Description
A low-volume campaign impersonating Royal Mail was identified delivering Prince ransomware, an open-source ransomware family whose source is published on GitHub. The campaign, observed in mid-September 2024, targeted organizations in the UK and US, and the messages frequently appeared to originate from contact forms on the target organizations' own websites. Prince has no decryption mechanism and no data exfiltration capability, so the attack is purely destructive: there is no path to recovery even if a victim pays. The attack chain runs through multiple stages, including a PDF lure, a ZIP archive, a Windows shortcut (LNK) and obfuscated scripts, before the Prince ransomware itself executes. Attribution remains unclear; the ransomware's author openly offers customization services, so the malware is not tied to a single operator. This activity highlights the ongoing threat from freely available malware and the importance of users recognizing suspicious emails and attachments.
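Two checks a responder would want from the summary above, as an added example that is not code from the original report: a SHA-256 sweep for the listed indicators, and a heuristic over process-creation telemetry for the shortcut-to-obfuscated-script-to-PowerShell chain the description outlines. The event schema (parent, image, cmdline keys), the script-host list and the sample events are assumptions constructed for illustration, not data from the campaign.

```python
"""IOC sweep and delivery-chain heuristic for the Prince ransomware campaign.

Added example; not code from the original report. The event dict schema
(parent, image, cmdline) and SAMPLE_EVENTS below are constructed."""
import hashlib
import tempfile
from pathlib import Path

# SHA-256 indicators as listed on this page.
PRINCE_IOCS = frozenset({
    "e2a187babf980f024b94fa2cb4a93948d70c1e15bed1eccf975ab6c562754149",
    "ad1983a13a06919c9b8da04727ea3c210e9d19e0598c0811e4b8355b5a98589e",
    "226b653e57484de58148b455b714dcb551a52eda5a3a6d8210095aab96d782df",
})

# Assumed set of script hosts used across the stages (cmd, JScript/VBScript, PowerShell).
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe"}
SCRIPT_EXTS = (".lnk", ".js", ".jse", ".vbs", ".bat", ".cmd", ".ps1")


def sha256_file(path):
    """Stream a file through SHA-256 so large files are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root, iocs=PRINCE_IOCS):
    """Return sorted paths under root whose SHA-256 matches an indicator."""
    hits = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        try:
            if sha256_file(p) in iocs:
                hits.append(str(p))
        except OSError:  # locked or unreadable file: skip it, do not abort the sweep
            continue
    return sorted(hits)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def chain_reasons(ev):
    """Reasons an event resembles the described chain; empty list if none apply."""
    image, parent, cmd = _basename(ev["image"]), _basename(ev["parent"]), ev["cmdline"].lower()
    if image not in SCRIPT_HOSTS:
        return []
    reasons = []
    if parent == "explorer.exe":
        reasons.append("script host launched by user double-click (T1204)")
    if parent in SCRIPT_HOSTS and image in ("powershell.exe", "pwsh.exe"):
        reasons.append("script host chaining into PowerShell (T1059.003/.007 -> T1059.001)")
    if any(ext in cmd for ext in SCRIPT_EXTS) and ("\\temp\\" in cmd or "\\downloads\\" in cmd):
        reasons.append("script or shortcut run from Temp or Downloads")
    # Substring match is deliberately loose; tune against your own baseline.
    if "-enc" in cmd or "-encodedcommand" in cmd or "frombase64string" in cmd:
        reasons.append("encoded payload on command line (T1027/T1140)")
    return reasons


def triage(events):
    """Return (event, reasons) pairs for every event with at least one reason."""
    return [(ev, r) for ev in events if (r := chain_reasons(ev))]


# Constructed sample telemetry (not from the report): two chain stages, one benign event.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\AppData\Local\Temp\RoyalMail\notice.js"'},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     # Constructed, truncated encoded command; the bytes are not from the campaign.
     "cmdline": "powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Program Files\Notepad++\notepad++.exe",
     "cmdline": r'"C:\Program Files\Notepad++\notepad++.exe" C:\Users\u\notes.txt'},
]


def demo_sweep():
    """Self-contained check of sweep(): hash a constructed file, then locate it by hash."""
    with tempfile.TemporaryDirectory() as d:
        sample = Path(d) / "sample.bin"
        sample.write_bytes(b"constructed sample, not a real artefact")
        return [Path(h).name for h in sweep(d, iocs={sha256_file(sample)})]


if __name__ == "__main__":
    for ev, reasons in triage(SAMPLE_EVENTS):
        print(_basename(ev["image"]), "->", "; ".join(reasons))
    print("sweep demo:", demo_sweep())
```

Run `sweep("/path/to/scan")` against download, mail-spool or temp directories to match the three listed hashes; `triage()` takes a list of process-creation records and is meant to be fed from whatever telemetry you already collect, with the substring heuristics tuned down once you know your environment's normal PowerShell usage.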
Date
Published | Created | Modified |
---|---|---|
Oct. 2, 2024, 4:09 p.m. | Oct. 2, 2024, 4:09 p.m. | Oct. 2, 2024, 4:21 p.m. |
Indicators (SHA-256 file hashes)
e2a187babf980f024b94fa2cb4a93948d70c1e15bed1eccf975ab6c562754149
ad1983a13a06919c9b8da04727ea3c210e9d19e0598c0811e4b8355b5a98589e
226b653e57484de58148b455b714dcb551a52eda5a3a6d8210095aab96d782df
Attack Patterns
Brave Prince - S0252 (MITRE ATT&CK software entry for an unrelated information-stealer; the tag appears to be a name match on "Prince" and does not describe this ransomware)
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
T1059.001 - Command and Scripting Interpreter: PowerShell
T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1059.007 - Command and Scripting Interpreter: JavaScript
T1486 - Data Encrypted for Impact
T1204 - User Execution
T1140 - Deobfuscate/Decode Files or Information
T1027 - Obfuscated Files or Information
T1112 - Modify Registry
T1566 - Phishing
Additional Information (targeted countries)
United Kingdom of Great Britain and Northern Ireland
United States of America