Tuesday, May 20, 2025
HomeCyber Security NewsPrince Ransomware Hits UK and US via Royal Mail Phishing Scam

Prince Ransomware Hits UK and US via Royal Mail Phishing Scam

Published on

SIEM as a Service

Follow Us on Google News

A new ransomware campaign targeting individuals and organizations in the UK and the US has been identified.

The attack, known as the “Prince Ransomware,” utilizes a phishing scam that impersonates the British postal carrier Royal Mail.

This campaign highlights the growing sophistication of cyber threats and the need for heightened vigilance among internet users.

- Advertisement - Google News

The Attack Methodology

Researchers at Proofpoint first detected the Prince Ransomware campaign in mid-September.

The attack method is insidious, involving contact forms on target organizations’ websites rather than traditional email phishing methods.

This approach allows attackers to bypass some email security measures and reach multiple recipients within an organization. 

Analyse Any Suspicious Links Using ANY.RUN’s New Safe Browsing Tool: Try for Free

The attackers send messages that appear to originate from a Proton Mail address, masquerading as official communications from Royal Mail.

These messages contain a PDF attachment that directs victims to download a ZIP file from Dropbox.

This ZIP file contains another password-protected ZIP file and a text file with the password needed to open it. 

PDF containing a Dropbox URL.
PDF containing a Dropbox URL.

Once opened, the second ZIP file contains a shortcut (LNK) file that executes JavaScript code designed to deploy the ransomware.

The ransomware encrypts files on the victim’s computer, adding the “.womp” extension, and displays a ransom note demanding payment in Bitcoin for decryption.

Email lure impersonating Royal Mail
Email lure impersonating Royal Mail

A Destructive Outcome

This campaign lacks a decryption mechanism, unlike typical ransomware attacks, which aim to extort money in exchange for decrypting files.

The ransom note falsely claims that files have been exfiltrated and promises automatic decryption upon payment of 0.007 Bitcoins (approximately $400).

However, there is no capability for data exfiltration or victim identification, suggesting that even if victims pay, their files will remain inaccessible. 

The attack’s destructive nature raises questions about its motives. It is unclear whether the threat actors made a mistake or intentionally designed to disrupt without financial gain.

The lack of communication instructions supports the theory that decryption was never intended.

Implications and Preventive Measures

The Prince Ransomware campaign underscores the importance of cybersecurity awareness and preparedness.

Organizations are advised to educate their employees about recognizing phishing attempts and suspicious communications, especially those involving unexpected attachments or requests for sensitive information. 

Additionally, organizations should implement robust security measures such as multi-factor authentication, regular software updates, and comprehensive data backup strategies.

These steps can help mitigate the impact of ransomware attacks and ensure business continuity.

The open availability of Prince Ransomware on platforms like GitHub also highlights a broader issue within cybersecurity: the accessibility of malicious tools for educational purposes that threat actors can easily repurpose.

This calls for stricter regulations and monitoring of open-source repositories to prevent misuse.

Free Webinar on How to Protect Small Businesses Against Advanced Cyberthreats -> Free Registration

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

New Phishing Attack Poses as Zoom Meeting Invites to Steal Login Credentials

A newly identified phishing campaign is targeting unsuspecting users by masquerading as urgent Zoom...

New Hannibal Stealer Uses Stealth and Obfuscation to Evade Detection

A newly identified piece of malware, dubbed the "Hannibal Stealer," has emerged as a...

Chinese APT Hackers Target Organizations Using Korplug Loaders and Malicious USB Drives

Advanced persistent threat (APT) groups with ties to China have become persistent players in...

Cache Timing Techniques Used to Bypass Windows 11 KASLR and Reveal Kernel Base

Cache timing side-channel attacks have been used to circumvent Kernel Address Space Layout Randomization...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

New Phishing Attack Poses as Zoom Meeting Invites to Steal Login Credentials

A newly identified phishing campaign is targeting unsuspecting users by masquerading as urgent Zoom...

New Hannibal Stealer Uses Stealth and Obfuscation to Evade Detection

A newly identified piece of malware, dubbed the "Hannibal Stealer," has emerged as a...

Chinese APT Hackers Target Organizations Using Korplug Loaders and Malicious USB Drives

Advanced persistent threat (APT) groups with ties to China have become persistent players in...