Cyber Attackers Use Royal Mail Impersonation To Spread Ransomware
In a Rush? Here are the Quick Facts!
- Proofpoint revealed a ransomware campaign impersonating Royal Mail.
- Ransom demand for decryption was $400 in Bitcoin.
- The ransomware was designed for destruction rather than profit.
On Wednesday, Proofpoint researchers published a report uncovering a cyber campaign impersonating the British postal carrier, Royal Mail, to distribute Prince ransomware.
This ransomware variant, which is openly available on GitHub, carries a disclaimer stating it is intended solely for educational purposes. However, it has been weaponized in a targeted attack affecting organizations in both the UK and the U.S.
The Prince ransomware attack started with attackers impersonating Royal Mail, utilizing public contact forms on targeted organizations’ websites to send misleading emails. These emails contained a PDF that linked to a Dropbox-hosted ZIP file, luring victims into downloading it.
Inside the ZIP file was a second password-protected ZIP, along with a text file disclosing the password, which created a false sense of security for the victims.
Once opened, a shortcut file executed obfuscated JavaScript code that created several files in the system’s temporary directory. This code utilized PowerShell scripts to bypass security measures and establish persistence, running every 20 minutes while the computer was idle.
When the ransomware was executed, it encrypted victims’ files with a “.womp” extension and displayed a fake Windows Update splash screen to obscure its malicious activity.
A ransom note on the desktop demanded payment of 0.007 Bitcoins (around $400) for decryption. However, the analysis revealed that the ransomware had no decryption mechanism or data exfiltration capability, suggesting it was designed for destruction rather than profit.
Because the campaign includes neither a decryption mechanism nor any data exfiltration capability, it is more destructive than typical ransomware. The ransomware also embeds no unique victim identifiers, so even if victims pay, there is no guarantee of file recovery.
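The attack chain described above (a password-protected ZIP nested inside a plain one, with the password in a sibling text file, followed by mass renaming of files to ".womp") lends itself to two simple defender-side checks. The following is an added example written for this article; it is not Proofpoint's code, Royal Mail's, or anything from the Prince repository. The ".womp" extension is the one the report names; the archive member names, the password text, the rename threshold and the time window are constructed assumptions. The sample archive is built in memory and never extracted, and the rename events are a constructed list.

```python
"""Triage checks for the lure and impact described above.

Added example (not Proofpoint's or Royal Mail's code). Two defender-side checks:
  1. nested_password_lure(): an outer ZIP holding an inner ZIP whose entries are
     flagged as encrypted, next to a small text file mentioning a password.
  2. rename_bursts(): many files gaining the same new extension in a short window
     (".womp" is the extension the report names; the threshold is assumed).
The sample archive and rename events are constructed inline; nothing is fetched.
"""
import io
import os
import struct
import zipfile

ENCRYPTED_FLAG = 0x1   # general-purpose bit 0 of a ZIP header marks an encrypted entry


def _mark_entries_encrypted(zip_bytes: bytes) -> bytes:
    """Set the encrypted bit in every local and central header of a ZIP.

    The stdlib cannot write password-protected archives, so the constructed inner
    ZIP is patched to present the same flag a real protected archive shows to
    ZipFile.infolist(). Offsets are unchanged; only the 16-bit flag word is edited.
    """
    buf = bytearray(zip_bytes)
    for sig, flag_off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(sig)
        while pos != -1:
            (flags,) = struct.unpack_from("<H", buf, pos + flag_off)
            struct.pack_into("<H", buf, pos + flag_off, flags | ENCRYPTED_FLAG)
            pos = buf.find(sig, pos + 4)
    return bytes(buf)


def build_constructed_lure() -> bytes:
    """Outer ZIP -> (inner 'protected' ZIP + password.txt), mirroring the report."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_STORED) as zf:
        # Placeholder bytes under a shortcut-style name; not a real .lnk file.
        zf.writestr("Delivery_Notice.lnk", b"constructed placeholder")
    inner_bytes = _mark_entries_encrypted(inner.getvalue())

    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Royal_Mail_Notice.zip", inner_bytes)              # constructed name
        zf.writestr("password.txt", "Archive password: Parcel2024\n")  # constructed text
    return outer.getvalue()


def build_benign_archive() -> bytes:
    """Control case: two plain documents, no nested archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.txt", "quarterly figures\n")
        zf.writestr("notes.txt", "nothing to see here\n")
    return buf.getvalue()


def nested_password_lure(outer_bytes: bytes) -> dict:
    """Report the lure indicators present in an outer ZIP without extracting the inner one."""
    result = {"nested_archive": False, "inner_zip_encrypted": False, "password_note": False}
    with zipfile.ZipFile(io.BytesIO(outer_bytes)) as outer:
        for info in outer.infolist():
            name = info.filename.lower()
            if name.endswith(".zip"):
                result["nested_archive"] = True
                with zipfile.ZipFile(io.BytesIO(outer.read(info))) as inner:
                    # infolist() parses only headers, so the flag is visible without a password.
                    if any(i.flag_bits & ENCRYPTED_FLAG for i in inner.infolist()):
                        result["inner_zip_encrypted"] = True
            elif name.endswith(".txt") and info.file_size < 4096:
                text = outer.read(info).decode("utf-8", "replace").lower()
                if "password" in text:
                    result["password_note"] = True
    result["suspicious"] = result["inner_zip_encrypted"] and result["password_note"]
    return result


def rename_bursts(events, window_seconds=60, threshold=20):
    """events: (unix_time, old_path, new_path). Return [(ext, peak_count)] for
    extensions gained by at least `threshold` files inside any window_seconds span."""
    by_ext = {}
    for ts, old, new in events:
        ext = os.path.splitext(new)[1].lower()
        if ext and os.path.splitext(old)[1].lower() != ext:
            by_ext.setdefault(ext, []).append(ts)
    bursts = []
    for ext, times in by_ext.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window_seconds:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts.append((ext, peak))
    return bursts


# Constructed rename events: 25 documents renamed to *.womp within 25 seconds,
# plus one unrelated rename much later.
CONSTRUCTED_EVENTS = [
    (1_700_000_000 + i, f"C:/Users/u/Docs/f{i}.docx", f"C:/Users/u/Docs/f{i}.docx.womp")
    for i in range(25)
] + [(1_700_000_900, "C:/Users/u/draft.tmp", "C:/Users/u/draft.txt")]

if __name__ == "__main__":
    print(nested_password_lure(build_constructed_lure()))
    print(nested_password_lure(build_benign_archive()))
    print(rename_bursts(CONSTRUCTED_EVENTS))
```

The archive check deliberately reads only headers of the inner ZIP, so it never needs the password and never unpacks the payload; in a mail or web gateway the same three indicators can be logged as separate fields and combined with whatever scoring the gateway already applies. The rename detector is extension-agnostic: any burst of files gaining one new extension trips it, which matters because an open-source variant is easy to rebuild with a different suffix.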
Proofpoint did not attribute this malicious activity to any specific threat actor. The open-source nature of the Prince ransomware allows various actors to modify and deploy it freely. The creator, known as SecDbg, openly offers modifications for bypassing security measures, further complicating attribution efforts.
This incident underscores the evolving landscape of ransomware threats. Although ransomware attacks typically do not originate directly from email, the use of website contact forms as a delivery method reflects a broader trend.
This is particularly concerning as postal services such as Royal Mail, UPS, and FedEx are regularly impersonated by malicious actors. Customers often receive fraudulent phone calls, text messages, and emails that seem to be official communications but are actually scams, as noted by The Record.
To help combat this issue, Royal Mail publishes a useful list of common scams that exploit its brand.
Organizations are urged to train their employees to recognize suspicious communications and to report any anomalies to internal security teams. As cyber threats grow increasingly sophisticated, vigilance and education are key to preventing potential breaches.