Long gone are the days when all malware did was send you a silly message and shut down your device. These days, malware is big business, promising authors and actors thousands, even millions of dollars every year thanks to the valuable data they can snatch and sell during attacks.
A few years ago, a major evolution in malware brought us ransomware, which consists of programs that hide or encrypt data on a device and demand a ransom from users for the data’s safe return. As if that wasn’t frightening enough, ransomware has mutated again, producing a high number of distressing variations that users around the world need to watch out for.
PureLocker is a prime example of innovation in ransomware. For one, consider the language it is written in: PureBasic, which is what gives the malware its name. PureBasic is not a common programming language like Java, Python or Ruby. However, by developing ransomware in this language, PureLocker’s authors gain a number of benefits, such as antivirus software having a harder time matching malware signatures against it. Even better, PureBasic compiles for Windows, Linux and OS X, meaning the ransomware can target any of the big three operating systems.
Additionally, PureLocker borrows evasion techniques from other malware families that are rarely found in ransomware. Typically, ransomware tries to be loud and proud, infecting as many victims as possible to maximize profits. However, PureLocker strives to stay undercover until it verifies certain facts about the device, such as a current system date and active administrator rights. If any of its checks fails, PureLocker uninstalls itself and moves on to other victims; if they succeed, PureLocker encrypts copies of the files on the machine, deletes the originals to prevent recovery and erases evidence of itself, making it more difficult to trace.
Finally, PureLocker handles the ransom aspect of ransomware unusually. Rather than demanding a clear sum and offering directions for payment, PureLocker instructs victims to send an email to an anonymous, encrypted Proton email address, which triggers a reply with further instructions. This suggests that PureLocker is being sold as Malware-as-a-Service, with different attackers replying from different email addresses.
Currently, PureLocker is launching attacks against only Windows and Linux devices. As always, the best way to avoid ransomware is impeccable cyber hygiene, but you should always try trustworthy ransomware removal tools before giving in to the ransom.
In truth, MedusaLocker isn’t as new or fascinating to infosec researchers as other malware; it operates largely as one would expect: first preparing the computer for encryption, shutting down security features that might interrupt it, deleting any and all backup copies of files and finally encrypting a selection of files. For the sake of speed and efficiency, MedusaLocker skips a long list of file extensions, including .exe, .dll and .sys, and renames the files it does encrypt with TV-themed extensions such as .breakingbad and .skynet.
Where MedusaLocker differs from other ransomware is in how it spreads: researchers aren’t certain how MedusaLocker is infecting new machines, which means it will be nearly impossible to contain online and may proliferate more effectively than other ransomware. To steer clear of MedusaLocker, you should have a strong internet security suite installed on every device, as well as effective network security.
Usually, ransomware targets a user’s personal files and documents, which are stored on the C: drive. By doing this, the attackers provoke an emotional response from victims, who frantically and instinctively try to get their personal files back as fast as possible, which often means paying the decryptor fee.
However, the new AnteFrigus ransomware doesn’t touch the C: drive. Instead, it goes after almost every other drive on the device: D:, E:, G:, H:, and I:. This might be a deliberate attempt by the malware creators to avoid harming home users and target enterprise networks, which tend to use these other drives for network shares. Other infosec experts believe this is a mistake by malware authors who are still in the development phase for this ransomware.
In either case, AnteFrigus is just warming up, and the heat of its attacks will likely burn devices in 2020. The ransom for this attack is about US$1,995 in Bitcoin, which doubles after four days without payment. As yet, AnteFrigus only attacks Windows devices, but that could change as attackers tinker with the code in the coming months.
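The three behaviours described above (PureLocker writing an encrypted copy and then deleting the original, MedusaLocker’s .breakingbad and .skynet extensions, and AnteFrigus leaving C: alone) are all visible in file-system audit data. The following Python script is an added defender-side illustration, not code from the article or from any of these malware families: it runs a simple heuristic over a constructed set of audit events, and the event format, paths and the extra `.locked` extension are assumptions for the example.

```python
import ntpath
from collections import Counter

# Constructed file-audit events for the example, one "<OP> <path>" per line.
# Paths and names are made up; they are not indicators from the article.
SAMPLE_EVENTS = """\
CREATE D:\\share\\finance\\q3.xlsx.breakingbad
DELETE D:\\share\\finance\\q3.xlsx
CREATE D:\\share\\finance\\budget.docx.breakingbad
DELETE D:\\share\\finance\\budget.docx
CREATE E:\\backup\\db.bak.skynet
DELETE E:\\backup\\db.bak
CREATE H:\\projects\\plan.pptx.locked
DELETE H:\\projects\\plan.pptx
MODIFY C:\\Users\\alice\\notes.txt
CREATE C:\\Users\\alice\\report.pdf.tmp
"""

# Extensions the article attributes to MedusaLocker.
KNOWN_BAD_EXTS = {".breakingbad", ".skynet"}

def parse_events(text):
    """Turn the audit text into a list of (op, path) tuples."""
    return [tuple(line.split(" ", 1)) for line in text.splitlines() if line.strip()]

def analyze(events):
    """Flag encrypt-copy-then-delete-original pairs and report which drives they hit."""
    created = {}   # original path -> new file that is the original plus an extra extension
    deleted = set()
    known_ext_hits = 0
    for op, path in events:
        if op == "CREATE":
            original, ext = ntpath.splitext(path)
            if ext.lower() in KNOWN_BAD_EXTS:
                known_ext_hits += 1
            # Only a "name.ext.extra" shape counts as a candidate copy of an existing file.
            if ntpath.splitext(original)[1]:
                created[original] = path
        elif op == "DELETE":
            deleted.add(path)
    pairs = [orig for orig in created if orig in deleted]
    drives = Counter(ntpath.splitdrive(orig)[0].upper() for orig in pairs)
    return {
        "known_ext_hits": known_ext_hits,        # MedusaLocker-style extensions seen
        "copy_then_delete": len(pairs),          # PureLocker-style copy-and-delete pairs
        "drives": dict(drives),                  # where the damage landed
        "c_drive_spared": bool(pairs) and "C:" not in drives,  # AnteFrigus-style pattern
    }

if __name__ == "__main__":
    print(analyze(parse_events(SAMPLE_EVENTS)))
```

The `.locked` pair on H: is caught by the copy-then-delete rule even though its extension is not on the known list, which is the point of pairing creates with deletes rather than matching extensions alone.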
Even as other forms of attack prove wildly effective, ransomware remains a popular choice for enterprising hackers. By continuing to educate yourself on the ever-evolving style of ransomware attacks, you should be able to avoid infection — or at least avoid paying the ransom.