A recent blog post by security researchers from ESET details a growing spam campaign that has emerged in recent months. The campaign's spam emails are written in Russian and deliver the Shade ransomware, also known as Troldesh.
The Shade ransomware drops its ransom notes, as .txt files, into every folder and onto every drive of the infected computer.
“These malicious emails pose as order updates, seemingly coming from legitimate Russian organizations. The emails we have seen impersonate the Russian bank B&N Bank (note: recently merged with Otkritie Bank), and the retail chain Magnit,” the researchers explain.
The malicious loader, concealed as an image file, is downloaded from URLs on compromised WordPress sites. To achieve this, the attackers use automated bots to brute-force the credentials of legitimate WordPress sites and then use those sites as launchpads for malware distribution.
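A file whose name says "image" but whose content is a Windows executable is exactly the kind of mismatch described above. The following check is an added example written for this article, not code from ESET or from the campaign's analysis; the file names and byte strings in `SAMPLES` are constructed stand-ins (a genuine PNG header, a genuine JPEG header, and a bare PE/DOS header under a `.jpg` extension), not real malware.

```python
import os
from typing import Dict, List, Optional

# Leading bytes ("magic") that identify common image formats and Windows PE files.
IMAGE_MAGIC = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}
PE_MAGIC = b"MZ"  # DOS header that every Windows executable begins with

# Extensions a downloader would expect to contain an image.
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}


def sniff_type(data: bytes) -> Optional[str]:
    """Identify the real format from the leading bytes, ignoring the file name."""
    if data.startswith(PE_MAGIC):
        return "pe"
    for name, magic in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def is_masquerading_executable(filename: str, data: bytes) -> bool:
    """True when the extension claims an image but the content is a PE executable."""
    ext = os.path.splitext(filename)[1].lower()
    return ext in IMAGE_EXTENSIONS and sniff_type(data) == "pe"


def scan(files: Dict[str, bytes]) -> List[str]:
    """Return the names of files whose image extension hides an executable."""
    return [name for name, data in files.items() if is_masquerading_executable(name, data)]


def scan_directory(path: str) -> List[str]:
    """Same check against real files on disk: only the first 16 bytes are read."""
    found = {}
    for entry in os.scandir(path):
        if entry.is_file():
            with open(entry.path, "rb") as fh:
                found[entry.name] = fh.read(16)
    return scan(found)


# Constructed sample "downloads" (assumption: these are stand-ins, not real files).
SAMPLES = {
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,      # genuine PNG header
    "invoice.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,       # genuine JPEG header
    "order_update.jpg": b"MZ\x90\x00" + b"\x00" * 60,        # PE header behind .jpg
    "setup.exe": b"MZ\x90\x00" + b"\x00" * 60,               # honestly named; not flagged
}

if __name__ == "__main__":
    for name in scan(SAMPLES):
        print(f"extension/content mismatch: {name} claims an image but starts with a PE header")
```

The check is deliberately independent of the file name: `sniff_type` decides from content alone, and `is_masquerading_executable` only raises a flag when that verdict contradicts the extension, so an honestly named `.exe` is not reported. Reading only the first 16 bytes keeps `scan_directory` cheap enough to run over a downloads folder or a web-server upload directory.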
In addition, every sample of the loader carries a fake, invalid digital signature in an attempt to evade antivirus programs. Once downloaded, the loader disguises itself as a system process on the affected system. The ransomware then begins encrypting files and finishes by generating the ransom notes.