A newly observed piece of ransomware is being distributed via a Netflix login generator, Trend Micro security researchers warn.
Netflix is certainly a high-profile target for cybercriminals, given its subscriber base of 93 million users in more than 190 countries, and stolen credentials can be abused in various ways. Attackers often attempt to monetize compromised accounts by selling them on the dark web or by exploiting server vulnerabilities, but also for the distribution of Trojans to steal users’ financial and personal information.
The newest manner in which miscreants are leveraging stolen Netflix credentials is ransomware distribution, and the attack method is pretty straightforward. Interested parties are lured with free Netflix accounts via a login generator that has been packed with malicious code.
Detected as RANSOM_ NETIX.A, the ransomware is targeting Windows 7 and Windows 10 computers and terminates itself if it runs on a different platform variant. The login generator is a tool typically used in software and account membership piracy, which can be usually found on websites for cracked applications, Trend Micro explains.
When the user executes the Netflix login generator, the executable drops another copy of itself (netprotocol.exe) and executes. The program’s main window provides users with a button to generate logins, which displays another prompt window when clicked on. This second window supposedly presents the user with the login information of a genuine Netflix account.
However, these are fake prompts and windows, and the ransomware uses them to distract the user while it has already started to encrypt files in the background. The malware, security researchers say, targets 39 file types that could be found under the C:Users directory.
The ransomware uses AES-256 encryption and appends the .se extension to the affected files. After completing the encryption process, the malware displays ransom notes to the victim, demanding $100 worth of Bitcoin (0.18 BTC) from its victims.
The malware was also observed connecting to its command and control (C&C) servers to send and receive information (customizing the ID number, for instance) and to download the ransom notes. One of these notes is set as the wallpaper of the infected machine.
“Malefactors are diversifying the personal accounts they target. Phished Netflix accounts, for instance, are an attractive commodity because one can be used simultaneously by different IP addresses. In turn, the victim doesn’t immediately notice the fraud—as long as it’s not topping the device limit. This highlights the significance for end users to keep their subscription accounts safe from crooks,” Trend Micro notes.
This incident brings to the spotlight not only the importance of keeping good account security, to ensure one’s credentials don’t end up being used by malicious actors, but also the risks involved in pirating content. It’s not only the ransom amount that users should take into consideration when thinking about ransomware, but also the fact that there is a possibility that they might never get their files back, even if they pay.
“Bad guys need only hack a modicum of weakness for which no patch is available—the human psyche. Social engineering is a vital component in this scam, so users should be smarter: don’t download or click ads promising the impossible. If the deal sounds too good to be true, it usually is,” Trend Micro concludes.