Serpent ransomware is the newest cyberthreat. Security researchers have uncovered that the ransomware, believed to be a variant of HadesLocker, is currently being distributed via spam emails. The ransomware also comes with a dedicated "Help & Support" section for its victims.
According to Proofpoint researchers, the ransomware was first discovered on 7 February and was being distributed via emails containing links to malicious Microsoft Office documents, rather than the documents themselves as attachments. Serpent is currently believed to be targeting Danish victims. The Office document contains malicious macros which, once the document is opened and the user enables macros, start the infection of the victim's system.
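The delivery vector above is a macro-bearing Office document fetched from a link, so a practical first check at a mail gateway or web proxy is whether a downloaded document even carries a VBA project. The following is an added example, not code from the article or from the researchers it cites: it inspects an OOXML package (.docm/.docx/.xlsm/.pptm) for the vbaProject.bin part, flags legacy OLE2 .doc/.xls files that need deeper inspection, and builds its own constructed sample packages so it runs offline. The function and class names are this example's own assumptions.

```python
"""Triage an Office document: does it carry a VBA macro project?

Added example (not from the article). Presence of a VBA project is not proof
of malice, but a macro-enabled document arriving from an e-mailed link is
exactly the pattern described in the text and deserves sandboxing.
"""
import io
import zipfile

# Magic bytes for the two Office container formats.
ZIP_MAGIC = b"PK\x03\x04"                                   # OOXML (.docx, .docm, .xlsm, ...)
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"            # legacy binary (.doc, .xls, ...)

# In OOXML, VBA code is stored as a binary part named vbaProject.bin
# (e.g. word/vbaProject.bin, xl/vbaProject.bin).
VBA_PART_SUFFIX = "vbaproject.bin"


def classify_office_document(data: bytes) -> str:
    """Return one of: 'ooxml-with-vba', 'ooxml-no-vba', 'ole2-legacy', 'not-office'.

    'ole2-legacy' means the file is a binary Office container where macros are
    embedded in OLE streams; it needs a dedicated parser rather than zip listing.
    """
    if data.startswith(OLE2_MAGIC):
        return "ole2-legacy"
    if not data.startswith(ZIP_MAGIC):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        return "not-office"
    if any(n.endswith(VBA_PART_SUFFIX) for n in names):
        return "ooxml-with-vba"
    return "ooxml-no-vba"


def build_sample(with_macro: bool) -> bytes:
    """Constructed sample: a minimal zip container laid out like an OOXML package.

    The part contents are placeholders; only the package structure matters here.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            # Real vbaProject.bin parts are themselves OLE2 containers.
            zf.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in [
        ("macro-enabled package", build_sample(True)),
        ("plain package", build_sample(False)),
        ("legacy .doc header", OLE2_MAGIC + b"\x00" * 16),
        ("random bytes", b"hello, not an office file"),
    ]:
        print(f"{label:22s} -> {classify_office_document(blob)}")
```

The check deliberately stops at "has a VBA project": deciding whether the macros are malicious requires extracting and reading the VBA streams, which this example does not attempt.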
Unlike other "homegrown" malware variants, Serpent, according to the researchers, has been "carefully developed". The cybercriminals behind Serpent have also created dedicated "FAQ" and "Help & Support" sections, which give victims a way to contact the ransomware operators and provide detailed instructions on how to pay the demanded ransom and decrypt their files.
Serpent's authors are currently demanding 0.75 bitcoins ($730, £585) as ransom. However, the amount rises to 2.25 bitcoins if victims fail to pay within a week.
Proofpoint further points out that Serpent shares several similarities with HadesLocker, "specifically in the Command and Control (C&C) protocol, ransom note, and distribution techniques". Researchers also found that the ransomware does not encrypt the victim's data if the infected device is offline or otherwise cannot connect to its C&C (command and control) server.
According to a report by Bleeping Computer, security researchers from MalwareHunterTeam were able to get their hands on Serpent's source code, which also revealed that the ransomware collects geographical data and does not encrypt files if it determines that the victim's system is located in any of Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Kazakhstan, Moldova, Russia, Turkmenistan, or Tajikistan.
The ransomware also comes with a dedicated payment site, which presents each victim with a ransom note containing their device's unique hardware ID and instructions on how to make the payment. The ransomware's FAQ site also contains information for victims on ransom payment and on how their files have been encrypted.
Unfortunately, there is currently no known way for infected victims to recover their encrypted files without paying the cybercriminals the demanded ransom.
Proofpoint researchers noted, "While the distribution of Serpent is currently at a lower scale than that of Cerber, Sage 2.0, and others, it has the potential to become another player in the game of widely distributed ransomware. With Serpent, we continue to see distribution tricks such as download links to malicious documents in emails, rather than just document attachments."