File Spider is ransomware that targets victims in Bosnia and Herzegovina, Serbia, and Croatia.

Payload

Transmission

File Spider is distributed through spam. These spam emails contain malicious Word documents that download and install the File Spider ransomware onto the victim's computer. The emails use subjects like "Potrazivanje dugovanja", which translates to "Debt Collection", and their message body, according to Google Translate, appears to be in Serbian.

These emails carry an attached Word document with malicious macros that pretends to be a debt collection notice; according to Google Translate, the notice is written in Croatian.

If the user clicks Enable Editing and then Enable Content, the embedded macro downloads the ransomware executables from a remote site and executes them.

The macro contains a Base64-encoded PowerShell script that, when executed, downloads XOR-encrypted files called enc.exe and dec.exe from a remote site. The URLs currently used to download the files are:

http://yourjavascript.com/5118631477/javascript-dec-2-25-2.js
http://yourjavascript.com/53103201277/javascript-enc-1-0-9.js

When the files are downloaded, they are decrypted and saved to the %AppData%\Spider folder.

The PowerShell script then executes both enc.exe, the encrypter, and dec.exe, the decrypter and GUI, with the following commands:

"%AppData%\Roaming\Spider\enc.exe" spider ktn 100 
"%AppData%\Roaming\Spider\dec.exe" spider

File Spider will now begin to encrypt the victim's computer.
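The launch chain above (Word macro, PowerShell stage, then enc.exe and dec.exe started from the Spider folder) can be matched against process-creation telemetry. This is an added example, not code from the original page or from any analysis of the sample; the event field names, the assumption that the macro invokes powershell.exe directly, and the sample events are constructed.

```python
import re

# The payload directory and launch commands quoted in the article.
SPIDER_DIR_RE = re.compile(r"\\AppData\\Roaming\\Spider\\", re.IGNORECASE)
LAUNCH_RE = re.compile(r'\\Spider\\(enc|dec)\.exe"?\s+spider(\s+ktn\s+100)?\s*$', re.IGNORECASE)
DOWNLOAD_URLS = (  # download URLs listed in the article
    "http://yourjavascript.com/5118631477/javascript-dec-2-25-2.js",
    "http://yourjavascript.com/53103201277/javascript-enc-1-0-9.js",
)

def classify(event: dict) -> list:
    """Return the File Spider indicators matched by one process-creation event."""
    image, cmd, parent = event["image"], event["command_line"], event["parent_image"]
    hits = []
    if SPIDER_DIR_RE.search(image):
        hits.append("executable running from the Spider folder")
    if LAUNCH_RE.search(cmd):
        hits.append("enc.exe/dec.exe launch command")
    if any(url in cmd for url in DOWNLOAD_URLS):
        hits.append("known download URL")
    # Assumption: the macro runs its Base64 script through powershell.exe, so a
    # Word parent with a PowerShell child is the earliest observable step.
    if parent.lower().endswith("winword.exe") and image.lower().endswith("powershell.exe"):
        hits.append("Word spawning PowerShell")
    return hits

# Constructed sample events, loosely modelled on process-creation telemetry fields.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -EncodedCommand <base64 placeholder>"},
    {"parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\victim\AppData\Roaming\Spider\enc.exe",
     "command_line": r'"C:\Users\victim\AppData\Roaming\Spider\enc.exe" spider ktn 100'},
    {"parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\victim\AppData\Roaming\Spider\dec.exe",
     "command_line": r'"C:\Users\victim\AppData\Roaming\Spider\dec.exe" spider'},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r'"C:\Windows\System32\notepad.exe" C:\Users\victim\notes.txt'},
]

def scan(events=SAMPLE_EVENTS) -> dict:
    """Map each suspicious event's index to the indicators it matched; benign events are omitted."""
    return {i: hits for i, e in enumerate(events) if (hits := classify(e))}
```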

Infection

Once the macros in the malicious document execute, the ransomware is downloaded and run on the computer, starting two processes called enc.exe and dec.exe. dec.exe is the decryptor and GUI for the ransomware and quietly runs in the background until enc.exe, the encryptor, has finished encrypting the computer.

While enc.exe is running, it scans the computer's local drives and encrypts any file whose extension matches the targeted list with AES-128 encryption. The file extensions targeted by File Spider are listed at the end of this article. The AES key is then encrypted using a bundled RSA key and saved 

When encrypting, it will skip files located in the following folders:

tmp
Videos
winnt
Application Data
Spider
PrefLogs
Program Files (x86)
Program Files
ProgramData
Temp
Recycle
System Volume Information
Boot
Windows

When a file is encrypted, it will log the original file name to %UserProfile%\AppData\Roaming\Spider\files.txt and append the .spider extension to the encrypted file's name. For example, a file called test.jpg would be encrypted and then renamed to test.jpg.spider.

It encrypts the following file extensions:

.lnk, .url, .contact, .1cd, .dbf, .dt, .cf, .cfu, .mxl, .epf, .kdbx, .erf, .vrp, .grs, .geo, .st, .conf, .pff, 
.mft, .efd, .3dm, .3ds, .rib, .ma, .sldasm, .sldprt, .max, .blend, .lwo, .lws, .m3d, .mb, .obj, .x, .x3d, 
.movie, .byu, .c4d, .fbx, .dgn, .dwg, .4db, .4dl, .4mp, .abs, .accdb, .accdc, .accde, .accdr, .accdt, .accdw, 
.accft, .adn, .a3d, .adp, .aft, .ahd, .alf, .ask, .awdb, .azz, .bdb, .bib, .bnd, .bok, .btr, .bak, .backup, 
.cdb, .ckp, .clkw, .cma, .crd, .daconnections, .dacpac, .dad, .dadiagrams, .daf, .daschema, .db, .db-shm, 
.db-wal, .db2, .db3, .dbc, .dbk, .dbs, .dbt, .dbv, .dbx, .dcb, .dct, .dcx, .ddl, .df1, .dmo, .dnc, .dp1, .dqy, 
.dsk, .dsn, .dta, .dtsx, .dxl, .eco, .ecx, .edb, .emd, .eql, .fcd, .fdb, .fic, .fid, .fil, .fm5, .fmp, .fmp12, 
.fmpsl, .fol, .fp3, .fp4, .fp5, .fp7, .fpt, .fzb, .fzv, .gdb, .gwi, .hdb, .his, .ib, .idc, .ihx, .itdb, .itw, 
.jtx, .kdb, .lgc, .maq, .mdb, .mdbhtml, .mdf, .mdn, .mdt, .mrg, .mud, .mwb, .s3m, .myd, .ndf, .ns2, .ns3, .ns4, 
.nsf, .nv2, .nyf, .oce, .odb, .oqy, .ora, .orx, .owc, .owg, .oyx, .p96, .p97, .pan, .pdb, .pdm, .phm, .pnz, 
.pth, .pwa, .qpx, .qry, .qvd, .rctd, .rdb, .rpd, .rsd, .sbf, .sdb, .sdf, .spq, .sqb, .stp, .sql, .sqlite, 
.sqlite3, .sqlitedb, .str, .tcx, .tdt, .te, .teacher, .tmd, .trm, .udb, .usr, .v12, .vdb, .vpd, .wdb, .wmdb, 
.xdb, .xld, .xlgc, .zdb, .zdc, .cdr, .cdr3, .ppt, .pptx, .1st, .abw, .act, .aim, .ans, .apt, .asc, .ascii, .ase, 
.aty, .awp, .awt, .aww, .bad, .bbs, .bdp, .bdr, .bean, .bna, .boc, .btd, .bzabw, .chart, .chord, .cnm, .crwl, 
.cyi, .dca, .dgs, .diz, .dne, .doc, .docm, .docx, .docxml, .docz, .dot, .dotm, .dotx, .dsv, .dvi, .dx, .eio, 
.eit, .email, .emlx, .epp, .err, .etf, .etx, .euc, .fadein, .faq, .fb2, .fbl, .fcf, .fdf, .fdr, .fds, .fdt, 
.fdx, .fdxt, .fes, .fft, flr, .fodt, .fountain, .gtp, .frt, .fwdn, .fxc, .gdoc, .gio, .gpn, .gsd, .gthr, .gv, 
.hbk, hht, .hs, .htc, .hwp, .hz, .idx, .iil, .ipf, .jarvis, .jis, .joe, .jp1, .jrtf, .kes, .klg, .knt, .kon, 
.kwd, .latex, .lbt, .lis, .lit, .lnt, .lp2, .lrc, .lst, .ltr, .ltx, .lue, .luf, .lwp, .lxfml, .lyt, .lyx, .man, 
.map, .mbox, .md5txt, .me, .mell, .min, .mnt, .msg, .mwp, .nfo, .njx, .notes, .now, .nwctxt, .nzb, .ocr, .odm, 
.odo, .odt, .ofl, .oft, .openbsd, .ort, .ott, .p7s, .pages, .pfs, .pfx, .pjt, .plantuml, .prt, .psw, .pu, .pvj, 
.pvm, .pwi, .pwr, .qdl, .rad, .readme, .rft, .ris, .rng, .rpt, .rst, .rt, .rtd, .rtf, .rtx, .run, .rzk, .rzn, 
.saf, .safetext, .sam, .scc, .scm, .scriv, .scrivx, .sct, .scw, .sdm, .sdoc, .sdw, .sgm, .sig, .skcard, .sla, 
.slagz, .sls, .smf, .sms, .ssa, .strings, .stw, .sty, .sub, .sxg, .sxw, .tab, .tdf, tex, text, .thp, .tlb, .tm, 
.tmv, .tmx, .tpc, .trelby, .tvj, .txt, .u3d, .u3i, .unauth, .unx, .uof, .uot, .upd, .utf8, .unity, .utxt, .vct, 
.vnt, .vw, .wbk, .wcf, .webdoc, .wgz, .wn, .wp, .wp4, .wp5, .wp6, .wp7, .wpa, .wpd, .wpl, .wps, .wpt, .wpw, 
.wri, .wsc, .wsd, .wsh, .wtx, .xbdoc, .xbplate, .xdl, .xlf, .xps, .xwp, .xy3, .xyp, .xyw, .ybk, .yml, .zabw, 
.zw, .2bp, .036, .3fr, .0411, .73i, .8xi, .9png, .abm, .afx, .agif, .agp, .aic, .albm, .apd, .apm, .apng, .aps, 
.apx, .art, .artwork, .arw, .asw, .avatar, .bay, .blkrt, .bm2, .bmp, .bmx, .bmz, .brk, .brn, .brt, .bss, .bti, 
.c4, .cal, .cals, .can, .cd5, .cdc, .cdg, .cimg, .cin, .cit, .colz, .cpc, .cpd, .cpg, .cps, .cpx, .cr2, .ct, 
.dc2, dcr, .dds, .dgt, .dib, .dicom, .djv, .djvu, .dm3, .dmi, .vue, .dpx, .wire, .drz, dt2, .dtw, .dvl, .ecw, 
.eip, .exr, .fal, .fax, .fpos, .fpx, .g3, .gcdp, .gfb, .gfie, .ggr, .gif, .gih, .gim, .gmbck, .gmspr, .spr, 
.scad, .gpd, .gro, .grob, .hdp, .hdr, .hpi, .i3d, .icn, .icon, .icpr, .iiq, .info, .int, .ipx, .itc2, .iwi, .j, 
.j2c, .j2k, .jas, .jb2, .jbig, jbig2, jbmp, .jbr, .jfif, .jia, .jng, .jp2, .jpe, .jpeg, .jpg, .jpg2, .jps, .jpx, 
.jtf, .jwl, .jxr, .kdc, .kdi, .kdk, .kic, .kpg, .lbm, .ljp, .mac, .mbm, .mef, .mnr, .mos, .mpf, .mpo, .mrxs, 
.myl, .ncr, .nct, .nlm, .nrw, .oc3, .oc4, .oc5, .oci, .omf, .oplc, .af2, .af3, .ai, .asy, .cdmm, .cdmt, .cdmtz, 
.cdmz, .cdt, .cgm, .cmx, .cnv, .csy, .cv5, .cvg, .cvi, .cvs, .cvx, .cwt, .cxf, .dcs, .ded, .design, .dhs, .dpp, 
.drw, .dxb, .dxf, .egc, .emf, .ep, .eps, .epsf, .fh10, .fh11, .fh3, fh4, fh5, .fh6, .fh7, .fh8, .fif, .fig, 
.fmv, .ft10, .ft11, .ft7, .ft8, .ft9, .ftn, .fxg, .gdraw, .gem, .glox, .hpg, .hpgl, .hpl, .idea, .igt, .igx, 
.imd, .vbox, .vdi, .ink, .lmk, .mgcb, .mgmf, .mgmt, .mt9, .mgmx, .mgtx, .mmat, .mat, .otg, .ovp, .ovr, .pcs, 
.pfd, .pfv, .pl, .plt, .pm, .vrml, .pmg, .pobj, .ps, .psid, .rdl, .scv, .sk1, .sk2, .slddrt, .snagitstamps, 
.snagstyles, .ssk, .stn, .svf, .svg, .svgz, .sxd, .tlc, .tne, .ufr, .vbr, .vec, .vml, .vsd, .vsdm, .vsdx, .vstm, 
.stm, .vstx, .wmf, .wpg, .vsm, .vault, .xar, .xmind, .xmmap, .yal, .orf, .ota, .oti, .ozb, .ozj, .ozt, .pal, 
.pano, .pap, .pbm, .pc1, .pc2, .pc3, .pcd, .pcx, .pdd, .pdn, .pe4, .pef, .pfi, .pgf, .pgm, .pi1, .pi2, .pi3, 
.pic, .pict, .pix, .pjpeg, .pjpg, .png, .pni, .pnm, .pntg, .pop, .pp4, .pp5, .ppm, .prw, .psd, .psdx, .pse, 
.psp, .pspbrush, .ptg, .ptx, .pvr, .px, .pxr, .pz3, .pza, .pzp, .pzs, .z3d, .qmg, .ras, .rcu, .rgb, .rgf, .ric, 
.riff, .rix, .rle, .rli, .rpf, .rri, .rs, .rsb, .rsr, .rw2, .rwl, .s2mv, .sai, .sci, .sep, .sfc, .sfera, .sfw, 
.skm, .sld, .sob, .spa, .spe, .sph, .spj, .spp, .sr2, .srw, .ste, .sumo, .sva, .save, .ssfn, .t2b, .tb0, .tbn, 
.tfc, .tg4, .thm, .thumb, .tif, .tiff, .tjp, .tm2, .tn, .tpi, .ufo, .uga, .usertile-ms, .vda, .vff, .vpe, .vst, 
.wb1, .wbc, .wbd, .wbm, .wbmp, .wbz, .wdp, .webp, .wpb, .wpe, .wvl, .x3f, .y, .ysp, .zif, .cdr4, .cdr6, .cdrw, 
.pdf, .pbd, .pbl, .ddoc, .css, .pptm, .raw, .cpt, .tga, .xpm, .ani, .flc, .fb3, .fli, .mng, .smil, .mobi, .swf, 
.html, .xls, .xlsx, .csv, .xlsm, .ods, .xhtm, .7z, .m2, .rb, .rar, .wmo, .mcmeta, .m4a, .itm, .vfs0, .indd, .sb, 
.mpqge, .fos, .p7c, .wmv, .mcgame, .db0, .p7b, .vdf, .DayZProfile, .p12, .d3dbsp, .ztmp, .rofl, .sc2save, .sis, 
.hkx, .pem, .dbfv, .sie, .sid, .bar, .crt, .sum, .ncf, .upk, .cer, .wb2, .ibank, .menu, .das, .der, .t13, 
.layout, .t12, .dmp, .litemod, .dxg, .qdf, .blob, .asset, xf, esm, forge, tax, .001, .r3d, .pst, .pkpass, .vtf, 
.bsa, .bc6, .dazip, .apk, .bc7, .fpk, .re4, .bkp, .mlx, .sav, .raf, .qic, .kf, .lbf, .bkf, .iwd, .slm, .xlk, 
.sidn, .vpk, .bik, .mrwref, .xlsb, .sidd, .tor, .epk, .mddata, .psk, .rgss3a, .itl, .rim, .pak, .w3x, .big, 
.icxs, .fsh, .unity3d, .hvpl, .ntl, .wotreplay, .crw, .hplg, .arch00, .xxx, .hkdb, .lvl, .desc, .mdbackup, .snx, 
.py, .srf, .odc, .syncdb, .cfr, .m3u, .gho, .ff, .odp, .cas, .vpp_pc, .js, .dng, .lrf, .c, .cpp, .cs, .h, .bat, 
.ps1, .php, .asp, .java, .jar, .class, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .indl, .indt, .indb, 
.inx, .idml, .pmd, .xqx, .fla, .as3, .as, .docb, .xlt, .xlm, .xltx, .xltm, .xla, .xlam, .xll, .xlw, .pot, .pps, 
.potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .aif, .iff, .m4u, .mid, .mpa, .ra, .3gp, .3g2, .asf, .asx, 
.vob, .m3u8, .mkv, .dat, .efx, .vcf, .xml, .ses, .zip, .7zip, .mp4, .3gp, .webm, .wmv

In each folder where a file is encrypted, the encryptor also creates a ransom note named HOW TO DECRYPT FILES.url, which, when clicked, opens a video tutorial at the URL https://vid.me/embedded/CGyDc?autoplay=1&stats=1.

The ransom note says the following:

As you may have already noticed, all your important files are encrypted and you no 
longer have access to them. A unique key has been generated specifically for this 
PC and two very strong encryption algorithm was applied in that process. Original 
content of your files are wiped and overwritten with encrypted data so it cannot 
be recovered using any conventional data recovery tool. 

The good news is that there is still a chance to recover your files, you just need 
to have the right key.

To obtain the key, visit our website from the menu above. You have to be fast, 
after 96 hours the key will be blocked and all your files will remain permanently 
encrypted since no one will be able to recover them without the key!

Remember, do not try anything stupid, the program has several security measures to 
delete all your files and cause the damage to your PC.

To avoid any misunderstanding, please read Help section.

The encryptor will also create a file on the desktop called DECRYPTER.url, which launches the dec.exe file.

Finally, the enc.exe program creates a file called %UserProfile%\AppData\Roaming\Spider\5p1d3r and exits. When the dec.exe program detects that this file has been created, it displays the decrypter GUI.
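The host artifacts described in this section (the .spider suffix, files.txt, the ransom note in each folder, DECRYPTER.url on the desktop and the 5p1d3r marker) give an incident responder a checklist for confirming an infection and recovering the original file names. This is an added example, not code from the original page; the sample profile layout and the one-name-per-line format of files.txt are assumptions.

```python
from pathlib import Path
import tempfile

# Host artifacts the article attributes to File Spider, relative to %UserProfile%.
SPIDER_DIR = Path("AppData/Roaming/Spider")
FILE_LOG = SPIDER_DIR / "files.txt"        # original names of encrypted files
DONE_MARKER = SPIDER_DIR / "5p1d3r"        # written by enc.exe when it is finished
RANSOM_NOTE = "HOW TO DECRYPT FILES.url"   # dropped in every folder it encrypts
DESKTOP_LAUNCHER = Path("Desktop/DECRYPTER.url")
ENCRYPTED_SUFFIX = ".spider"

def triage(profile: Path) -> dict:
    """Collect File Spider indicators from one user profile directory."""
    encrypted = sorted(p.relative_to(profile).as_posix() for p in profile.rglob("*" + ENCRYPTED_SUFFIX))
    note_dirs = sorted(p.parent.relative_to(profile).as_posix() for p in profile.rglob(RANSOM_NOTE))
    log_path = profile / FILE_LOG
    logged = log_path.read_text(encoding="utf-8").splitlines() if log_path.is_file() else []
    return {
        "encrypted_files": encrypted,
        # The suffix is simply appended, so the original name is everything before it.
        "original_names": [f[:-len(ENCRYPTED_SUFFIX)] for f in encrypted],
        "note_dirs": note_dirs,
        "logged_names": logged,
        "encryption_finished": (profile / DONE_MARKER).is_file(),
        "desktop_launcher": (profile / DESKTOP_LAUNCHER).is_file(),
        "payload_present": all((profile / SPIDER_DIR / n).is_file() for n in ("enc.exe", "dec.exe")),
    }

def build_sample_profile(root: Path) -> Path:
    """Constructed sample: a fake profile laid out the way the article describes an infected host."""
    profile = root / "victim"
    docs = profile / "Documents"
    docs.mkdir(parents=True)
    for name in ("test.jpg", "report.docx"):
        (docs / (name + ENCRYPTED_SUFFIX)).write_bytes(b"\x00" * 16)  # stand-in ciphertext
    (docs / RANSOM_NOTE).write_text("[InternetShortcut]\nURL=https://vid.me/embedded/CGyDc?autoplay=1&stats=1\n")
    (profile / "Videos").mkdir()                       # on the skip list, so left untouched
    (profile / "Videos" / "clip.mp4").write_bytes(b"\x00" * 16)
    (profile / SPIDER_DIR).mkdir(parents=True)
    for name in ("enc.exe", "dec.exe", "5p1d3r"):
        (profile / SPIDER_DIR / name).write_bytes(b"")
    # Log format assumed here: one original path per line.
    (profile / FILE_LOG).write_text("Documents\\test.jpg\nDocuments\\report.docx\n")
    (profile / "Desktop").mkdir()
    (profile / DESKTOP_LAUNCHER).write_text("[InternetShortcut]\nURL=PLACEHOLDER\n")
    return profile

def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample_profile(Path(tmp)))
```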

This GUI contains multiple tabs that let the victim switch the language between English and Croatian, display the TOR payment site at http://spiderwjzbmsmu7y.onion, show the victim's ID code needed to log in to the TOR site, run the decrypter, and open a help file. The GUI also lists a contact email, file-spider@protonmail.ch.

When a user visits the TOR site, they are prompted to log in using the victim ID shown in the decryptor GUI. Once logged in, they are presented with a page with instructions on how to pay the ransom, currently 0.00726 bitcoins, or around $123.25, to get the files back.
