Hackers pose as British postal carrier to deliver Prince ransomware in destructive campaign

Researchers have identified a new campaign in which hackers impersonated the British postal carrier Royal Mail to target victims in the U.S. and the U.K. with Prince ransomware.

The attacks, which occurred in mid-September, affected a small number of organizations, according to a report by cybersecurity firm Proofpoint.

Prince is a ransomware variant freely available on GitHub. According to previous research, Prince is written entirely from scratch in the Go programming language and is designed to make files unrecoverable by traditional tools, ensuring that only the designated decryptor can restore them.

Unlike most ransomware attacks, where hackers encrypt the victim’s data and demand a ransom, the goal of this campaign appeared to be destructive, as there were no decryption mechanisms or data exfiltration capabilities, researchers said. 

To gain access to their victims' systems, the hackers used malicious emails and public contact forms found on the target organizations’ websites. One phishing email analyzed by Proofpoint appeared to be sent by Royal Mail, alerting the recipient about an unsuccessful package delivery.

Postal services such as Royal Mail, UPS and FedEx are regularly impersonated by malicious actors. Customers often receive fraudulent phone calls, text messages, and emails that seem to be official communications but are actually scams.

Royal Mail, in particular, has warned about malicious text messages asking customers to rebook a package delivery, collect a parcel from the post office, or resolve alleged delays or unsuccessful deliveries.

In the latest campaign discovered by Proofpoint, the hackers attached PDF documents to their emails with a link that led to the download of a ZIP file hosted on Dropbox. The ZIP file contained another password-protected file, which executed the malicious code.

While encrypting files, the ransomware displayed a Windows update splash screen and added a ransom note to the desktop.

The note falsely claimed that files had been exfiltrated and promised automatic decryption if the victim paid $400 in cryptocurrency to a specified wallet. However, no such decryption capability existed.

“Based on the lack of a link to determine which user has paid to have their files decrypted, and which infected computer belongs to the user who paid, paired with the lack of communication instructions, this appears to be a destructive attack, with threat actors likely having no intention of decrypting any files, even if the victim paid,” researchers said.

“It is unclear whether this is a mistake by the threat actors or if the attack was deliberately designed to be destructive,” they added.

Proofpoint couldn’t attribute this activity to a known threat actor because the Prince ransomware is openly available on GitHub and can be used and modified by various hacker groups.