The ransomware marketplace is far from dissipating. New variants have already appeared in 2017 and researchers have detected that one new iteration, Sage, shares infrastructure with another already notorious malware, Locky, according to a PhishMe blog post.

In digging into samples of Sage, the PhishMe researchers found that while the coders behind the ransomware at first targeted victims with a sexually explicit subject line in their phishing attempts, they soon moved on to a more mainstream campaign: business-related subject lines claiming a financial transaction had been rejected, designed to persuade email recipients to open a malicious .zip file attachment.
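The lure described above (a business-themed "transaction rejected" subject carrying a .zip attachment) is the kind of pattern a mail gateway can triage before a user ever sees it. The following is an added example written for this page, not code from PhishMe or from the report; the subject patterns, the risky-extension list and the sample message are constructed for illustration and are not indicators taken from the Sage or Locky campaigns. It parses a raw RFC 822 message, inspects any .zip attachment for script or executable members, and combines that with the subject check to reach a verdict.

```python
"""Mail-gateway triage for zip-attachment phishing lures (added example).

All fixtures here are constructed; nothing is taken from the PhishMe report.
"""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Subject phrases typical of the "financial transaction rejected" lure theme.
# Hypothetical patterns for illustration, not indicators from the report.
LURE_PATTERNS = [
    re.compile(r"\b(transaction|payment|transfer|invoice)\b.*\b(rejected|declined|failed)\b", re.I),
    re.compile(r"\b(rejected|declined|failed)\b.*\b(transaction|payment|transfer|invoice)\b", re.I),
]

# Member extensions inside an archive that should not pass a gateway unreviewed.
RISKY_INNER_EXTENSIONS = {".js", ".jse", ".vbs", ".wsf", ".exe", ".scr", ".hta", ".cmd", ".bat"}


def lure_subject(subject: str) -> bool:
    """True if the subject matches one of the constructed lure patterns."""
    return any(p.search(subject or "") for p in LURE_PATTERNS)


def risky_zip_members(data: bytes) -> list:
    """Return archive member names with a risky extension.
    A corrupt or non-zip payload is itself reported as a finding, since
    attackers sometimes ship malformed archives that desktop tools still open."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return ["<not a valid zip archive>"]
    return [n for n in names if any(n.lower().endswith(ext) for ext in RISKY_INNER_EXTENSIONS)]


def triage(raw: bytes) -> dict:
    """Parse a raw message and return subject flag, attachment findings and a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = msg["subject"] or ""
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        if not filename.lower().endswith(".zip"):
            continue
        members = risky_zip_members(part.get_payload(decode=True) or b"")
        if members:
            findings.append({"attachment": filename, "risky_members": members})
    subject_hit = lure_subject(subject)
    if findings and subject_hit:
        verdict = "quarantine"      # both signals: hold the message
    elif findings or subject_hit:
        verdict = "review"          # one signal: route to an analyst
    else:
        verdict = "pass"
    return {"subject": subject, "lure_subject": subject_hit,
            "findings": findings, "verdict": verdict}


def build_sample_message(lure: bool = True) -> bytes:
    """Constructed sample message. With lure=True the subject follows the
    'transaction rejected' theme and the zip wraps a harmless .js stub;
    with lure=False it is a benign note with a text file inside the zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if lure:
            zf.writestr("invoice_details.js", "// placeholder file, not malware\n")
        else:
            zf.writestr("notes.txt", "agenda for Monday\n")
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Payment transaction rejected - see attached" if lure else "Meeting notes"
    msg.set_content("Please review the attached details.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="details.zip" if lure else "notes.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for flag in (True, False):
        print(triage(build_sample_message(lure=flag)))
```

The two signals are deliberately combined rather than used alone: a subject-only match would generate false positives on legitimate finance mail, while an archive-only match misses lures that arrive with a fresh theme, so a single hit routes to review and a double hit quarantines.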

In both campaigns, the email messages and the metadata used, as well as the payment gateway’s Tor site, were the same as those seen in earlier Locky campaigns. This is evidence, they said, that contrary to claims that Locky has disappeared from the threat landscape, it is, in fact, still being used by some attackers – although with different strategies.

“This overlapping infrastructure is a curious link between these two ransomware varieties and serves as a reminder of how malware support and distribution infrastructure is frequently reused,” the report stated.
