- A Poland CERT researcher believes the ransomware is spreading via a spam campaign.
- The Nozelesn ransomware campaign began on July 1.
A new ransomware variant dubbed Nozelesn has been detected by security researchers. The ransomware operators have reportedly launched a spam campaign on July 1 targeting victims in Poland.
A security researcher at the Computer Emergency Response Team (CERT) Poland believes the ransomware is being distributed via a spam campaign designed to pose as a DHL invoice, Bleeping Computer reported.
Nozelesn ransomware infection chain
The ransomware encrypts victims’ files and displays a ransom note containing instructions for logging on to a TOR-based payment server to receive further directions. The ransom note also contains a unique personal code that the victim needs in order to log in to the TOR payment server.
Once the victim arrives at the TOR payment server, which is reportedly called the “Nozelesn decryption cabinet”, the victim is prompted to enter the personal code from the ransom note once again, along with a captcha response, on the login screen. After a successful login, the victim can view the payment instructions. Bleeping Computer reports that the ransom amount is currently set at 0.10 bitcoin, around $660.
Ransom payment doesn’t guarantee decryption
It remains unclear how many victims have been infected by the Nozelesn ransomware.
According to a tweet posted by the MalwareHunterTeam, the ransomware has already infected dozens of victims, including companies.
It is also unclear whether paying the ransom amount has resulted in victims being provided with a functional decryption key.
In such cases, security researchers generally recommend that victims refrain from paying the ransom, as there is no guarantee that payment will result in victims getting their data back from the cybercriminals.