This unusual new ransomware is going after servers

PureLocker ransomware appears to have links to some of the most prolific cyber-criminal operations active in the world today.
Written by Danny Palmer, Senior Writer

An unconventional form of ransomwareis being deployed in targeted attacks against enterprise servers – and it appears to have links to some of the most notorious cyber-criminal groups around.

The previously undetected server-encrypting malware has been detailed in research by cybersecurity analysts at Intezer and IBM X-Force, who've named it PureLocker because it's written in the PureBasic programming language.

It's unusual for ransomware to be written in PureBasic, but it provides benefits to attackers because sometimes security vendors struggle to generate reliable detection signatures for malicious software written in this language. PureBasic is also transferable between Windows, Linux, and OS-X, meaning attackers can more easily target different platforms.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)

In this case, attacks are being launched against servers, with the aim of holding them hostage and only returning them to operation after a cryptocurrency ransom has been paid. Ransomware attacks against servers often lead to demands for payments of hundreds of thousands of dollars in exchange for decrypting the systems, and can be accompanied by a threat to destroy the data if the ransom isn't paid.

"Targeting servers means the attackers are trying to hit their victims where it really hurts, especially databases which store the most critical information of the organization," Michael Kajiloti, security researcher at Intezer, told ZDNet.

There's currently no figures on the number of PureLocker victims, but Intezer and IBM X-Force have confirmed the ransomware campaign is active with the ransomware being offered to attackers 'as-a-service'.

However, it's also believed than rather than being offered to anyone who wants it, the service is offered as a bespoke tool, only available to cyber-criminal operations that can afford to pay a significant sum in the first place.

"It's probably rather expensive and somewhat exclusive due to the fact that there are relatively few actors using the specific malware-as-a-service and the level of sophistication of its offering," said Kajiloti.

The source code of PureLocker ransomware offers clues to its exclusive nature, as it contains strings from the 'more_eggs' backdoor malware. This malware is sold on the dark web by what researchers describe as a 'veteran' provider of malicious services.

These tools have been used by some of the most prolific cyber-criminal groups operating today, including Cobalt Gang and FIN6 -- and the ransomware shares code with previous campaigns by these hacking gangs. It indicates that PureLocker is designed for criminals who know what they're doing and know how to hit a large organisation where it hurts.

It's currently uncertain how exactly PureLocker is delivered to victims, but researchers note that more_eggs campaigns begin with phishing emails, so the ransomware attacks could begin in the same way, with the final payload likely to be the final part of a multi-staged attack.

SEE: Ransomware: 11 steps you should take to protect against disaster

Those who become infected with PureLocker ransomware are presented with a ransom note telling the victim that they need to contact an email address to negotiate a fee for decrypting the files. The user is also warned that they only have seven days to pay the ransom and that if they don't the private key will be deleted, meaning the files can't be recovered.

Researchers say the PureLocker campaign is still active and that it's important to ensure organisations have appropriate cybersecurity policies in place to protect against attacks.

"As with any malware threat, having good security infrastructure helps, but also educating employees about phishing is critical," Kajilot said.


Editorial standards