The National CERT of the Republic of Serbia (SRB-CERT) is warning all computer and mobile device users about the spread of a new ransomware named Spider.
The Spider malware was detected on December 10, 2017, and is assumed to belong to the "File-Spider" type. This type of malware encrypts all files stored on the computer or mobile device so that they cannot be opened. It prevents the user from using the computer or accessing certain files unless the user pays a ransom and thereby buys the decryption keys.
The malware comes from the e-mail address email@example.com. All messages received so far were written in the Serbian language, titled "Debt Claim – ХХХХХХХ" ("Potraživanje dugovanja – ХХХХХХХ" in Serbian), and signed by a fictitious debt collector, Ivan Azeljković. The message text refers to the enforcement of a specific Belgrade Basic Court decision and provides the account number for paying the prescribed amount. It also explains that, since the given information is private, the attached Microsoft Word file had to be created. Finally, the recipient is instructed to click on "Enable Editing" and then on "Enable Content" on the ribbon.
Information about this type of malware on social networks points to the Balkan region, which is correct, since the same attacks have been carried out in the Republic of Srpska and Bosnia and Herzegovina.
SRB-CERT advises all users not to open the attachment from the said e-mail and to create backup copies of all important computer and mobile device files on a regular basis.
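As an added example (not part of the SRB-CERT advisory), the following Python code checks a raw e-mail message for the characteristics described above: the subject line, the signer's name, and a Word attachment. The function names, the list of Word file extensions, and the sample message are assumptions made for illustration.

```python
import email
import unicodedata
from email import policy
from email.message import EmailMessage

# Indicators taken from the advisory text (diacritics folded, lower case).
SUBJECT_MARKER = "potrazivanje dugovanja"
SIGNER_MARKER = "ivan azeljkovic"
# Assumption: Word attachments are recognised by these common extensions.
WORD_EXTENSIONS = (".doc", ".docx", ".docm", ".dot", ".dotm", ".rtf")


def fold(text):
    """Lower-case and strip diacritics so 'Potraživanje' matches 'potrazivanje'."""
    decomposed = unicodedata.normalize("NFKD", text or "")
    return "".join(c for c in decomposed if not unicodedata.combining(c)).casefold()


def triage(raw_bytes):
    """Return the advisory indicators found in one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    # policy.default decodes RFC 2047 encoded-word subjects for us.
    if SUBJECT_MARKER in fold(str(msg["subject"])):
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None and SIGNER_MARKER in fold(body.get_content()):
        hits.append("signer")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(WORD_EXTENSIONS):
            hits.append("word-attachment:" + name)
    return hits


def build_sample():
    """Constructed sample (not a captured message) shaped like the advisory's description."""
    m = EmailMessage()
    m["From"] = "sender@example.com"                    # placeholder address
    m["To"] = "user@example.org"                        # placeholder address
    m["Subject"] = "Potraživanje dugovanja – 1234567"   # constructed number
    m.set_content("Poštovani,\n(tekst poruke)\n\nIvan Azeljković\n")
    m.add_attachment(b"placeholder bytes", maintype="application",
                     subtype="msword", filename="odluka.doc")  # constructed name
    return m.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample()))
```

A message that matches all three indicators is a strong candidate for quarantine; a match on the attachment type alone is common in legitimate mail and should not be treated as a detection by itself.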
If the computer has already been infected, the recommended procedure is as follows:
- remove the infected device from the network,
- inform the National CERT of the Republic of Serbia about the incident via the e-mail address firstname.lastname@example.org,
- DO NOT pay a ransom, since there is no guarantee that you will receive the decryption keys and be able to restore the infected files.