Recently, researchers at PhishMe made public some evidence about the new Sage ransomware. According to them, Sage ransomware is being distributed through the same distribution infrastructure as the Locky ransomware family. This indicates that cybercriminals are leveraging new crypto-malware variants while continuing to rely on proven standby kits such as the infamous Locky. Sharing delivery infrastructure keeps effectiveness the same while minimizing cost.
The cybercriminals behind the Locky variants have been working on securing new distribution channels since Sage ransomware made a notable appearance in the early days of 2017. The first Sage delivery emails used a sexually explicit lure to get potential victims to double-click an attachment named “sindy_hot_2016_sex_party_in_the_club.zip”. This archive contained an EXE of the same name and led to the malware infection, a lure carried over from 2016.
Sage ransomware used the Tor address 7gie6ffnkrjykggd[.]onion, and two Tor2Web proxy hosts, er29sl[.]com and rzunt3u2[.]com, were used in this campaign to collect ransom payments by redirecting victims to the payment site. The C&C server for this campaign of Sage ransomware was at the Tor address mbfce24rgn65bx3g[.]onion and was likewise reached using rzunt3u2[.]com and er29sl[.]com as gateways.
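The indicators above are the kind a defender would want to match against proxy or DNS logs. The following is an added example, not code from PhishMe or from the original write-up: it scans constructed sample proxy log lines for the two Tor2Web gateway domains and for the two onion names named in the text. It assumes the common Tor2Web convention that an onion site is exposed as `<onion-name>.<gateway-domain>`, and it matches on the parsed hostname rather than on the raw line so that a benign URL path that merely contains a gateway string does not trigger a false positive.

```python
import re

# Indicators taken from the campaign description above (written de-fanged there as [.]).
TOR2WEB_GATEWAYS = {"er29sl.com", "rzunt3u2.com"}
# Onion names from the text: payment site and C&C server respectively.
ONION_HOSTS = {"7gie6ffnkrjykggd", "mbfce24rgn65bx3g"}

# Constructed sample proxy log: "<timestamp> <client> <method> <url> <status>". Not real traffic.
SAMPLE_LOG = """\
2017-01-18T09:14:02Z 10.1.4.22 GET http://7gie6ffnkrjykggd.er29sl.com/ 200
2017-01-18T09:14:05Z 10.1.4.22 GET http://www.example.com/index.html 200
2017-01-18T09:15:11Z 10.1.7.9 POST http://mbfce24rgn65bx3g.rzunt3u2.com/ 200
2017-01-18T09:16:40Z 10.1.4.22 GET http://er29sl.com/ 302
2017-01-18T09:17:03Z 10.1.9.3 GET http://example.org/er29sl.com.html 200
"""

# Extract the hostname from the URL field (stops at path, port or whitespace).
HOST_RE = re.compile(r"https?://([^/\s:]+)")


def classify_host(host):
    """Return the reasons a hostname matches the campaign indicators ([] if none).

    Assumption (Tor2Web convention): <onion-name>.<gateway-domain> reaches the onion
    site through the gateway, so the label just before the gateway is the onion name.
    """
    host = host.lower().rstrip(".")
    reasons = []
    for gw in TOR2WEB_GATEWAYS:
        if host == gw:
            reasons.append(f"tor2web gateway {gw}")
        elif host.endswith("." + gw):
            onion = host[: -len(gw) - 1].split(".")[-1]
            if onion in ONION_HOSTS:
                reasons.append(f"known onion {onion} via gateway {gw}")
            else:
                # Still worth alerting: any use of these gateways is suspicious in this campaign.
                reasons.append(f"unknown onion {onion} via gateway {gw}")
    return reasons


def scan_log(text):
    """Return one hit per log line whose request hostname matches an indicator."""
    hits = []
    for line in text.splitlines():
        m = HOST_RE.search(line)
        if not m:
            continue
        host = m.group(1).lower()
        reasons = classify_host(host)
        if reasons:
            fields = line.split()
            hits.append({"time": fields[0], "client": fields[1], "host": host, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Running it on the constructed log yields three hits (the two onion-via-gateway requests and the bare gateway request); the last line, whose path merely contains "er29sl.com", is correctly ignored because its hostname is example.org.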
Following the early deliveries, the attackers apparently planned to move toward the mainstream. They began sending phishing emails with random numbers as the subject line and a business-related theme in the body rather than explicit or racy narratives. The body explained that a financial transaction had been rejected and claimed that specific information about the failure could be found in the attached document. In fact, this document is a macro-enabled file: when a user opens it, a script is activated and immediately connects the computer to a remote server. A screenshot of such a phishing email is given below.