Being infected by one form of ransomware is bad enough, but those unfortunate to fall victim to a new cybercriminal campaign could find themselves having to pay to decrypt their files not once, but twice.
While a widespread email spam campaign with the intention of distributing ransomware isn't anything new, those behind a scheme detected during September have added a twist to this tried and testing technique: rotating the ransomware payload.
The two forms of ransomware distributed by this scheme are Locky - which has recently seen something of resurgence - and FakeGlobe, which first appeared in June. Those behind the campaign have designed it so the payload can be swapped, meaning the spam email might deliver Locky one hour then FakeGlobe the next.
Uncovered by cyber security researchers at Trend Micro, the nature of the campaign means it's possible for victims infected by one form of ransomware to still be vulnerable to a further attack from the next one in the rotation.
While it isn't the first time the same malicious servers has been seen to serve different malware in rotation - attackers have previously paired the likes of Trojans with ransomware - doubling up on ransomware was previously uncommon, but this new development is dangerous for victims who could give in and pay a ransom, only to find that they become infected again.
Hundreds of thousands of phishing emails disguised as bills and online invoices were distributed to potential victims around the world, encouraging the target to click on a link to view a bill.
That link contains a zip file which, once opened, runs a script to connect to a URL for downloading the ransomware payload - Locky or FakeGlobe.
Researchers believe that the payload changes every few hours, meaning that it's possible for one computer on a network to become infected with ransomware - and give into the ransom demand - before someone else on the network manages to fall victim to the other ransomware a few hours later.
"Since Locky and FakeGlobe are being pushed alternately, files can be re-encrypted with a different ransomware. Victims will have to pay twice or worse, lose their data permanently," said Trend Micro researchers.
While exact figures for the number of infections by this campaign aren't known, it's thought that using this distribution method to deliver ransomware in rotation has infected users in more than 70 countries, including Japan, China, the United States and Germany.
This latest development is stark reminders that while it's already a successful enterprise for criminals, ransomware is always evolving.
Since the campaign, Locky itself has evolved once again, with a researcher at Stormshield uncovering a new variant of the ransomware, Ykcol, which represents a reverse spelling of Locky. Previous new variants which have appeared in recent times include Diablo and Lukitus.
READ MORE ON CYBER CRIME
- Locky ransomware: How this malware menace evolved in just 12 months
- Ransomware shuts down 1 in 5 small businesses after it hits [CNET]
- What is phishing? How to protect yourself from scam emails and more
- Massive Locky ransomware campaign sends 23M messages in 24 hours [TechRepublic]
- After WannaCry, ransomware will get worse before it gets better