Table of Contents

All About Spider Ransomware
Ransomware /

All About Spider Ransomware

Last year we witnessed many ransomware attacks targeting our devices in new and improved ways. With the beginning to new year it looks like this year, the attacks will only amplify in number as wells as impact. There is no stop to stop ransomware attacks, they are on rise and are becoming more sophisticated and effective with time.

Recent reports show that a new variant is added to the list targeting users from Balkan region. Dubbed as Spider Ransomware. The malware is launched via a fake Word document sent as an Email attachment with Bosnian subject line “Potraživanje Dugovanja”, translated as “Debt Collection” by Google Translator.

How Ransomware Spreads

Hackers are using the same old technique to spread the infection. They send a spam Email with a word document as attachment (BAYER_CROPSCIENCE_OFFICE_BEOGRAD_93876.doc) that asks user to enable macro.

How Ransomware Spreads

Once the macro is enabled by clicking on the “Enable Editing” button the malicious macro can run. It then downloads the malicious executables via PowerShell script that is Base64 encoded.

Also Read: Prevent yourself from Cyberbullying

When run two XOR encrypted .exe files are downloaded named ‘enc.exe’ and ‘dec.exe’.

How Ransomware Spreads 1

Embedded macro

These files are downloaded, saved and decrypted at ‘%AppData%\Spider’re location.

Working of Both Executable Files

Enc.exe scans the local drive, encrypts targeted file types with AES-128-bit encryption and renames the files to. spider extension.

After this, a file named HOW TO DECRYPT FILES.url is saved in any random encrypted folder. This aim of this URL is to play a video tutorial on how to decrypt the files. Finally, the exe creates another file named ‘%UserProfile%\AppData\Roaming\Spider\5p1d3r’ and deletes itself, to activate the second file exe file ‘dec.exe’.

Dec.exe this executable file creates an entry in Windows Registry to show the ransom note at startup. This note with help of a GUI shows how to make payment. The GUI is designed to help the user to make the payment easily. It provides step by step instructions as to how to get Bitcoins through Tor browser to make the payment.

Working of Both Executable Files

File Spider in action

User is then given a time limit of 96-hours to pay the ransom and decrypt the files. If he fails to do so all the files will be permanently blocked and decryption key will not work.

Also Read: Cyber Threats to Fear in 2018

There is bad news for those who have fallen victim to this attack, there is no other way to decrypt data at present. The only way is to pay ransom.

Common Practices to Stay Protected

To stay protected one should follow the following rules:

  1. Always scan documents and applications before uploading on cloud.
  2. Don’t allow anyone to take remote access of your device even if they claim to fix your system.
  3. Scan all attachments before downloading.
  4. Quarantine/block the threats or any application that seem to behave suspiciously.
  5. Block downloads from untrusted sources and add them to the block list.
  6. Take regular backup of data or setup an incremental backup on regular intervals.
  7. Enable “View known file extensions” option.
  8. Don’t run exe files received from unknown sources or as an attachment received in the Emails.
  9. Avoid opening untrusted attachments, irrespective of their extensions or filenames.
  10. Avoid executing/enabling unsigned macros.
  11. Use updated Antivirus and Firewall with maximum security.


Ransomware is advancing and it prevails to be an ongoing threat. It tops the threat charts as it helps cyber criminals to earn huge amount in short duration. Spider ransomware is a new entry into the field of ransomware, creating a web of attacks giving 96 hours to the victim to pay ransom.

Also Read: What Is Rootkit and How To Get Rid Of It?

As ransomware attacks are increasing companies and governments should take initiative to educate citizens and employees about the effect of ransomware and how to safeguard their data from such attacks. The first step towards is to take regular backup of important data. Plus, macros should be disabled and if they receive a document asking to enable macros received from unknown sources shouldn’t be entertained.  These steps will surely help them to stay one step ahead of the cyber criminals.

Leave a Reply

Your email address will not be published. Required fields are marked *