The Blank Slate spam operation has shifted from spreading the BTCware ransomware to spreading GlobeImposter ransomware version that adds the .crypt extension. This spam campaign is known as Blank Slate because all spam emails lack contents in the message body and also have blank subject lines.
At the same time, all emails include ZIP archive attachments named using the simple format: EMAIL_(Random Numbers)_(Recipient Name).ZIP.
If victims open this ZIP file they will find another ZIP file inside called like: (Random Numbers).ZIP. This second ZIP file then carries a random named dubious JS script. So names development will looks like this: EMAIl_372616_legaldept.zip > 372616.ZIP > sdeSh.js.
Once launched, the JS script will contact a special website controlled by criminals and download an executable file named 1.dat.
A remarkable feature of the most recent downloaded virus executable is that it signed by the Thawte Certificate Authority.
When the .dat file is downloaded, it will run and install any payload malware authors believe suitable. Most recently the installed virus is a GlobeImposter ransomware variant that adds .crypt extension to locked files.
While encrypting data files this virus is presenting a ransom note called !back_files!.html in all folders on the victim’s machine. In the ransom note hackers instruct their victims to send messages to contact [email protected] to get further payment instructions.