Ransomware found posing as supply lists in phishing emails

A strain of ransomware has been found to be infecting computers via seemingly harmless email links relating to supply lists. 

These supposed supply lists actually include MirCop ransomware, which has the ability to infect and encrypt the target system with disturbing Halloween-themed ransomware in under fifteen minutes. 

The phishing email sent to the recipient tries to give the impression it is a follow-up to a previous arrangement about an order. The email includes a link to a Google Drive URL, which automatically downloads an MHT file when clicked. 

Although this MHT file (a web page archive) may appear to be a supply list, its sole purpose is to download a RAR file that contains the ransomware. The contents of the RAR file then unpack and run on the system automatically, without giving the victim much time to react.
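The delivery chain above turns on an MHT file that looks like a document but only exists to fetch an archive. Because MHT is ordinary MIME, a defender can triage such a file statically with Python's standard-library email parser. The script below is an added example, not code from the original article or from any vendor: it extracts every URL from the archive's HTML parts and flags two traits of a downloader lure, links whose path ends in an archive extension and markup or script that navigates without a click. Both sample MHT files, their hostnames and the extension list are constructed for the example.

```python
"""Added example: static triage of an MHT (MIME HTML) archive.

MHT is plain MIME, so the standard-library email package parses it. The script
pulls every URL out of the HTML parts and flags two traits of a downloader
lure: links whose path ends in an archive extension, and markup or script that
navigates without user action. All sample data below is constructed."""
import email
import re
from email import policy

# Extensions that a "document" page has no business linking to (constructed list).
ARCHIVE_EXTENSIONS = (".rar", ".zip", ".7z", ".iso", ".img", ".cab")
URL_RE = re.compile(r"""https?://[^\s"'<>)]+""")
# Script or markup that triggers navigation or download without a click.
AUTO_NAV_RE = re.compile(
    r"""window\.location|location\.href|location\.replace|http-equiv\s*=\s*["']?refresh""",
    re.IGNORECASE,
)

# Constructed lure: a page that looks like a supply list but points at a RAR
# file and redirects to it automatically. Hostnames are placeholders.
LURE_MHT = """Subject: Supply List
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_NextPart_000"

------=_NextPart_000
Content-Type: text/html; charset="utf-8"
Content-Location: https://example.invalid/supply-list.html

<html><body>
<h1>Supply list - order follow-up</h1>
<a href="https://example.invalid/files/supply_list.rar">Download full list</a>
<script>window.location = "https://example.invalid/files/supply_list.rar";</script>
</body></html>
------=_NextPart_000--
"""

# Constructed benign archive: a saved page with an ordinary document link only.
BENIGN_MHT = """Subject: Price list
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_NextPart_001"

------=_NextPart_001
Content-Type: text/html; charset="utf-8"
Content-Location: https://example.invalid/prices.html

<html><body><p>See <a href="https://example.invalid/prices/2021.pdf">the PDF</a>.</p></body></html>
------=_NextPart_001--
"""


def extract_html_parts(mht_text):
    """Return the decoded text/html bodies contained in an MHT archive."""
    msg = email.message_from_string(mht_text, policy=policy.default)
    return [part.get_content() for part in msg.walk()
            if part.get_content_type() == "text/html"]


def triage_mht(mht_text):
    """Summarise the URLs an MHT references and give a coarse verdict."""
    urls, archive_urls, auto_nav = [], [], False
    for html in extract_html_parts(mht_text):
        for url in URL_RE.findall(html):
            if url in urls:
                continue
            urls.append(url)
            # Strip query string and fragment before checking the extension.
            path = url.split("?", 1)[0].split("#", 1)[0].lower()
            if path.endswith(ARCHIVE_EXTENSIONS):
                archive_urls.append(url)
        if AUTO_NAV_RE.search(html):
            auto_nav = True
    if archive_urls and auto_nav:
        verdict = "suspicious"  # archive payload fetched without a click
    elif archive_urls or auto_nav:
        verdict = "review"
    else:
        verdict = "clean"
    return {"urls": urls, "archive_urls": archive_urls,
            "auto_navigation": auto_nav, "verdict": verdict}


if __name__ == "__main__":
    for name, sample in (("lure", LURE_MHT), ("benign", BENIGN_MHT)):
        print(name, triage_mht(sample))
```

The verdict is deliberately coarse: a lone archive link or a lone redirect earns "review" rather than a block, since legitimate saved pages contain both on occasion, while the combination is the pattern the article describes and is worth quarantining before a user opens the file.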

The ransomware will then begin to take screenshots, lock files, run a program to find stored passwords in web browsers and change the home screen to the gruesome and shocking image shown above, which also includes the ransom note. 

The MirCop ransomware, also known as Crypt888 ransomware, renders the infected system almost useless: files are encrypted and only a few applications remain usable, so that the victim can contact the threat actors and pay the ransom they demand. Only then, they say, will the system be unlocked and decrypted.

Continuous development of ransomware 

News of this new strain of ransomware continues the ongoing rise of this cyberthreat. Over the past year, and the past few months especially, ransomware has seen a noticeable increase in both the frequency of attacks and the number of distinct strains.

There has been Lockbit ransomware in both August and September, as well as HIVE ransomware, Black Matter ransomware and BlackByte ransomware, among many others. Only last week, Graff was hit by Conti ransomware, leaking the data of over 11,000 customers onto the dark web, including many high-profile names such as Donald Trump, Oprah Winfrey and Samuel L Jackson.

What helped give this MirCop campaign a sense of believability was the use of Google Drive as the supposed location of the file. Google Drive is considered a reliable platform and its use aligns with common business practices, both of which lend the phishing email a sense of legitimacy.

Users should be aware that threat actors will keep developing ways to make their attacks appear more genuine, and they should remain alert to cybercriminals' attempts to take advantage of seemingly trustworthy digital practices.

As part of the cybersecurity risk assessment provided by Securiwiser, email addresses can be checked for exposure, which may result in increased amounts of phishing attacks being experienced. You can sign up for a free trial now.
