Security researchers at IBM X-Force and Intezer have identified a new form of ransomware that is being used in targeted attacks on enterprise servers. The new threat has been called PureLocker as it has been written in PureBasic, which is unusual for ransomware. PureLocker represents a serious threat, especially since signature-based security solutions struggle to detect malware written in PureBasic.
Researchers at Intezer note that in the three weeks since the ransomware was first detected, virtually none of the AV engines on VirusTotal have identified the ransomware as malicious. The ransomware has been executed in several different sandboxes and displayed no malicious or suspicious behaviors.
The ransomware can be used to attack different operating systems – Windows, OS X, and Linux – and by targeting servers, the attackers can inflict a considerable amount of pain. By encrypting databases and applications that are critical for day-to-day business operations, they can cause massive financial losses, which makes payment of the ransom much more likely.
It is unclear at this stage how many enterprises have been attacked with PureLocker ransomware. The researchers have confirmed that the ransomware campaign is being offered as-a-service, that it has been linked to several highly active and advanced cybercriminal operations, and that the ransomware is being used in real world attacks.
The researchers have analyzed the malware and note that it shares some of its source code with the more_eggs backdoor. That malware variant is being sold on darknet marketplaces by a long-time provider of malware-as-a-service. Cybercriminal gangs known to have used more_eggs include the Cobalt Gang and FIN6 – advanced threat actors that conduct sophisticated attacks on large enterprises.
It is likely that PureLocker ransomware will be used by similar threat actors who are experienced at attacking large enterprises, rather than the low-level affiliates associated with many other ransomware- and malware-as-a-service offerings.
As is typical with ransomware variants used in attacks on large enterprises, contact must be made with the attackers to discover how much is required for the keys to unlock encrypted servers. It is not known how much the attackers are charging, although based on past ransomware campaigns on enterprises it is likely to be tens of thousands to hundreds of thousands.
It is unclear how the ransomware is being distributed. There has been a tendency for ransomware to be distributed through attacks on RDP rather than via malicious emails. However, the researchers point out that email is the attack vector most commonly used to distribute the more_eggs backdoor, and email may well be the main method of distribution for PureLocker ransomware, albeit through a multi-stage process.