Ransomware is a highly destructive family of malware designed to hold the victim hostage in exchange for restoring their files. One highly effective spamming technique used by malware designers is to send out a blank spam email message with a malicious zip attachment. This is called the “Blank Slate” attack, and it is circulating extensively in the wild.


In recent months, we’ve been tracking a malicious spam (malspam) campaign using emails with no message content and an attached zip archive to spread ransomware. We’ve nicknamed this campaign “Blank Slate” because the malspam messages are blank with nothing to explain the malicious attachments.
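The delivery pattern described above (no message content plus an attached zip archive) can be checked at a mail gateway or during triage. The following is an added example, not code from the original blog; the function names, addresses, filenames and sample messages are constructed for illustration.

```python
import io, re, zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

def blank_slate_indicators(raw: bytes) -> dict:
    """Flag mail with no visible body text and at least one zip attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    body, zips = "", []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        # Judge by content, not by the declared filename or MIME type.
        if zipfile.is_zipfile(io.BytesIO(payload)):
            zips.append(part.get_filename() or "(unnamed)")
        elif part.get_content_maintype() == "text" and not part.get_filename():
            body += part.get_content()
    # Drop HTML tags and non-breaking spaces so an empty HTML shell counts as blank.
    visible = re.sub(r"<[^>]+>|&nbsp;", "", body).strip()
    return {"blank_body": not visible, "zip_attachments": zips,
            "match": not visible and bool(zips)}

def build_sample(body: str, attachment: bytes, filename: str) -> bytes:
    """Constructed test message; not taken from the campaign."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "a@example.com", "b@example.com"
    msg.set_content(body)
    msg.add_attachment(attachment, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

def harmless_zip() -> bytes:
    """In-memory zip holding only a placeholder text file (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("placeholder.txt", "constructed sample, no payload")
    return buf.getvalue()

if __name__ == "__main__":
    samples = [
        ("blank + zip", build_sample("\n", harmless_zip(), "1234.zip")),
        ("text + zip", build_sample("Files attached.\n", harmless_zip(), "docs.zip")),
        ("blank + non-zip", build_sample("\n", b"%PDF-1.4 constructed", "a.pdf")),
    ]
    for label, raw in samples:
        print(label, blank_slate_indicators(raw))
```

A match is a triage signal rather than a verdict, since some legitimate senders also mail archives with an empty body.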

Last month, we published a blog that discussed farming Microsoft Word documents in AutoFocus associated with the Blank Slate campaign. It revealed that more than 500 domains were used. These malicious domains were quickly taken offline, but Blank Slate actors quickly registered new ones, revealing a cycle of abuse towards legitimate hosting providers.

Today’s blog describes the delivery, exploitation, and installation components of this attacker’s playbook, and it explores the cycle of abuse criminals follow against legitimate hosting providers to host ransomware associated with these infections.