SANS ISC shares update on a highly effective ransomware attack reported back in March 2017. It is being massively spammed with blank email message with a zip archive attachment.  It is still going strong and attachment is highly convincing in some cases, so users should continue to keep AV ramped up & avoid all email & websites of a suspicious origin.

https://isc.sans.edu/forums/diary/Catching+up+with+Blank+Slate+a+malspam+campaign+still+going+strong/22570/

https://blogs.msmvps.com/harrywaldron/2017/03/22/ransomware-blank-slate-uses-blank-spam-email-message-with-zip-attachment/

Blank Slate is the nickname for a malicious spam (malspam) campaign pushing ransomware targeting Windows hosts.  I’ve already discussed this campaign in a previous diary back in March 2017.  It has consistently sent out malspam since then.

Normally, emails from this campaign are blank messages with vague subject lines and attachments that don’t indicate what it is.  That’s why I’ve been calling it the “Blank Slate” campaign. Today’s Blank Slate malspam was pushing Cerber and GlobeImposter ransomware.

As I noted last time, potential victims must open the zip attachment, open the enclosed zip archive, then double-click the final .js file.  That works on default Windows configurations, but properly-administered Windows hosts and decent email filtering are enough, I think, to keep most people from worrying about Blank Slate. I still wonder how many people are fooled by Blank Slate malspam.