PureLocker: a multi-OS ransomware targeting servers
In 2019, ransomware is still in full swing. Since the beginning of the year, a wide range of companies and organizations have suffered from this type of malware: local governments, manufacturers, hospitals, producers, and critical infrastructure.
While we usually know who the victims of these ransomware attacks are, more often than not the strain of malware used in the incident remains unknown. Some exceptions include RobbinHood, the ransomware used in Baltimore, which was identified after several months of boasting about its success, and LockerGoga, the ransomware that forced Norsk Hydro to take 22,000 computers in 40 countries offline.
PureLocker is a cross-platform ransomware that targets servers
Researchers have discovered a ransomware written in PureBasic, hence the name PureLocker. It is capable of encrypting files on Windows, Linux and Mac OS X and is specifically aimed at production servers.
PureLocker has several distinct characteristics that show the sophisticated efforts of the cybercriminals behind it. The ransomware, discovered by teams from Intezer and IBM X-Force IRIS, has been used in targeted attacks against production Windows and Linux servers. Among the strange things about PureLocker, the researchers found that it is written in PureBasic, an uncommon programming language. “This unusual option has advantages for attackers,” the experts explain, adding that “antivirus vendors are struggling to create reliable detection signatures for PureBasic binaries. In addition, PureBasic code is portable across Windows, Linux, and Mac OS X, which makes it easier to target different platforms.”
Another unusual feature of PureLocker is its ability to evade API hooking by loading its own copy of the NTDLL.DLL library and resolving the API addresses manually. Hooking these APIs is what lets antivirus software see which function a program called, when, and with what parameters; a privately loaded copy of the library bypasses those hooks.
A ransom demand will be sent via email from Proton
Another point: the malware relies on a Windows command-line utility, regsvr32.exe, to silently install PureLocker components without opening a dialog box. The payload then checks that it was executed by regsvr32.exe and that its file extension is .DLL or .OCX. It also checks the current year on the device (in this case 2019) and whether it is running with administrator rights on the compromised PC. If any of these checks fail, PureLocker stops all activity. The experts note that “this kind of behavior is not uncommon among ransomware programs that prefer to infect as many victims as possible in the hope of getting as much profit as possible.”
If the checks succeed, PureLocker encrypts the files with a combination of AES and RSA, using a hard-coded RSA key, and appends the .CR1 extension to each encrypted file. Before disappearing, the ransomware leaves a note for the user (see image below), but this message is again quite bizarre: it names no amount of cryptocurrency to recover the locked files, and instead asks victims to send an email to a Proton secure email address.
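Two detection checks that follow from the loader behaviour and the file extension described above, as an added example (not code from the article or from the Intezer/IBM research): the first flags regsvr32.exe silently registering a .DLL or .OCX, assuming that a component loaded from a user-writable directory is the interesting case; the second flags a process renaming many files to .CR1. The telemetry fields, paths and alert threshold are constructed for this example.

```python
"""Two detections over constructed Sysmon-style telemetry (not real events).
Check 1: regsvr32.exe registering a .DLL/.OCX with the silent /s switch from a
user-writable directory (assumed criterion, not stated in the article).
Check 2: one process renaming many files to the .CR1 extension."""
import re
from collections import Counter
from pathlib import PureWindowsPath

USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
CR1_THRESHOLD = 5  # assumed: renames by one process before we alert

# Constructed process-creation events: (pid, image, command line).
PROC_EVENTS = [
    (3312, r"C:\Windows\System32\regsvr32.exe", r'regsvr32.exe /s "C:\Users\Public\Libraries\comp.ocx"'),
    (4401, r"C:\Windows\System32\regsvr32.exe", r"regsvr32.exe /s C:\Windows\System32\scrrun.dll"),
    (5120, r"C:\Windows\System32\regsvr32.exe", r"regsvr32.exe C:\ProgramData\x\setup.dll"),
]
# Constructed file-rename events: (pid, new file path).
RENAME_EVENTS = [(3312, rf"D:\data\report{i}.docx.CR1") for i in range(6)] + \
                [(1204, r"D:\data\notes.txt.CR1")]

def suspicious_regsvr32(events):
    """Return pids where regsvr32 silently registers a DLL/OCX from a user-writable path."""
    hits = []
    for pid, image, cmdline in events:
        if PureWindowsPath(image).name.lower() != "regsvr32.exe":
            continue
        silent = re.search(r"(?i)(^|\s)/s(\s|$)", cmdline) is not None
        target = re.search(r'(?i)"?([a-z]:\\[^"]+?\.(?:dll|ocx))"?', cmdline)
        if not (silent and target):
            continue
        if target.group(1).lower().startswith(USER_WRITABLE):
            hits.append(pid)
    return hits

def mass_cr1_renames(events, threshold=CR1_THRESHOLD):
    """Return pids that renamed at least `threshold` files to the .CR1 extension."""
    counts = Counter(pid for pid, path in events if path.lower().endswith(".cr1"))
    return sorted(pid for pid, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    print("silent regsvr32 loads:", suspicious_regsvr32(PROC_EVENTS))  # [3312]
    print("mass .CR1 renames:", mass_cr1_renames(RENAME_EVENTS))        # [3312]
```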
The note asks the victim to send Proton emails
In their analysis, the researchers noted that PureLocker used snippets of known malware such as “more_eggs” sold on the dark web. Specialists point out that cybercriminal groups such as Cobalt Group or FIN6 use this type of code.
PureLocker: a new ransomware with unusual methods
Organizations all over the world now face yet another type of ransomware threat. PureLocker is a piece of ransomware used in targeted attacks against company servers, and it appears to have links with notorious cybercriminal groups.
This malware, which encrypts its victims’ servers in order to demand a ransom, was analyzed by researchers at Intezer and IBM X-Force. They called it PureLocker because it is written in the PureBasic programming language. This language choice is unusual, but it gives attackers several advantages, such as the fact that cybersecurity vendors often struggle to generate reliable detection signatures for malware written in this language. PureBasic code can also be easily ported between Windows, Linux and OS X, which greatly facilitates attacks on other platforms.
Servers in the firing line
Choosing to target servers may be a way of trying to extract larger sums from their victims. Attacks on servers often result in ransom demands of hundreds of thousands of euros. This is because organizations tend to store their most important data on servers and are therefore more willing to pay higher amounts to recover this critical information.
Although there is no data on the number of victims claimed by this ransomware, security researchers have confirmed that this is an active campaign. Furthermore, PureLocker appears to be offered as a service, and it is believed that this “ransomware as a service” is offered exclusively to cybercriminal organizations able to pay a high price.
According to Michael Kajiloti, security researcher at Intezer, “It’s potentially fairly expensive and somewhat exclusive given the relatively few actors that use specific malware-as-a-service and the level of sophistication it provides.”
An exclusive backdoor
PureLocker’s code provides some evidence of its exclusive nature, such as the fact that it contains strings from the “more_eggs” backdoor malware, which is sold by “veteran” malware service providers. Some of the most notorious cybercriminal groups currently use these tools, including the Cobalt Gang and FIN6, and PureLocker appears to share some code with campaigns previously run by these groups. This indicates that PureLocker is designed for criminals who know what they are doing and are capable of attacking large companies.
PureLocker victims receive a ransom note telling them to contact an email address where they can negotiate payment to decrypt their files. It also tells them that they have only seven days to pay; if they fail to meet this deadline, the decryption key will be erased.
Protect yourself from advanced attacks
The cybersecurity researchers who analyzed this ransomware are still not sure how it is delivered to victims. However, more_eggs attacks start with phishing emails, and the similarities between that malware and PureLocker suggest that this ransomware may start the same way.
Since no one knows exactly how it gets onto its victims’ servers, the only way to protect against PureLocker is a zero-trust approach that ensures no door is left open to cybercriminals. Attachments from unknown senders should never be opened.
Another must-have for every company is an advanced cybersecurity solution. Panda Adaptive Defense constantly monitors every operation performed on enterprise systems. If it detects any suspicious or unknown process, it immediately blocks it and stops it from running until it is completely sure that it is trustworthy.
Moreover, Panda Adaptive Defense does not rely on signatures. This means that even if a piece of malware contains mechanisms to impede the generation of detection signatures, as is the case with PureLocker, our advanced cybersecurity solution is able to detect and block the threat.
This PureLocker campaign is currently active, and because of the tricks it uses it can pose a huge risk to the information stored in a wide range of companies. Don’t become the next victim of PureLocker: protect yourself with Panda Security.