A few organizations in the U.S. and the UK have been targeted with the Prince ransomware in a phishing campaign that spoofed the UK postal service Royal Mail, reports The Record, a news site by cybersecurity firm Recorded Future.
Attackers purporting to be Royal Mail distributed malicious emails about a failed package delivery. The emails carried a PDF attachment containing a link that redirected to a Dropbox-hosted ZIP file, which then facilitated the execution of Prince ransomware, according to a Proofpoint report. Additional analysis revealed that the payload lacks a decryption capability, even though the ransom note claimed automated file decryption in exchange for $400 worth of cryptocurrency. "Based on the lack of a link to determine which user has paid to have their files decrypted, and which infected computer belongs to the user who paid, paired with the lack of communication instructions, this appears to be a destructive attack, with threat actors likely having no intention of decrypting any files, even if the victim paid. It is unclear whether this is a mistake by the threat actors or if the attack was deliberately designed to be destructive," said researchers.