This data-stealing Trojan is the first to also infect you with ransomware

Not content with stealing your bank details, Betabot will also infect your computer with Cerber ransomware too.
Written by Danny Palmer, Senior Writer

Cybercriminals: now they'll steal your data and bill you too.

Image: iStock

As if stealing your personal data wasn't bad enough, one form of Trojan malware has now become the first of its kind by also infecting victims with ransomware, forcing targets to pay to regain access to their computer as well as compromising their credentials.

Betabot, which steals banking information and passwords, has been around since March 2013. It disables antivirus and malware-scanning software on infected Windows machines before modifying them to steal users login credentials and financial data.

But now, according to cybersecurity researchers at Invincea, Betabot is "breaking new ground", becoming the first known weaponised password-stealing malware that also infects victims with ransomware in a second stage of attack.

Betabot -- which in many instances is still able to evade detection -- is installed using the Neutrino exploit kit, which uses infected documents disguised as CVs to ask the victim to enable macros. If they do, the malware is able to steal login data and passwords from web browsers.

With no further use for the infected endpoint, Betabot attacks generally ended there. Now, however, the Trojan downloads and installs the Cerber ransomware onto the victim's computer, demanding the user pays up in order to regain access to their compromised machine.

"This marks the first time that a weaponised document with password-stealing malware has called ransomware as a second-stage attack. This is an evolution in maximising the profits from an endpoint compromise, earning much larger payout by using multiple attack techniques," says Invincea cybersecurity researcher Pat Belcher.

People infected with Cerber ransomware are typically forced to pay a ransom of one Bitcoin -- the equivalent of around $570 -- in order to regain access to their files. Passwords stolen by Betabot could fetch $185 on the dark web, which means the ransom could be around three times more lucrative to hackers than the stolen data itself.

It's because ransomware is such an easy way to make money that this particular kind of cybercrime is booming. Not only that, but ransomware-as-a-service schemes are enabling even the most technically illiterate cybercriminal to extort payments from victims infected with data-encrypting malware -- with the original developers of the service also taking a significant chunk of the ill-gotten gains.

Ransomware represents a particular risk to organisations using old operating systems, such as hospitals, which still rely on bespoke software and old systems in order to run. That's why hospitals are increasingly being targeted in ransomware attacks.


Editorial standards