Impersonation is a tactic used by many cybercriminals to make their digital shenanigans successful. The social engineering lures they use consist largely of impersonation. Recently, a cyber defense company has detected that Shade ransomware operators are impersonating the Russian oil and gas company NGK Slavneft to distribute their cryptovirological payload.
They have crafted an email with the subject ‘Slavneft Order’ that carries a zip file attachment named ‘Slavneft Order Details’. This file is actually a JavaScript downloader that unpacks the malicious code of Shade ransomware on the device, which then encrypts every stored file, without interruption, using an AES encryption module.
The Ransom Note Directs Victim to Dark Web
Shade ransomware was primarily designed to target Russian users, which is why its operators have written the ransom note in Russian instead of English. According to a translation of the note, the attackers give victims a Dark Web link to follow for further correspondence. The note does not mention the extortion amount that Shade operators are demanding in exchange for a ransomware removal solution.
By impersonating a well-known oil and gas company, Shade operators have expanded the scope of their activity. They can now target a long list of organizations that may have a working relationship with an oil and gas entity. They also play the psychological angle well: many curious users will click to download a file named ‘Order Detail’ without giving it a second thought.
Right now, there are no details available on the number of victims affected by this latest impersonation campaign by Shade operators.
Shade Operators Have Started the Year with a Bang
As the year began, Shade operators launched mass payload distribution activities, so it seems that Shade operators are unaware of the forecast that this year will see fewer ransomware attacks. In January, ESET, another IT security company, picked up a similar phishing campaign under a different name that delivered the Shade payload through a similar JavaScript downloader.
This month, besides this impersonation campaign, Shade operators are targeting Russian-speaking users through similar email attachments, as reported by Carbon Black. Their growing activity suggests that Shade operators are making good money in the name of ransomware removal.
Protection Against Shade Ransomware
It has been established that Shade operators primarily focus on commercial entities, which offer better extortion prospects for ransomware removal. To protect their digital infrastructure from Shade or any other ransomware strain, organizations must keep their endpoint software up to date, which can prevent the infiltration of a malicious file in the first place. Backing up critical data can also mitigate the effects of any ransomware attack.
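As an added example that is not part of the original report, the following Python mail-gateway check inspects a zip attachment of the kind described above (an archive whose member is a JavaScript downloader) and quarantines the message when the archive carries a script file or cannot be parsed at all. The subject line, archive contents and the policy function are constructed for illustration; the script body inside the sample archive is an inert placeholder.

```python
import io
import zipfile

# Script extensions commonly abused as archive-wrapped downloaders.
# The Shade campaign described above used a .js member.
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta",
                     ".cmd", ".bat", ".ps1")


def suspicious_entries(zip_bytes):
    """Return the archive members whose trailing extension is a script type.
    Matching the trailing extension also catches 'Order Details.pdf.js'."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.filename.lower().endswith(SCRIPT_EXTENSIONS):
                findings.append(info.filename)
    return findings


def build_sample_attachment(member_name, body):
    """Construct an in-memory zip attachment (sample data for this example)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, body)
    return buf.getvalue()


def should_quarantine(subject, attachment_name, zip_bytes):
    """Gateway policy (hypothetical): hold any zip that carries a script,
    and also hold archives the parser rejects rather than passing them."""
    try:
        hits = suspicious_entries(zip_bytes)
        reason = "script inside archive" if hits else ""
    except zipfile.BadZipFile:
        hits, reason = [], "malformed archive"
    return {"subject": subject, "attachment": attachment_name,
            "quarantine": bool(reason), "scripts": hits, "reason": reason}


if __name__ == "__main__":
    # Constructed lure mirroring the campaign above; the member is inert.
    lure = build_sample_attachment("Slavneft Order Details.js",
                                   "// placeholder, not a real downloader\n")
    print(should_quarantine("Slavneft Order", "Slavneft Order Details.zip", lure))
    benign = build_sample_attachment("order.pdf", "%PDF-1.4 placeholder")
    print(should_quarantine("Invoice", "order.zip", benign))
```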