking and causing ransomware infections.

Blank Slate is known to drop one of several ransomware families onto a victim’s computer, and there are no available decryption keys for the vast majority of them. That’s why businesses and individuals should focus on the best ways to prevent a ransomware infection.

How Blank Slate works
A Blank Slate attack begins when a victim receives a malspam email that’s sent from a botnet of compromised machines located around the world. Each email uses a spoofed address that bears no relation to the botnet host. The attachments to these emails are not ordinary zip archives, however. Researchers with Palo Alto Networks’ Unit 42 team explain in a blog post:

“The malspam’s zip attachment is actually a double-zipped file, meaning it contains another zip archive which itself holds the malicious active content. We believe the attackers chose to use a double-zip tactic as a countermeasure against antispam/antimalware technologies. With an additional layer of user interaction, some intended victims may become frustrated or distracted, and this might lead to an increased failure/abandon rate. However, we believe the attackers decided this was less of a risk than detection by antispam/antimalware technologies.”

Unzipping the second archive reveals either a Microsoft Word document or a JavaScript file. When opened, the Microsoft Word document asks the recipient to enable macros. If the user complies, an embedded macro executes a malicious script written in Visual Basic for Applications (VBA), the programming language built into Microsoft Office. When the JavaScript file is opened, it runs malicious JavaScript code within Windows Script Host, a Microsoft technology that provides scripting services.

Unit 42 researchers have been tracking this campaign since January. In that span of time, they’ve identified more than 500 domains that act as download locations for the ransomware.

Blank Slate is currently known to primarily drop Cerber ransomware onto victims’ machines. Cerber has gone through several iterations since its discovery in early 2016. With this evolution has come several attack campaigns, including operations targeting businesses and Microsoft Office 365 users.

But Cerber isn’t the only ransomware distributed by Blank Slate. The malspam also pushes out Sage 2.0, ransomware that copies Cerber in some respects, and Locky ransomware, which gained notoriety in 2016 as one of the top three worst malware families.

How to protect your business
To avoid an infection, small and midsize businesses need to focus on ransomware prevention. For example, train employees to delete any email that comes with an attachment and no message content. Businesses should also train employees to avoid clicking on unexpected email attachments sent to them from random or unknown addresses. It’s also important to disable Microsoft Office macros by default on all machines.
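The three traits the article describes (an email with no body text, a zip that holds another zip, and a Windows Script Host file or macro-enabled Office document inside the inner archive) can be checked mechanically at a mail gateway or in a triage script. The following is an added example, not code from Unit 42 or from the article; the filenames, the placeholder script contents and the fake macro document are constructed for the demonstration, and `inspect_message`, `inspect_zip` and the helper names are this example's own. It parses a raw message, flags an attachment with no body, walks nested zips to a depth cap, and reports scripts and Office files carrying a VBA project (OOXML files are zips, and macros appear as a `vbaProject.bin` member).

```python
"""Constructed example: flag Blank Slate-style mail (empty body, double-zipped
attachment, active content inside). Sample data below is made up, not a real
campaign artifact."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# File types Windows runs on double-click: WSH scripts and Office formats.
SCRIPT_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}
OOXML_EXT = {".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".pptx", ".pptm"}
LEGACY_OFFICE_EXT = {".doc", ".dot", ".xls", ".ppt"}
MAX_DEPTH = 4  # stop unpacking archives nested deeper than this


def _ext(name):
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def _ooxml_has_macros(data):
    """OOXML documents are zips; a VBA project is stored as vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as doc:
            return any(n.lower().endswith("vbaproject.bin") for n in doc.namelist())
    except zipfile.BadZipFile:
        return False


def inspect_zip(data, depth=0, prefix=""):
    """Recursively walk a zip held in memory; return (path, finding) tuples."""
    if depth > MAX_DEPTH:
        return [(prefix, "archive nested deeper than %d levels" % MAX_DEPTH)]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(prefix, "not a valid zip archive")]
    findings = []
    with zf:
        for info in zf.infolist():
            path = "%s/%s" % (prefix, info.filename) if prefix else info.filename
            ext = _ext(info.filename)
            if ext == ".zip":
                findings.append((path, "nested zip at depth %d" % (depth + 1)))
                findings.extend(inspect_zip(zf.read(info), depth + 1, path))
            elif ext in SCRIPT_EXT:
                findings.append((path, "Windows Script Host file (%s)" % ext))
            elif ext in OOXML_EXT and _ooxml_has_macros(zf.read(info)):
                findings.append((path, "Office document with VBA project"))
            elif ext in LEGACY_OFFICE_EXT:
                findings.append((path, "legacy Office binary (may carry VBA macros)"))
    return findings


def inspect_message(raw):
    """Parse a raw RFC 822 message; flag empty body plus attachment, inspect zips."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().strip() if body is not None else ""
    attachments = list(msg.iter_attachments())
    if attachments and not text:
        findings.append(("<message>", "attachment with no message body"))
    for part in attachments:
        name = part.get_filename() or "<unnamed>"
        if _ext(name) == ".zip":
            findings.extend(inspect_zip(part.get_payload(decode=True), 0, name))
    return findings


def is_blank_slate_like(findings):
    """True when all three traits co-occur: no body, nested zip, active content."""
    kinds = [kind for _, kind in findings]
    return (any(k.startswith("attachment with no") for k in kinds)
            and any(k.startswith("nested zip") for k in kinds)
            and any(k.startswith(("Windows Script", "Office document", "legacy Office"))
                    for k in kinds))


# ---- constructed sample data (hypothetical names, not real campaign files) ----
def build_double_zip(inner_name, inner_bytes, inner_zip_name="12345.zip"):
    """Zip containing a zip containing one file, the layout the article describes."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(inner_name, inner_bytes)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(inner_zip_name, inner.getvalue())
    return outer.getvalue()


def build_fake_docm():
    """Minimal OOXML-shaped zip whose only purpose is to carry a vbaProject.bin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/vbaProject.bin", b"\x00placeholder\x00")
    return buf.getvalue()


def build_blank_message(attachment_bytes, filename):
    """Message with headers and a zip attachment but no text part at all."""
    msg = EmailMessage()
    msg["From"] = "spoofed@example.invalid"  # placeholder, like the spoofed senders described
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "12345"
    msg.add_attachment(attachment_bytes, maintype="application", subtype="zip",
                       filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_blank_message(
        build_double_zip("12345.js", b"// constructed placeholder script\n"), "12345.zip")
    results = inspect_message(sample)
    for path, finding in results:
        print(path, "->", finding)
    print("blank-slate-like:", is_blank_slate_like(results))
```

The depth cap matters in practice: an archive nested past `MAX_DEPTH` is reported rather than unpacked, so a crafted attachment cannot make the scanner recurse without bound. A benign `.docx` without a `vbaProject.bin` member produces no finding, so the check keys on the presence of macros rather than on the Office extension alone.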

For more news and information on the battle against ransomware, visit the FightRansomware.com homepage today.
