Security Brief: Royal Mail Lures Deliver Open Source Prince Ransomware

Oct. 2, 2024, 4:21 p.m.

Description

A campaign impersonating Royal Mail was identified delivering Prince ransomware, an open-source variant available on GitHub. The low-volume attack targeted UK and US organizations in mid-September, often originating from contact forms on target websites. The ransomware lacks decryption mechanisms and data exfiltration capabilities, making it purely destructive. The attack chain involves multiple stages, including PDF lures, ZIP files, shortcuts, and obfuscated scripts, ultimately leading to the execution of the Prince ransomware. The campaign's attribution remains unclear, but the ransomware's creator offers customization services. This activity highlights the ongoing threat of freely available malware and the importance of user awareness in identifying suspicious emails and attachments.

External References

https://www.proofpoint.com/us/blog/threat-insight/security-brief-royal-mail-lures-deliver-open-source-prince-ransomware
https://otx.alienvault.com/pulse/66fd7040c300a679eaf9f896
Tags
obfuscation
phishing
github
2024-10-02
prince ransomware
destructive attack
royal mail
open-source malware
prince
contact forms

Date

  • Created: Oct. 2, 2024, 4:09 p.m.
  • Published: Oct. 2, 2024, 4:09 p.m.
  • Modified: Oct. 2, 2024, 4:21 p.m.

Indicators

  • e2a187babf980f024b94fa2cb4a93948d70c1e15bed1eccf975ab6c562754149
  • ad1983a13a06919c9b8da04727ea3c210e9d19e0598c0811e4b8355b5a98589e
  • 226b653e57484de58148b455b714dcb551a52eda5a3a6d8210095aab96d782df
Download all indicators here!

Attack Patterns

  • Brave Prince - S0252

Additional Informations

  • United Kingdom of Great Britain and Northern Ireland
  • United States of America