File Spider ransomware demands to pay the ransom within 96 hours

New File Spider ransomware has emerged on the cyberspace

File Spider ransomware gives 96 hours to pay the ransom

The security experts have recently spotted a new ransomware-type virus called File Spider[1]. It aims to reach the computers of people located in the Balkan region, including Croatia, Herzegovina, Bosnia, Serbia, etc.

The simplified steps which File Spider ransomware overcomes starts from reaching the targeted systems as an infected Office Word document via the malspam campaign[2]. Once the user opens it, the PowerShell command drops two executable files of the virus — dec.exe and enc.exe.

Afterward, Spider ransomware starts data encryption, appends .spider extension, and opens File Spider [] window which serves as a ransom note. The developers of the malicious program demand to pay the ransom within 96 hour period or the decryption key will be deleted.

To make sure that the victims will have all the necessary information to make the payment quickly, hackers even created a video tutorial on how to recover encrypted files and uploaded it to The link to the video is indicated in the ransom note as hxxp://spiderwjzbmsmu7y.onion.

However, cybersecurity specialists remind you never to agree to follow the rules of the attackers. They are not trustworthy and may take advantage of their power to increase the amount of the ransom once you decide to pay. Likewise, remove File Spider virus and head to the alternative data recovery methods.

The detailed analysis of ransomware peculiarities

The victims receive an email with the subject line Potrazivanje dugovanja which means Debt Collection in English[3]. The letter contains an Office Word document written in Bosnian language and hides an obfuscated macro code inside. If the victim opens the report, the malicious script launches Windows PowerShell.

Afterward, PowerShell downloads the payloads of the File Spider ransomware which are Base64 encoded on the free JavaScript hosting website — Once the download is finished, the ASCII string is decoded. Additionally, the task management framework uses AleberTI key in XOR operation to decrypt the final payloads and store them inside the executable files.

Those two executables are designed for different purposes. While enc.exe is used for data encryption, dec.exe displays the ransom note which encourages to make the payment to recover the corrupted information. The executables are stored in %APPDATA% /Spider directory on the victimized computer.

The Netskope researcher, Amit Malik, noted that[4]:

Spider ransomware decryptor monitors the system processes and prevents opening of windows utility tools like taskmgr, procexp, msconfig, regedit, cmd, outlook, winword, excel, and msaccess.

Likewise, it blocks the computer system to make sure that the malicious processes won't be stopped or interrupted.

Initials give the allusion to the developers of Spider virus

During the analysis, experts have spotted a signature file which is named 5p1d3r in the Spider folder. Even though it might seem that the document is useless, it contains K.T.N Cr3w initials. Malware analysts suggest that this might be the linkage to the malevolent people who have developed File Spider.

Note that new ransomware attacks might emerge on the cyberspace any minute. To protect your computers from the malicious programs like Spider ransomware, Netskope experts advise the users to do the following[5]:

Regularly back up and turn on versioning for critical content in cloud services, enable the “View known file extensions” option on Windows machines and avoid executing any file unless they are very sure that they are benign.

Additionally, we want to remind you to use a professional security software and make sure that it is regularly updated. Criminals often use exploit kits to detect system vulnerabilities and take advantage of them when infiltrating ransomware-type programs.

About the author
Julie Splinters
Julie Splinters - Anti-malware specialist

Julie Splinters is the News Editor of 2-spyware. Her bachelor was English Philology.

Contact Julie Splinters
About the company Esolutions