Hackers are packing new spam campaigns with "rotating" ransomware strains which could leave victims having to pay twice, security experts have warned.
Ransomware is a particularly nasty form of malicious computer software which locks down computer files and demands cryptocurrency for them to be returned. Two strains, known as Locky and FakeGlobe, are currently being doubled up to cause maximum damage.
In a report, published 18 September, researchers from Japanese security company Trend Micro said that recent campaigns have impacted up to 70 countries.
In one spam email campaign in early September, both strains were being distributed, but the payload was intentionally programmed to change regularly.
As a result, clicking on a booby-trapped link would deliver Locky one hour and then FakeGlobe the next.
Upon analysis, Trend Micro concluded that this tactic made "re-infection" a very real possibility.
"Typically [in the past] the malware were different types, pairing information stealers and banking Trojans with ransomware," the researchers' blog post stated.
"Now we see that cybercriminals are simply doubling up on ransomware, which is quite dangerous for users.
"Since Locky and FakeGlobe are being pushed alternately, files can be re-encrypted with a different ransomware. Victims will have to pay twice or worse, lose their data permanently."
Both pieces of software are relatively new on the scene, but have become effective tools in a hacker's arsenal. Locky emerged in February 2016 and went on to infect businesses, schools and hospitals. FakeGlobe surfaced in June this year and was posing in fake invoices.
Between 4 and 5 September this year, Trend Micro was forced to block more than 290,000 spam emails that were being spewed out to dozens of countries including the US, China and Germany.
The messages had links and attachments disguised as invoices and bills. They were sent purposefully during work hours to increase the chance of victims clicking. The massive campaign had a .doc file packaged with a malicious macro – what experts called a "widely-used tactic."
Sender IP addresses were later tracked to India, Vietnam and Iran.
"A total of 185 different countries were involved in spreading these two samples, which gives us an idea of the distribution channel's size," Trend Micro said after analysing multiple malware samples, adding that evidence indicated both strains were sent from the same source.