Brand-new and Bizarre: AnteFrigus, PureLocker Ransomware Variants Emerge
Two new and unusual ransomware families appeared in the wild this week. The AnteFrigus ransomware, discovered by exploit kit expert Mol69, is delivered through a Hookads malvertising campaign that redirects victims to the RIG exploit kit server and, unusually, skips encrypting files on the C: drive. Meanwhile, the PureLocker ransomware (detected by Trend Micro as Ransom.Win32.PURELOCKER.A), discovered by malware analysis company Intezer and IBM X-Force, uses novel detection evasion techniques in targeted attacks against enterprise production servers.
Atypically for ransomware, AnteFrigus does not encrypt the C: drive of a victim's computer, the local drive where users usually save personal files and documents, and therefore the files cybercriminals are normally most interested in encrypting. It also does not encrypt files on unmapped network shares.
Instead, AnteFrigus encrypts the files located on the D:, E:, F:, G:, H:, and I: drives.
Given this peculiar behavior, BleepingComputer surmised that AnteFrigus might be a sophisticated threat that deliberately targets the drive letters commonly assigned to network shares in enterprise environments. Security researcher Vitali Kremez, whom BleepingComputer consulted, thinks otherwise and believes the variant is still in development.
In its own test of AnteFrigus, BleepingComputer observed that the cybercriminals behind the variant demand a ransom of US$1,995 in bitcoin, which doubles if it is not paid within four days and five hours.
The PureLocker ransomware, which can encrypt files on Windows, Linux, and Mac devices, uses the AES and RSA algorithms. It leaves victims no recovery options by deleting shadow copies and overwriting the original files. It is written in the PureBasic programming language and masquerades as the Crypto++ cryptographic library, which helps it evade sandbox detection.
Upon analysis, security researchers found that this variant performs multiple checks to determine whether it is being analyzed or debugged rather than running in a real victim's environment. If any check fails, PureLocker exits without deleting itself so as not to raise red flags on the system. If the environment passes all checks, it executes its payload and deletes itself immediately afterward.
According to Intezer and IBM X-Force, when they looked up a malicious PureLocker 32-bit DLL posing as a Crypto++ library on VirusTotal, they saw that it had evaded detection for more than three weeks.
Another notable characteristic of PureLocker is that it reuses code from the "More_Eggs" JScript backdoor, which is associated with the Cobalt and FIN6 cybercriminal groups. PureLocker-encrypted files carry the .CR1 extension, and the ransomware avoids encrypting executables.
Interestingly, the ransom note does not state how much the cybercriminals demand for file decryption. Instead, it directs each victim to a unique Proton email address.
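The two file-level artifacts described above (encrypted files renamed with the .CR1 extension, and executables left untouched) are cheap to hunt for on a suspect host. The script below is an added example, not code from the original article or from Intezer/IBM X-Force: it walks a directory tree, flags files carrying the .CR1 extension, skips PE executables (DOS "MZ" header), and also flags non-executable files whose content has near-random Shannon entropy, which goes beyond the text by catching files encrypted in place without a rename. The entropy threshold of 7.5 bits per byte and the sample tree are assumptions constructed for the example.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extension PureLocker appends to encrypted files, per the write-up above.
PURELOCKER_EXT = ".cr1"
# AES output approaches 8 bits of entropy per byte; 7.5 is an assumed cutoff
# for this example, not a value taken from the published analysis.
ENTROPY_THRESHOLD = 7.5
SAMPLE_BYTES = 65536


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_pe_executable(path: Path) -> bool:
    """Cheap PE check on the DOS header magic; PureLocker skips executables."""
    with path.open("rb") as fh:
        return fh.read(2) == b"MZ"


def scan_tree(root: Path) -> dict:
    """Walk `root` and bucket files into ransomware indicators."""
    findings = {"cr1_files": [], "high_entropy": [], "skipped_executables": []}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() == PURELOCKER_EXT:
            findings["cr1_files"].append(rel)
            continue
        if is_pe_executable(path):
            findings["skipped_executables"].append(rel)
            continue
        with path.open("rb") as fh:
            sample = fh.read(SAMPLE_BYTES)
        # Tiny files give noisy entropy estimates, so require a minimum size.
        if len(sample) >= 256 and shannon_entropy(sample) >= ENTROPY_THRESHOLD:
            findings["high_entropy"].append(rel)
    return findings


def build_sample_tree() -> Path:
    """Constructed sample data standing in for a victim directory (not a real infection)."""
    root = Path(tempfile.mkdtemp(prefix="purelocker_demo_"))
    (root / "docs").mkdir()
    # Renamed and encrypted: random bytes stand in for ciphertext.
    (root / "docs" / "report.docx.cr1").write_bytes(os.urandom(4096))
    # Ordinary plaintext document, should not be flagged.
    (root / "docs" / "notes.txt").write_text("quarterly planning notes\n" * 40)
    # Executable the ransomware leaves alone.
    (root / "tool.exe").write_bytes(b"MZ" + b"\x00" * 1024)
    # Encrypted in place with no rename; only the entropy check catches it.
    (root / "backup.dat").write_bytes(os.urandom(4096))
    return root


if __name__ == "__main__":
    for bucket, files in scan_tree(build_sample_tree()).items():
        print(f"{bucket}: {files}")
```

On a real host, point `scan_tree` at the user and share directories the ransomware targets and treat any hit in `cr1_files` as confirmation; `high_entropy` will also match legitimate compressed or already-encrypted files (archives, media, disk images), so use it to prioritize triage rather than as a verdict on its own.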
Defending against ransomware attacks
Ransomware has been on the rise once again — according to Trend Micro’s 2019 midyear security roundup, ransomware detections in the first half of the year were up 77% compared to the latter half of 2018. Additionally, threat actors are expanding their scope of operations, not just targeting individuals and businesses but seeking new victims as well — notably local governments that lack comprehensive security systems in place.
It is highly recommended that organizations across all sectors implement the following best practices to prevent ransomware from affecting their systems:
- Keep regular backups of files and data, and regularly verify their integrity.
- Ensure that systems, networks, servers, and applications are consistently updated and patched.
- Enforce the principle of least privilege to minimize the attack surface.
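Verifying backup integrity is only meaningful if a trusted record of what the backup should contain is kept separately from the backup itself. The script below is an added example (not from the original article) of the simplest form of that record: a manifest of SHA-256 digests taken when the backup is made, which a later verification run compares against the files on disk to report anything missing, modified, or newly appeared. The directory layout and the simulated tampering are constructed for the example; the manifest is held in memory here, whereas in practice it belongs on separate, write-protected storage.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup sets never sit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under `root` (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the backup on disk against a manifest recorded earlier."""
    current = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "unexpected": sorted(set(current) - set(manifest)),
        "modified": sorted(
            f for f in manifest if f in current and current[f] != manifest[f]
        ),
    }


def demo() -> dict:
    """Constructed scenario: record a manifest, then simulate ransomware touching the backup."""
    root = Path(tempfile.mkdtemp(prefix="backup_demo_"))
    (root / "finance").mkdir()
    (root / "finance" / "ledger.csv").write_text("date,amount\n2019-11-01,100\n")
    (root / "readme.txt").write_text("restore instructions\n")

    # Serialize the manifest as it would be written to separate storage.
    manifest_json = json.dumps(build_manifest(root), indent=2, sort_keys=True)

    # Simulate the behaviours described above: one file overwritten in place,
    # another renamed with a ransomware extension. The bytes are placeholders.
    (root / "finance" / "ledger.csv").write_bytes(b"\x8f\x11\xd2 not the ledger")
    (root / "readme.txt").rename(root / "readme.txt.cr1")

    return verify_manifest(root, json.loads(manifest_json))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Any non-empty `modified` or `missing` list means the backup can no longer be trusted for restoration and an earlier copy must be used; scheduling `verify_manifest` after every backup run, rather than only when a restore is needed, is what turns "checking integrity" from a recovery-day surprise into a routine control.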
Organizations can also look into sourcing third-party incident response teams for their security needs. Trend Micro™ Managed XDR is one such service, offering a wider scope of visibility and expert security analytics by integrating detection and response functions across networks, endpoints, emails, servers, and cloud workloads. Using advanced analytics and artificial intelligence (AI) techniques, the MDR team monitors the organization's IT infrastructure 24/7 to correlate alerts and prioritize them by severity. Organizations gain access to experienced cybersecurity professionals who can perform a root cause analysis to understand how an attack was initiated, how far it spread in the network, and what remediation steps need to be taken.
In addition, Trend Micro solutions such as the Smart Protection Suites and Worry-Free™ Business Security solutions, which have behavior monitoring capabilities, can protect users and businesses from these types of threats by detecting malicious files, scripts, and messages as well as blocking all related malicious URLs. Trend Micro XGen™ security provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. It infuses high-fidelity machine learning with other detection technologies and global threat intelligence for comprehensive protection against advanced malware.