Home / Royal Mail / Royal Mail spoof used to distribute Prince ransomware in US, UK

Royal Mail spoof used to distribute Prince ransomware in US, UK

In a low-volume but notable campaign, cybercriminals have weaponised the freely available Prince ransomware, delivering it through impersonating Royal Mail messages. Researchers first identified the campaign in September 2024 and used contact forms on targeted organisations’ websites, primarily affecting the UK and the US.

While the activity impacted only a small number of organisations, it highlights a growing trend where threat actors expand beyond email as the primary attack vector.

The Prince ransomware, available on GitHub under the guise of an educational tool, was central to this attack. However, this variant deviated from typical ransomware campaigns in several ways. Notably, it lacked any decryption mechanism or data exfiltration capability, suggesting a primarily destructive intent.

Victims were left with encrypted files and ransom demands but no clear path to regain access to their data — even if they complied.

Researchers found that the attackers leveraged Proton Mail accounts to send Royal Mail-themed messages. These messages included PDF attachments designed to lure victims into downloading malicious ZIP files hosted on Dropbox. The multi-layered payload involved password-protected ZIP files that, once accessed, unleashed a series of obfuscated scripts.

Using PowerShell and JavaScrit, these scripts bypassed security measures such as Windows Defender through a chain of tasks, ultimately launching the Prince ransomware.

Royal Mail phishing messages. | Source: Proofpoint

The malicious code followed a complex process of obfuscation, PowerShell execution and registry manipulation. At the core, the ransomware encrypted victims’ files, added the ‘.womp’ extension, and issued a Windows Update splash screen to mislead users during the attack.

Despite a ransom note claiming files could be restored for 0.007 Bitcoins (around $400), the lack of unique identifiers between encryptions made it impossible for attackers to know who had paid. Researchers believe this is because the attack is meant to destroy and not encrypt data.

They also note that the attackers may have used a custom builder service, allowing for the dynamic construction of the ransomware’s detonation chain from the initial shortcut file to execution.

As of now, researchers couldn’t attribute this campaign to any threat actor. Using public contact forms as an attack vector, rather than email, signals a shift in how ransomware campaigns are conducted. This method allows threat actors to bypass traditional email filters and target organisations more effectively, sending malicious content to multiple recipients via website forms.

Researchers have urged organisations to remain vigilant, particularly regarding messages from unfamiliar Proton Mail accounts or those branded as Royal Mail, as they are commonly used in phishing scams.

In the News:Meta will share data with UK banks to tackle online fraud


Source link

About admin

Check Also

Royal Mail warns of £120 million cost increase due to National Insurance rise

Royal Mail has warned that it faces an additional £120 million in costs due to …

Leave a Reply

Your email address will not be published. Required fields are marked *