The ransomware marketplace is far from dissipating. New variants have already appeared in 2017 and researchers have detected that one new iteration, Sage, shares infrastructure with another already notorious malware, Locky, according to a PhishMe blog post.
In digging into samples of Sage, the PhishMe researchers found that the coders behind the ransomware at first targeted victims with a sexually explicit subject line in their phishing emails. They soon moved on to a more mainstream campaign that used business-related subject lines, claiming a financial transaction had been rejected, to persuade recipients to open a malicious .zip file attachment.
In both campaigns, the email messages and the metadata used, as well as the payment gateway’s Tor site, were the same as those seen in earlier Locky campaigns. This is evidence, they said, that contrary to claims that Locky has disappeared from the threat landscape, it is in fact still being used by some attackers – although with different strategies.
“This overlapping infrastructure is a curious link between these two ransomware varieties and serves as a reminder of how malware support and distribution infrastructure is frequently reused,” the report stated.