A low-volume, email-based Hakbit ransomware campaign that targets organizations in Austria, Switzerland, and Germany has been found by Proofpoint researchers. The attackers use malicious Microsoft Excel attachments delivered from a free email provider and the GuLoader dropper to spread the Hakbit ransomware. According to the Proofpoint’s report, the attachments contain false billing and tax repayment subjects to entice users to enable macros that execute GuLoader, which downloads the ransomware to encrypt files and lock the system.
Messages in German
Many messages arrived with subject lines such as “Fwd: Steuerrückzahlung” (Translated: Tax Repayment)” and “Ihre Rechnung (Translated: Your Bill)” in German. The message contains a Microsoft Excel attachment named 379710.xlsm which leverages malicious macros. Following the hacking message, attackers demand a payment of 250 Euros in bitcoin to unlock the encrypted files and provide instructions on how to pay the ransom. According to Proofpoint, as of June 16, 2020, there were no transactions showing payment of the ransom to the bitcoin wallet in the examples here.

Finally, Proofpoint researchers said that low-volume and often boutique ransomware campaigns have occurred since January 2020. Moreover, Proofpoint researchers recently identified a shift in the threat landscape with a large-scale Avaddon ransomware campaign consistent with recent open-source vendor reporting.