Two types of malware, NemucodAES and Kovter, have been bundled together by hackers in email attachments and sent to victims via a spam campaign, according to a security researcher.
“Kovter is an older malware, but it's also an ongoing concern. Together, these two pieces of malware could deliver a nasty punch,” he said.
He added that the infected Windows host opened a notification with the decryption instructions. Encrypted files retained their original file names (no added file extensions, as we often see with other ransomware).
Duncan said he found artifacts in the user's AppData\Local and AppData\Local\Temp directories.
“Some of these files are not inherently malicious. A legitimate PHP executable and DLL file were found in user's AppData\Local\Temp directory, along with the NemucodAES decryption instructions (an .hta file) and a Windows desktop background for the ransomware (a .bmp file),” said Duncan.
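Because the encrypted files keep their original names, scanning for a ransomware extension finds nothing; the artifacts Duncan describes are the more reliable host-side lead. The following triage script is an added example, not code from Duncan's research or from SC Media: it takes a file inventory (here a constructed sample listing), groups entries by directory, and reports any per-user AppData\Local\Temp folder that holds the full combination of a PHP executable, a DLL, an .hta file and a .bmp together. The exact file names other than php.exe are assumptions; the article names only the categories.

```python
import ntpath
from collections import defaultdict

# Constructed sample inventory (not from the article). Only alice's Temp
# folder carries the complete combination; bob's has a .bmp and a .dll but no
# PHP interpreter or .hta, and a stray php.exe elsewhere is not a cluster.
SAMPLE_LISTING = [
    r"C:\Users\alice\AppData\Local\Temp\php.exe",
    r"C:\Users\alice\AppData\Local\Temp\php7ts.dll",      # assumed DLL name
    r"C:\Users\alice\AppData\Local\Temp\DECRYPT.hta",     # assumed note name
    r"C:\Users\alice\AppData\Local\Temp\wallpaper.bmp",   # assumed wallpaper name
    r"C:\Users\alice\AppData\Local\Temp\~tmp01.tmp",
    r"C:\Users\bob\AppData\Local\Temp\report.bmp",
    r"C:\Users\bob\AppData\Local\Temp\setup.dll",
    r"C:\Users\bob\Documents\php.exe",
]

# Artifact categories from the article; each test runs on the lower-cased
# file name. "php_exe" matches the interpreter itself; "dll" matches any DLL
# in the same folder (assumption: the article does not name the DLL).
CATEGORIES = {
    "php_exe": lambda name: name == "php.exe",
    "dll": lambda name: name.endswith(".dll"),
    "hta": lambda name: name.endswith(".hta"),
    "bmp": lambda name: name.endswith(".bmp"),
}


def classify(path):
    """Return the set of artifact categories a single file path matches."""
    name = ntpath.basename(path).lower()
    return {cat for cat, test in CATEGORIES.items() if test(name)}


def find_artifact_clusters(paths, required=frozenset(CATEGORIES)):
    """Group files by directory and return only the directories in which every
    required artifact category occurs together (the co-occurrence is the
    signal; any one of these files on its own is unremarkable)."""
    per_dir = defaultdict(lambda: defaultdict(list))
    for path in paths:
        directory = ntpath.dirname(path).lower()
        for cat in classify(path):
            per_dir[directory][cat].append(ntpath.basename(path))
    hits = {}
    for directory, cats in per_dir.items():
        if required <= set(cats):
            hits[directory] = {cat: sorted(names) for cat, names in cats.items()}
    return hits


def is_user_temp(directory):
    """True if the directory is a per-user AppData\\Local\\Temp folder."""
    return directory.lower().endswith(r"\appdata\local\temp")


def triage(paths):
    """Return (directory, artifacts) pairs that deserve an analyst's attention:
    full artifact clusters located in a user's Temp directory."""
    return [(d, arts) for d, arts in find_artifact_clusters(paths).items()
            if is_user_temp(d)]


if __name__ == "__main__":
    for directory, artifacts in triage(SAMPLE_LISTING):
        print(f"[!] {directory}")
        for cat, names in sorted(artifacts.items()):
            print(f"    {cat}: {', '.join(names)}")
```

Feed it a real inventory (an EDR file listing or a `dir /s /b` export of the profile) instead of SAMPLE_LISTING. Requiring all four categories in one folder keeps the false-positive rate low; a developer's machine with a genuine PHP install elsewhere does not trigger it, which is the point of checking the directory rather than the file.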
The ransom note demands 0.63778 Bitcoins in order to release the files. Duncan said that he saw a “lot of post-infection events for Kovter command and control traffic. But I'm not certain click-fraud is involved anymore.”
Duncan said that with proper filtering, these emails are easily blocked. With proper network monitoring, traffic from an infection is easily detected.
“But some of these messages might slip past your filtering, and some people could possibly get infected. With the NemucodAES decryptor, people can recover their files, but I expect this ransomware will continue to evolve,” he warned.
Andy Norton, risk officer EMEA at SentinelOne, told SC Media UK that the two pieces of malware are being packaged together because they offer the cyber-criminal gang different ways of making money.
“Nemucod tries to extract a ransom, and Kovter has been associated with click-fraud and downloading other malware payloads,” he said.
He added that organisations can implement a threat-agnostic defence that does not bias its protection levels towards EXE-based attacks, commenting, “Using behaviour modelling is the best way to reform the existing endlessly unsuccessful cat and mouse approach to enterprise security.”
Paul Ducklin, senior technologist at Sophos, told SC Media UK that malware is often seen hunting in pairs.
“If you think about it, ransomware is an ideal 'cover story' for more insidious malware variants such as keyloggers, bots and RATs (remote access Trojans). Ransomware is right-in-your-face; it advertises its presence even to the point of changing your wallpaper; and it demands immediate attention because it stops you getting on with your work. By the time you've dealt with it, you might be disinclined to dig any further to look for additional malware that isn't obvious at all,” he added.