Prince Ransomware has been identified in a new campaign where cybercriminals imitate Royal Mail, a British postal service, to target victims in the United Kingdom and the United States. Researchers have discovered this malicious behaviour, highlighting the persistent threat of ransomware attacks on trustworthy systems.
The campaign took place in mid-September, with low-volume action affecting only a few businesses. Interestingly, most of the emails appeared to be sent using contact forms on the websites of the target businesses. This shows that the attackers targeted both direct emails and public contact forms.
Prince is a variant of ransomware that was made public on GitHub. Unlike many other types of ransomware, Prince is written entirely from scratch using the Go programming language.
Its primary objective is to render files unrecoverable using standard recovery tools, ensuring that the impacted files can only be accessed again by the authorised decryptor.
How Prince Ransomware Exploits Fake Royal Mail Invoices?
Researchers found that this campaign appeared to be only focused on destruction, lacking any tools for decrypting data or stealing it, in contrary to usual ransomware attacks that encrypt data and demand a payment.
Though it affected only a small number of individuals and companies, the campaign was notable for its use of emails with a unique PDF attachment, falsely claiming to be from Royal Mail. These emails informed recipients they needed to reschedule their delivery within 48 hours.
Royal Mail warned customers about deceptive SMS messages that attempted to deceive them into rebooking package delivery or resolving fake delays.
The attackers further urged that victims submit a printed invoice to the closest Royal Mail office, with the invoice purportedly attached. But in reality, this “invoice” was a malicious file that finally caused the Prince ransomware to download.
After being deployed, the ransomware claimed to have exfiltrated data and promised immediate recovery in exchange for a $400 bitcoin payment. Even when the ransom was paid, there was no such decryption key.
According to researchers:
Based on the lack of a link to determine which user has paid to have their files decrypted, and which infected computer belongs to the user who paid, paired with the lack of communication instructions, this appears to be a destructive attack, with threat actors likely having no intention of decrypting any files, even if the victim paid.
The low ransom sum and cryptic threats raise questions about intentions beyond money, maybe pointing to a plot to spread panic or divert attention from more important goals.
Businesses must be cautious when receiving emails, especially when it comes to clicking on links, in order to protect their company against such risks. Employees can be educated more aware of phishing techniques and trained to spot suspicious emails by putting in place comprehensive training programs.
Start your Phishing Tackle security awareness training today with our two-week free trial and empower your team to navigate emails safely while minimising risks. Consulting with Phishing Tackle can provide valuable insights and tools to help you strengthen your defences against phishing attacks.