Prince Ransomware Hits UK and US via Royal Mail Phishing Scam
Cybersecurity researchers at Proofpoint have uncovered a new phishing campaign that impersonates the British postal service, Royal Mail, to distribute the open-source Prince ransomware. The campaign, observed in mid-September, targets individuals and organizations in the United Kingdom and the United States. By leveraging publicly available malware from GitHub and utilizing contact forms on websites, the attackers aim to deliver destructive ransomware under the guise of legitimate communication.
The attackers initiate the campaign by sending emails that appear to come from Royal Mail, a brand commonly exploited in phishing scams. These emails often use sender or reply-to addresses from Proton Mail, a secure email service, adding a layer of anonymity. Each message contains a unique PDF attachment that mimics official Royal Mail correspondence.
Notably, the threat actors are submitting their malicious messages via contact forms on target organizations’ websites. This method allows them to bypass some email security measures and reach recipients who might not typically expect phishing attempts through this channel. The use of contact forms also means the emails could be received by multiple people within an organization, increasing the likelihood of successful infection.
The PDF attachment in the email contains a link to a Dropbox-hosted ZIP file (e.g., PACKAGE-0074752.zip). This ZIP file includes another password-protected ZIP file (invoice.zip) and a text file (privacy notice.txt) containing the password required to extract the contents.
Upon extraction, the second ZIP file reveals a shortcut (.LNK) file. Executing this file triggers a series of actions:
- JavaScript Execution: The shortcut file extracts and runs embedded JavaScript code by locating itself in the %temp% directory or the current directory.
- Obfuscated Scripts: The JavaScript writes several heavily obfuscated files to the %temp% directory, including PowerShell scripts (PS1.ps1, PS2.ps1, PS3.ps1) and another JavaScript file (JS2.js).
- AMSI and UAC Bypasses: The scripts employ well-known techniques to bypass the Antimalware Scan Interface (AMSI) and User Account Control (UAC), allowing the malicious code to run without raising alerts.
- Scheduled Task Creation: The malware sets up a scheduled task that executes every 20 minutes but only after the computer has been idle for at least 15 minutes and is connected to power. This delayed execution helps evade immediate detection.
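A triage check for the scheduled-task profile described above, added here as an example and not taken from Proofpoint's report or the campaign itself. It assumes the task is stored as standard Task Scheduler XML and that the idle and power conditions appear as RunOnlyIfIdle, IdleSettings/Duration and DisallowStartIfOnBatteries; the function names and sample tasks are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

def minutes(duration):
    """Convert a simple ISO 8601 duration (PT20M, PT1H30M) to minutes, else None."""
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?", (duration or "").strip())
    if not m or not any(m.groups()):
        return None
    return int(m.group(1) or 0) * 60 + int(m.group(2) or 0)

def setting(root, name):
    """Return the text of an element below <Settings>, or None if it is absent."""
    node = root.find("t:Settings/" + "/".join("t:" + p for p in name.split("/")), NS)
    return node.text.strip() if node is not None and node.text else None

def profile(task_xml):
    """Check one task definition (str or bytes) against the three described traits."""
    root = ET.fromstring(task_xml)
    intervals = [minutes(n.text) for n in root.iterfind(".//t:Repetition/t:Interval", NS)]
    return {
        "repeats_every_20_min": 20 in intervals,
        "needs_15_min_idle": setting(root, "RunOnlyIfIdle") == "true"
        and minutes(setting(root, "IdleSettings/Duration")) == 15,
        "ac_power_only": setting(root, "DisallowStartIfOnBatteries") == "true",
    }

def is_suspicious(task_xml):
    """True only when all three traits are present together."""
    return all(profile(task_xml).values())

# Constructed sample task definitions (not taken from the campaign).
TASK = ('<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        "<Triggers><TimeTrigger><StartBoundary>2000-01-01T09:00:00</StartBoundary>"
        "<Repetition><Interval>{interval}</Interval></Repetition></TimeTrigger>"
        "</Triggers><Settings><DisallowStartIfOnBatteries>{ac}</DisallowStartIfOnBatteries>"
        "<RunOnlyIfIdle>{idle}</RunOnlyIfIdle><IdleSettings><Duration>PT15M</Duration>"
        "</IdleSettings></Settings><Actions><Exec><Command>placeholder.exe</Command>"
        "</Exec></Actions></Task>")
CAMPAIGN_LIKE = TASK.format(interval="PT20M", ac="true", idle="true")
BENIGN = TASK.format(interval="PT1H", ac="true", idle="false")

if __name__ == "__main__":
    for name, xml in (("campaign-like", CAMPAIGN_LIKE), ("benign", BENIGN)):
        print(name, profile(xml), "-> suspicious" if is_suspicious(xml) else "-> ok")
```

Each trait is common on its own in legitimate tasks, so a hit on all three is a lead for review of the task's action and creation time, not a verdict.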
The final payload is a .NET assembly loaded into memory, which is an obfuscated version of the Prince ransomware available on GitHub. The ransomware performs the following actions:
- File Encryption: Encrypts files on the system, appending the .womp extension to affected files.
- Ransom Note Deployment: Places a ransom note titled Decryption Instructions.txt on the desktop.
- Deceptive Messaging: Displays a Windows Update splash screen to distract the user during encryption.
- Background Change: Downloads and sets a new desktop background image from Imgur, similar to the example provided in the Prince ransomware GitHub repository.
Despite claiming that files have been exfiltrated and offering decryption upon payment of 0.007 Bitcoin (approximately $400), the ransomware lacks mechanisms for data exfiltration or decryption:
- No Data Exfiltration: Analysis revealed no code responsible for sending data back to the attackers.
- Lack of Decryption Capability: The ransomware does not generate unique identifiers or provide contact information, making it impossible for the attackers to know who paid the ransom.
- Destructive Intent: The absence of a decryption method suggests that the attack is intended to be purely destructive, causing irreversible damage to victims’ files.
While Proofpoint has not attributed this campaign to a specific threat actor, the use of openly available malware from GitHub indicates that various malicious actors could replicate this attack. The Prince ransomware is developed by a GitHub user named SecDbg, who describes the code as being for educational purposes only. However, the developer also mentions on GitHub:
“If, for whatever reason, bypassing Windows Defender is a priority for you, contact me on Telegram and I will accept payment for any changes you may require.”
This statement suggests that the developer may offer customized versions of the ransomware that can evade security measures, potentially including a builder service that automates the creation of the malware payload.