Phishing campaigns are retrieving their payload binaries from a single domain that's known to deliver Sage ransomware and Locky ransomware.
As of this writing, Sage comes in two versions. Researchers at SANS Internet Storm Center spotted the ransomware's most recent iteration sharing a malspam campaign with Cerber. Sage 2.0 infects a user's machine, encrypts their files, and demands 2,000 USD in ransom after users fall for the attack by running a .JS file or enabling malicious macros in a Word Document.
Sage's campaign that began on 26 January retrieves its payload binary from affections[.]top. This is the same domain from which attackers retrieved Locky ransomware on 30 January. Like Sage, Locky doesn't always operate alone. At one time, it shared a distribution channel with the Kovter ad fraud trojan.
Researchers at information security firm PhishMe feels the distribution of Sage and Locky from affections[.]top is significant. As they explain in a blog post:
"This overlapping infrastructure is a curious link between these two ransomware varieties and serves as a reminder of how malware support and distribution infrastructure is frequently reused. The distribution of Locky and Sage from this singular location also indicates that threat actors are leveraging new ransomware varieties such as Sage while continuing to use the reliable standby tools like Locky. This also provides evidence of the commodity status for ransomware tools like these. The similarity in delivery attributes and infrastructure is ultimately used in the distribution of distinct malware varieties with equal effectiveness for both."
To defend against these threats, organizations should block affections[.]top. They should also train their employees to be on the lookout for phishing emails. They can do so via the use of third-party security awareness training software.
Does this solution sound of interest to your organization?