Royal Mail impersonated in Prince ransomware campaign


Companies in the UK and the US have been targeted in a new campaign impersonating the British postal carrier Royal Mail to deliver ransomware that’s freely available on GitHub.

The campaign, discovered by cybersecurity firm Proofpoint in mid-September, was described as “low-volume” but potentially “destructive.”

Although it reached only a small number of individuals and companies, each email carried a unique PDF attachment impersonating Royal Mail.


The lure emails informed the potential victims that their delivery had to be rearranged within 48 hours. The recipients were urged to bring a printed invoice attached to the message to the nearest Royal Mail office.

The attached “invoice” was, in fact, a malicious file that eventually led to the download of Prince ransomware. According to Proofpoint, the ransomware is freely available to anyone on GitHub, the code-hosting platform.

The ransom note claimed that files had been exfiltrated and that the threat actor would automatically decrypt all files once bitcoin worth roughly $400 was paid.

However, cybersecurity experts were left questioning the purpose of the attack.

“It appears there are no decryption mechanisms once files are encrypted, and there is no capability for data exfiltration, thus the ultimate outcome of the attack would be destructive rather than typical ransomware,” Proofpoint said.

“It is unclear if this is a mistake by the threat actor, or if the attack was designed to be destructive,” it said in a report detailing the campaign, adding that threat actors likely had no intention to decrypt any files even if the victim paid.

[Image: Email impersonating Royal Mail. Image by Proofpoint]

Additionally, rather than emailing organizations directly, the threat actor in most cases submitted messages through the public contact forms on their websites, according to the researchers.


“Using contact forms to initially contact the recipient means the actors do not need to identify a contact email directly, and the email could be received by multiple different people who have access to a contact form recipient alias,” the report read.

This could include people who use work email addresses to receive mail forwarded from contact forms and websites that are unrelated to their job or employer.
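The contact-form route described above works because a web form relays whatever a stranger types straight into a shared mailbox, with no attachment scanning, no sender verification and usually no banner telling the recipient where the message came from. The following added example (written for this page, not code from Proofpoint or from the campaign) shows the kind of triage step a practitioner would bolt onto a form-to-mailbox relay: it scores each submission on lure traits the article mentions (links, a "within 48 hours"-style deadline, a parcel-delivery theme, a risky attachment type), defangs any URLs so nobody can click them, prepends a banner stating that the sender identity is unverified, and tags the subject for quarantine above a threshold. The scoring weights, threshold, extension list and the two sample submissions are all constructed assumptions, not indicators from the report.

```python
"""Triage public contact-form submissions before relaying them to a shared mailbox alias.
Added example; the weights, threshold and sample messages below are assumptions, not
indicators taken from Proofpoint's report."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Hypothetical policy values for this example.
RISKY_EXTENSIONS = {"pdf", "zip", "iso", "lnk", "js", "vbs", "exe", "htm", "html"}
QUARANTINE_THRESHOLD = 4

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
DEADLINE_RE = re.compile(r"\bwithin\s+\d+\s*(?:hours?|hrs?|days?)\b", re.IGNORECASE)
CARRIER_RE = re.compile(r"\b(?:royal\s*mail|parcel|delivery|redeliver)\b", re.IGNORECASE)


@dataclass
class Submission:
    name: str
    claimed_email: str  # typed by the submitter; the form cannot verify it
    message: str
    attachments: list[str] = field(default_factory=list)  # only if the form accepts uploads


@dataclass
class Verdict:
    score: int
    reasons: list[str]
    quarantine: bool
    relayed_subject: str
    relayed_body: str


def defang(url: str) -> str:
    """Make a URL non-clickable in the relayed mail (http -> hxxp, '.' -> '[.]')."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def triage(sub: Submission) -> Verdict:
    score = 0
    reasons: list[str] = []

    urls = URL_RE.findall(sub.message)
    if urls:
        score += 2
        reasons.append(f"{len(urls)} link(s) in message")
    if DEADLINE_RE.search(sub.message):
        score += 2
        reasons.append("urgency deadline phrasing")
    if CARRIER_RE.search(sub.message):
        score += 1
        reasons.append("parcel/delivery theme")
    risky = [a for a in sub.attachments if a.rsplit(".", 1)[-1].lower() in RISKY_EXTENSIONS]
    if risky:
        score += 3
        reasons.append("risky attachment type: " + ", ".join(risky))

    quarantine = score >= QUARANTINE_THRESHOLD
    banner = (
        "This message was submitted through the public website contact form.\n"
        f"Submitter-typed sender: {sub.name} <{sub.claimed_email}> (NOT verified)\n"
        f"Triage score: {score} ({'; '.join(reasons) or 'no findings'})\n"
    )
    body = banner + "\n" + URL_RE.sub(lambda m: defang(m.group(0)), sub.message)
    tag = "[WEB FORM - QUARANTINED] " if quarantine else "[WEB FORM] "
    return Verdict(score, reasons, quarantine, tag + f"Message from {sub.name}", body)


# Constructed sample submissions (not real campaign messages).
LURE = Submission(
    name="Royal Mail",
    claimed_email="no-reply@example.com",
    message=("Your parcel could not be delivered. Please rearrange delivery within 48 hours "
             "at http://example.invalid/track and bring the printed invoice to your nearest office."),
    attachments=["invoice.pdf"],
)
BENIGN = Submission(
    name="J. Smith",
    claimed_email="jsmith@example.org",
    message="Hello, could you send me a quote for 200 units of your widget? Regards, J.",
)

if __name__ == "__main__":
    for sub in (LURE, BENIGN):
        v = triage(sub)
        print(v.relayed_subject, "| score", v.score, "| quarantine", v.quarantine)
```

In a real deployment the relay step would also drop or detonate uploads rather than forward them, and the banner is the important part: once a message is labelled as having come from an unauthenticated web form, a recipient on the shared alias has no reason to treat it as a notice from a carrier they actually use.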

According to Proofpoint, threat actors like TA578 have “consistently” used contact forms to deliver malware but it’s unclear who’s behind this most recent Royal Mail impersonation campaign.

“Because the ransomware is openly available on GitHub, it can be used and modified by various threat actors,” Proofpoint said.

The GitHub account hosting Prince ransomware strongly suggests that its creators will customize the malware to evade security controls for a fee, according to the firm.

“Despite claims from the accounts’ creators that the malware should only be used for educational purposes, threat actors often use these tools in malicious campaigns,” Proofpoint said, noting that repositories like GitHub host a “variety” of hacking tools.

Royal Mail is frequently impersonated by threat actors and has a list of a number of “typical online scams to look out for” on its website, including different types of email campaigns.