This devious ransomware is spreading through fake Tripadvisor complaints
Your restaurant isn’t getting suspended from TripAdvisor - it’s a ransomware scam
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
Restaurant owners are being targeted by redesignedransomwarein a new campaign that impersonates TripAdvisor, experts have found.
Cybersecurity researchers from Sophos found a new phishing campaign in which victims are getting emails claiming to come from TripAdvisor and holding complaints from customers. The emails will try to deliver an attachment named “TripAdvisorComplaint.zip” which, if downloaded, will either hold an executable file called “TripAdvisor Complaint - Possible Suspension.exe”, or an HTML file of a similar name.
It’s business as usual for hackers distributingmalwarevia emails - the contents are meant to create a sense of urgency and disaster with the victim, so that they don’t act rationally and don’t think before downloading the files.
Paying with Bitcoin
Those that fall for the trap and run the HTML file will suffer a Browser-in-the-Browser type of attack, and will think their browser opened a window to TripAdvisor, where they can read the complaints submitted to their restaurant. The “Read complaint” button will download an Excel XLL file called “TripAdvisor_Complaint-Possible-Suspension.xll” which, in turn, runs the Knight Lite ransomware encryptor.
The encryptor does the usual - encrypts the file and leaves a ransom note, demanding $5,000 in Bitcoin in exchange for the decryption key. BleepingComputer says that multiple victims got the same Bitcoin address in their ransom note, which only adds further risk to the payment - there’s no way of proving who made the payment, and someone else can swoop in and claim the payment (and the decryption key) for themselves.
Ransomware is up significantly this year - is your business a prime target?>A shocking number of businesses aren’t getting their data back after a ransomware attack>Here are the best endpoint protection tools right now
The good news is that by press time - no one seems to have paid the ransom demand. The Bitcoin address - 14JJfrWQbud8c8KECHyc9jM6dammyjUb3Z - currently has no funds and nothing in the transaction history. The ransomware leak site is also empty, BleepingComputer found.
The Knight Lite ransomware encryptor is a rework of the Cyclops ransomware-as-a-service, which launched in May 2023 and rebranded a few months later. The encryptors are available for Windows, macOS, and Linux.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Via:BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
Google puts Nvidia on high alert as it showcases Trillium, its rival AI chip, while promising to bring H200 Tensor Core GPUs within days
A new form of macOS malware is being used by devious North Korean hackers
Belkin’s Travel Bag for Vision Pro has pockets and is way cheaper than Apple’s own case
