HerbaLife Scam: Emails Disguised As Invoices Contain Ransomware

A new, widespread ransomware attack has started spreading through emails with malicious attachments—including some disguised to look like they came from multi-level marketing nutrition company Herbalife—is hitting millions of inboxes around the world.

The campaign was first spotted by cybersecurity firm Barracuda Labs on Tuesday, at which point the attack had been delivered about 20 million times over the course of a 24 hour period. Since then, the campaign has continued at rate of about two million attacks per hour.

The attack has been impressively prolific since it launched earlier this week. Barracuda has identified at least 8,000 different versions of the virus script so far, suggesting the attackers are randomizing parts of the attack in order to avoid detection from anti-virus tools.

While the origins of the attack are still unknown, Barracuda did note that the largest volume of the emails appeared to come from Vietnam, with other significant sources of the attack including India, Columbia, Turkey and Greece.

According to Barracuda, the payload files delivered by the malicious emails and the domains used to host the secondary payloads downloaded onto a victim’s computer have also changed multiple times since the start of the attack.

Potential victims may see any number of variants of the attack, though a common version of the malicious email has contained branding from Herbalife, a popular nutritional supplement and personal care product provider.

The email claims to contain an attachment that is an invoice for an order placed through the company. If a person downloads and opens the file, it will launch the ransomware installer hidden in the document.

Other variants of the email that have appeared claim to be a delivery of a “copier” file or contain a paragraph of legalese that make it appear as though the email is some sort of official or legitimate document.

The messages often come from a spoofed domain, making it appear as though it is from a person within the same organization as the target or from another trusted source—an increasingly popular technique for tricking people into clicking on malicious links, though one that could be avoided with the proper protocols like DMARC implemented by organizations.

While the campaign is currently targeting organizations and businesses, it isn’t believed to be from a state-sponsored actor and the motivations appear to be primarily financial, as is often the case with widespread ransomware attacks.

While victims may be tempted to pay the ransom when their computer is infected and their files are made inaccessible by the attack, they are advised not to do so. This is generally the best practice but applies to this attack in particular, as Barracuda noted that victims who pay will not have their files unlocked.

“Barracuda researchers have confirmed that this attack is using a Locky variant with a single identifier. The identifier allows the attacker to identify the victim so that when the victim pays the ransom, the attacker can send that victim the decryptor,” the researchers explained in a blog post. “In this attack, all victims get the same identifier, which means that victims who pay the ransom will not get a decryptor because it will be impossible for the criminal to identify them.”

Barracuda also noted the campaign is checking the language files on a victim’s computer, suggesting it may may lead to an international version of the attack in the future.