A new ransomware called File Spider is being distributed through spam. The spam messages carry malicious Word documents that download and install the File Spider ransomware on the victim's computer.
File Spider is a file-encrypting Trojan whose payment site is hosted at spiderwjzbmsmu7y[.]onion on the Tor network. It is a typical crypto-ransomware that encrypts files with AES and RSA, targeting photos, videos, music, personal documents and eBook collections. The spam poses as purchase notifications, and the attached document runs a PowerShell script that fetches and launches the ransomware. In the folders that contain encrypted data, the threat drops a ransom note named HOW TO DECRYPT FILES.html.
File Spider Ransomware is being actively detected by eScan.
IOC
File Name: enc.exe
Hash (SHA-256): 6500a1baa13e0698e3ed41b4465e5824e9a316b22209223754f0ab04a6e1b853
Detection: Trojan.GenericKD.12668779
File Name: dec.exe
Hash (SHA-256): 74e5096f09a031800216640a8455bc487e9a32b2e56fbad9d083c3810ed5488e
Detection: Trojan.GenericKD.6290916
Filenames associated
%UserProfile%\AppData\Roaming\Spider\
%UserProfile%\AppData\Roaming\Spider\5p1d3r
%UserProfile%\AppData\Roaming\Spider\dec.exe
%UserProfile%\AppData\Roaming\Spider\enc.exe
%UserProfile%\AppData\Roaming\Spider\files.txt
%UserProfile%\AppData\Roaming\Spider\id.txt
%UserProfile%\AppData\Roaming\Spider\run.bat
%UserProfile%\Desktop\DECRYPTER.url
Network connections
https://spiderwjzbmsmu7y.onion
https://vid.me/embedded/CGyDc?autoplay=1&stats=1
https://yourjavascript.com/5118631477/javascript-dec-2-25-2.js
https://yourjavascript.com/53103201277/javascript-enc-1-0-9.js
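The indicators above can be swept for on a suspect host without any vendor tooling. The script below is an added example, not eScan's code and not part of the original advisory. It assumes a Windows-style user profile layout and that the caller supplies the profile root and the proxy-log lines; the files and log lines built inside demo() are constructed for illustration. The hashes, paths and URLs are copied verbatim from the list above. The vid.me and yourjavascript.com entries are matched as full URLs rather than as domains, because both are public hosting services and a domain match would flag unrelated traffic.

```python
"""Offline sweep for the File Spider IOCs listed above (added example, not eScan's tooling)."""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# SHA-256 -> sample name, copied from the IOC list above
FILE_HASHES = {
    "6500a1baa13e0698e3ed41b4465e5824e9a316b22209223754f0ab04a6e1b853": "enc.exe",
    "74e5096f09a031800216640a8455bc487e9a32b2e56fbad9d083c3810ed5488e": "dec.exe",
}
# Relative to %UserProfile%, copied from the IOC list above
PROFILE_RELATIVE_PATHS = [
    "AppData/Roaming/Spider/5p1d3r",
    "AppData/Roaming/Spider/dec.exe",
    "AppData/Roaming/Spider/enc.exe",
    "AppData/Roaming/Spider/files.txt",
    "AppData/Roaming/Spider/id.txt",
    "AppData/Roaming/Spider/run.bat",
    "Desktop/DECRYPTER.url",
]
RANSOM_NOTE = "HOW TO DECRYPT FILES.html"
# Full URLs, not domains: yourjavascript.com and vid.me are public hosting services
NETWORK_URLS = {
    "https://spiderwjzbmsmu7y.onion",
    "https://vid.me/embedded/CGyDc?autoplay=1&stats=1",
    "https://yourjavascript.com/5118631477/javascript-dec-2-25-2.js",
    "https://yourjavascript.com/53103201277/javascript-enc-1-0-9.js",
}


def sha256_file(path):
    """Stream the file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_profile_paths(user_profile, ioc_paths=PROFILE_RELATIVE_PATHS):
    """Return the IOC entries (relative paths) that exist under this profile."""
    base = Path(user_profile)
    return [p for p in ioc_paths if (base / p).exists()]


def scan_tree(root, ioc_hashes=FILE_HASHES):
    """Hash every file under root; content matching also catches renamed copies."""
    hits = []
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                digest = sha256_file(full)
            except OSError:
                continue  # locked or vanished file: keep sweeping
            if digest in ioc_hashes:
                hits.append((full, digest, ioc_hashes[digest]))
    return hits


def find_ransom_notes(root, note_name=RANSOM_NOTE):
    """Return every directory under root that holds the ransom note."""
    return [d for d, _subdirs, files in os.walk(root) if note_name in files]


def match_network_log(lines, ioc_urls=NETWORK_URLS):
    """Return (line_number, url) for each log line requesting an IOC URL exactly."""
    hits = []
    for n, line in enumerate(lines, 1):
        for url in re.findall(r"https?://[^\s\"'<>]+", line):
            if url.rstrip("/.,;") in ioc_urls:
                hits.append((n, url))
    return hits


def demo():
    """Run the sweep over a constructed profile and a constructed proxy log."""
    log = [  # constructed lines, not captured traffic
        "2017-12-11T10:02:20Z 10.0.0.5 GET https://yourjavascript.com/53103201277/javascript-enc-1-0-9.js 200",
        "2017-12-11T10:02:21Z 10.0.0.5 GET https://yourjavascript.com/unrelated.js 200",
    ]
    with tempfile.TemporaryDirectory() as profile:
        spider = Path(profile, "AppData", "Roaming", "Spider")
        spider.mkdir(parents=True)
        Path(profile, "Desktop").mkdir()
        Path(profile, "Desktop", "DECRYPTER.url").touch()
        (spider / RANSOM_NOTE).touch()
        sample = spider / "update.bin"  # stand-in for a renamed enc.exe
        sample.write_bytes(b"constructed stand-in, not the real binary")
        iocs = {sha256_file(sample): "enc.exe"}  # the stand-in's own hash
        return {
            "hash_hits": [name for _path, _digest, name in scan_tree(profile, iocs)],
            "path_hits": check_profile_paths(profile),
            "note_dirs": [Path(d).name for d in find_ransom_notes(profile)],
            "net_hits": match_network_log(log),
        }
```

On a live host, call check_profile_paths(os.environ["USERPROFILE"]) and scan_tree() over the profile and any shares the user could write to; demo() only exercises the same functions against constructed input. Tor traffic to the .onion payment site will not appear as a plaintext URL in a web proxy log, so that entry is mainly useful for matching the contents of ransom notes and DECRYPTER.url, while the yourjavascript.com requests are the ones to hunt for in proxy history.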