ShadowRoot is a newly reported, ongoing ransomware campaign targeting organisations in Turkey.
According to the reports, the campaign relies on phishing emails, sent from a Russian domain, that carry malicious PDF attachments disguised as invoices.
Researchers explained that the attack begins with the emailed PDF, which looks like a legitimate invoice. The PDF acts as a lure rather than an exploit document: it contains a link that, when the recipient follows it, downloads an executable from a compromised GitHub repository.
The downloaded payload is a Delphi binary that carries additional components intended to hide the attack's activity and evade known security products.
Those components ultimately launch the primary ransomware payload, RootDesign.exe, which systematically encrypts files on the victim's machine and appends the .ShadowRoot extension to each encrypted file.
The campaign then presents a ransom note written in Turkish, instructing victims to contact the attackers by email for payment and decryption instructions.
The ransomware also opens an SMTP connection to smtp[.]mail[.]ru on port 587 as its command-and-control channel and sends information to email accounts believed to be tied to kurumsal[.]tasilat@internet[.]ru. Port 587 is the standard mail-submission port, so this traffic will usually pass perimeter controls that allow outbound email; the useful detection signal is a process other than a mail client, on a user workstation, submitting mail directly to a public webmail provider.
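The two behaviours above, the .ShadowRoot rename and the direct SMTP connection from a non-mail process, are easy to turn into endpoint detection logic. The following is an added example written for this page, not code from the researchers' report; the indicators (smtp.mail.ru:587, the .ShadowRoot extension, the RootDesign.exe name) are taken from the article, while the key=value event format, the mail-client allow-list and the sample events are constructed assumptions to make it run offline.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Indicators taken from the article (written there in defanged form).
C2_SMTP_HOST = "smtp.mail.ru"
C2_SMTP_PORT = 587
RANSOM_EXT = ".shadowroot"        # matched case-insensitively; reports write it both ways
PAYLOAD_NAME = "rootdesign.exe"

# Assumption: processes allowed to submit mail on 587 in this estate. Not from the article;
# tune to your own baseline.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Constructed sample telemetry in a simplified key=value line format (not real logs).
SAMPLE_EVENTS = r"""
type=file_rename host=WS-12 process=C:\Users\ayse\AppData\Local\Temp\RootDesign.exe old=C:\Users\ayse\Documents\fatura.xlsx new=C:\Users\ayse\Documents\fatura.xlsx.ShadowRoot
type=net_connect host=WS-12 process=C:\Users\ayse\AppData\Local\Temp\RootDesign.exe dst=smtp.mail.ru dport=587
type=net_connect host=WS-07 process=C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE dst=smtp.mail.ru dport=587
type=file_rename host=WS-07 process=C:\Windows\explorer.exe old=C:\Users\mehmet\notes.txt new=C:\Users\mehmet\notes.md
type=net_connect host=WS-03 process=C:\Windows\System32\svchost.exe dst=update.example.com dport=443
"""


@dataclass(frozen=True)
class Alert:
    host: str
    process: str
    reasons: tuple  # subset of: ransom_extension, smtp_c2, known_payload_name


def parse_event(line: str) -> Dict[str, str]:
    """Split a key=value line. Values may contain spaces (Windows paths), so split
    only on whitespace that is immediately followed by another key=."""
    fields = re.split(r"\s+(?=\w+=)", line.strip())
    return dict(f.split("=", 1) for f in fields if "=" in f)


def basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()


def classify(ev: Dict[str, str]) -> List[str]:
    """Return the detection reasons that apply to one event (empty list = benign)."""
    reasons: List[str] = []
    proc = basename(ev.get("process", ""))
    # Encryption activity: a file renamed to carry the ransomware's extension.
    if ev.get("type") == "file_rename" and ev.get("new", "").lower().endswith(RANSOM_EXT):
        reasons.append("ransom_extension")
    # C2/exfil: mail submission to the reported server from something that is not a mail client.
    if (ev.get("type") == "net_connect"
            and ev.get("dst", "").lower() == C2_SMTP_HOST
            and ev.get("dport") == str(C2_SMTP_PORT)
            and proc not in MAIL_CLIENTS):
        reasons.append("smtp_c2")
    # Weakest signal on its own: the payload's reported file name, trivially changed by an attacker.
    if proc == PAYLOAD_NAME:
        reasons.append("known_payload_name")
    return reasons


def detect(events_text: str) -> List[Alert]:
    alerts: List[Alert] = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        reasons = classify(ev)
        if reasons:
            alerts.append(Alert(ev.get("host", "?"), ev.get("process", "?"), tuple(reasons)))
    return alerts


def hosts_with_both(alerts: List[Alert]) -> List[str]:
    """Hosts showing both the encryption rename and the SMTP beacon: highest confidence."""
    seen: Dict[str, set] = {}
    for a in alerts:
        seen.setdefault(a.host, set()).update(a.reasons)
    return sorted(h for h, r in seen.items() if {"ransom_extension", "smtp_c2"} <= r)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(a)
    print("high-confidence hosts:", hosts_with_both(found))
```

Note that Outlook submitting to smtp.mail.ru is deliberately not alerted on: a user with a personal mail.ru account configured in a desktop client produces exactly that connection, so the process allow-list is what separates the beacon from benign traffic. Correlating the rename and the connection on the same host is what raises confidence enough to act.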
ShadowRoot appears to be a simple ransomware variant, and researchers believe it was written by an amateur developer or aspiring attackers.
Despite its rudimentary capabilities, the ransomware has successfully hit Turkish businesses by tricking them into downloading the payload via bogus PDF invoices. The Turkish ransom note, the .ShadowRoot extension and the link to a Russian SMTP server suggest a targeted strategy that is more deliberate than the crude tooling would imply.
Researchers advise organisations to stay alert and strengthen email security controls to reduce the risk from such ransomware attacks; keeping security processes current and training staff to recognise phishing remain critical to preventing a breach. The reported indicators also give defenders concrete controls: alert on outbound SMTP from user workstations to non-corporate mail servers, and on mass file renames to the .ShadowRoot extension.