Security researchers have warned that a new strain of ransomware is being used to encrypt files on production servers in enterprises.
The malware, dubbed PureLocker, is written in the PureBasic programming language, noted Intezer researcher Michael Kajiloti. This makes it easy for cybercriminals to port the malware on to Windows, Linux, and MacOS platforms, he wrote.
By using code reuse analysis, researchers found that this threat is closely related to the "more_eggs" backdoor malware, which is sold on the dark web by a veteran MaaS provider and has been used by the Cobalt Gang, FIN6, and other threat groups.
The code has been undetected for over three weeks, which was quite rare, said researchers. It has evaded detection by pretending to be a C++ cryptography library called Crypto++. The malware is designed to be executed as a COM server DLL by regsrv32.exe, which will invoke the DllRegisterServer export, where the malware’s code resides.
The malware’s code begins by checking if it was executed as intended by the attackers, and that it’s not being analysed or debugged. If any of these checks fail, the malware will exit immediately, without deleting itself, likely as an anti-analysis method not to raise suspicion.
The ransomware uses a AES+RSA combination to encrypt files and adds the ".CR1" extension for each encrypted file. It encrypts mostly data files, skipping encryption for executable files according to the particular file’s extension. The ransomware then secure-deletes the original files in order to prevent recovery.
The malware leaves a not on the victim’s desktop in a file called YOUR_FILES.txt. The note does not ask for the payment type or for ransom amount, instead instructing the victim to contact the attacker via email using an anonymous and encrypted Proton email address.
Each sample uses a different email address, which might be how the attackers can link between different victims and their respective decryption keys, said researchers.
"This is further evidence that this threat is different from typical forms of ransomware," wrote said Kajiloti.
Instead of trying to infect as many victims as possible, the malware was designed to conceal its intentions and functionalities unless executed in the intended manner, he added.
"This approach has worked well for the attackers who have managed to successfully use it for targeted attacks, while remaining undetected for several months," he wrote.
The code of the evasion and anti-analysis functionalities described in this blog is directly copied from the "more_eggs" backdoor loader.
"Some of these duplicated features have allowed the ransomware to stay undetected by evading automated analysis systems. This provides an example of the importance of code reuse analysis for malware detection and classification. It twists the usage of any previously used code, even code for effective evasion and anti-analysis, into a reliable indicator for detection," said the researcher.