Earlier this month, security researchers stumbled upon "Barack Obama's Everlasting Blue Blackmail Virus Ransomware", a new ransomware variant that encrypted only .exe files rather than user data files. The ransomware displayed a picture of the former US president on victims' screens and demanded a ransom payment to have the .exe files unlocked.
Another peculiarity about the ransomware was that it terminated processes associated with antivirus software including Kaspersky, McAfee and Rising Antivirus before scanning for .exe files on victims' computers.
The ransomware attracted the interest of security researchers at McAfee who decided to investigate whether it was the work of nation-state actors. While carrying out their research, the researchers observed the presence of a cryptocurrency coin mining component within the ransomware.
Even though the researchers weren't able to unearth enough evidence to confirm the identity of the hackers behind the Barack Obama ransomware, they did note that hackers have been using the names of prominent politicians to enhance the reach of their operations.
For instance, they also found a Donald Trump ransomware as well as an Angela Merkel ransomware. While the former encrypted files using AES, the latter, formerly known as ChromeUpdater.exe, encrypted files using the .angelamerkel extension and demanded ransom payments in Euros. McAfee noted that the Donald Trump and Angela Merkel ransomware variants were 46 percent identical in code but did not share any code similarities with the Barack Obama ransomware.
"Although it would be simple to claim an increase in politically motivated ransomware, or rather ransomware that leverages the profiles of political figures, there is no significant evidence to suggest they are from the same threat actor. Equally, these campaigns might not even be ransomware, certainly in the case of the Obama campaign," the firm added.
Commenting on the investigation and subsequent findings of McAfee researchers, Raj Samani, chief scientist and fellow at McAfee, told SC Magazine UK that since most ransomware code packages are being sold on the dark web, it is difficult to determine whether the same threat actor is behind different pieces of ransomware.
He added that whether new ransomware variants are launched by the same threat actor or not, companies must do their due diligence and take urgent steps to ensure their systems are not infected by ransomware or other forms of malware.
"Companies should also be educating their user base in the best practice measures they can take in order to protect systems, make sure processes are in place to detect threats and correct these vulnerabilities accordingly. As many organisations and individuals embark on the journey to cloud transformation, it is particularly important to remain alert of these threats in order to avoid any unpleasant surprises planted by malicious agents which might exploit existing systems," he said.
The emergence of new ransomware variants that not only lock employees out of sensitive enterprise data but also inflict financial losses on organisations should cause concern among small and medium organisations, which are often unable to gather enough resources to fund high-end cyber security solutions and are therefore more vulnerable than bigger enterprises.
Earlier this year, a study carried out by Webroot revealed that IT decision makers at UK SMBs considered ransomware the number one threat to their businesses, ahead of phishing attacks, DDoS attacks, and other malware infections. The lack of continuous training was a major factor behind the fear, as almost 4 in 5 IT decision makers said they weren't "completely ready to manage IT security and protect against threats".
"As our study shows, the rise of new attacks is leaving SMBs feeling unprepared," said Charlie Tomeo, vice president of worldwide business sales at Webroot.