Unusual New 'PureLocker' Ransomware Is Going After Servers (zdnet.com) 22
Researchers at Intezer and IBM X-Force have detected an unconventional form of ransomware that's being deployed in targeted attacks against enterprise servers. They're calling it PureLocker because it's written in the PureBasic programming language. ZDNet reports: It's unusual for ransomware to be written in PureBasic, but it provides benefits to attackers because sometimes security vendors struggle to generate reliable detection signatures for malicious software written in this language. PureBasic is also transferable between Windows, Linux, and OS-X, meaning attackers can more easily target different platforms. "Targeting servers means the attackers are trying to hit their victims where it really hurts, especially databases which store the most critical information of the organization," Michael Kajiloti, security researcher at Intezer told ZDNet.
There's currently no figures on the number PureLocker victims, but Intezer and IBM X-Force have confirmed the ransomware campaign is active with the ransomware being offered to attackers 'as-a-service.' However, it's also believed than rather than being offered to anyone who wants it, the service is offered as a bespoke tool, only available to cyber criminal operations which can afford to pay a significant sum in the first place. The source code of PureLocker ransomware offers clues to its exclusive nature, as it contains strings from the 'more_eggs' backdoor malware. This malware is sold on the dark web by what researchers describe as a 'veteran' provider of malicious services. These tools have been used by some of the most prolific cyber criminal groups operating today, including Cobalt Gang and FIN6 -- and the ransomware shares code with previous campaigns by these hacking gangs. It indicates the PureLocker is designed for criminals who know what they're doing and know how to hit a large organization where it hurts.
There's currently no figures on the number PureLocker victims, but Intezer and IBM X-Force have confirmed the ransomware campaign is active with the ransomware being offered to attackers 'as-a-service.' However, it's also believed than rather than being offered to anyone who wants it, the service is offered as a bespoke tool, only available to cyber criminal operations which can afford to pay a significant sum in the first place. The source code of PureLocker ransomware offers clues to its exclusive nature, as it contains strings from the 'more_eggs' backdoor malware. This malware is sold on the dark web by what researchers describe as a 'veteran' provider of malicious services. These tools have been used by some of the most prolific cyber criminal groups operating today, including Cobalt Gang and FIN6 -- and the ransomware shares code with previous campaigns by these hacking gangs. It indicates the PureLocker is designed for criminals who know what they're doing and know how to hit a large organization where it hurts.
so stupid. (Score:3)
If these clowns were any good at programming then they could easily identify databases that contain corporate financial information and simply buy and transmit money without human interaction. I feel like cyber criminals aren't really trying anymore.
Re: (Score:1)
... identify databases that contain corporate financial information and simply buy and transmit money without human interaction.
Could you expand upon this a bit further?
Re: (Score:2)
Could you expand upon this a bit further?
If the malware is looking for specific data to hold it ransom, it would probably be worth more to "other interested parties" then simply aiming for a short payoff.
Re: (Score:2)
Could you expand upon this a bit further?
If the malware is looking for specific data to hold it ransom, it would probably be worth more to "other interested parties" then simply aiming for a short payoff.
So "other interested parties" paying to know that you can never unlock your data? Or selling the data to a third party? Locking a system down with encryption is different than extracting data.
Maybe the OP is saying that hackers have gotten lazy because they haven't developed malware that will lock you out of your data, siphon it off to remote storage locker, then offer it up for sale on the dark web. Either you pay to unlock and de-list it or a third party buys it first. tick tick tick tick
Re: (Score:3)
2FA (Score:3, Funny)
The folks running these servers should use 2FA. So hot right now.
Re: (Score:2)
Re: (Score:3)
PureBASIC (Score:1, Informative)
...PureBasic [...] provides benefits to attackers because sometimes security vendors struggle to generate reliable detection signatures for malicious software...
Why is PureBasic (any BASIC?) harder to "generate reliable detection signatures" for?
Does that mean its harder to hash the binaries?
Does the executable modify itself at Runtime somehow (in memory and/or storage)?
Thanks.
Re: (Score:3)
Re: (Score:3)
This is wild speculation but its based on some real world experience with various interpreted languages as developer and EDR software as an administrator on windows.
Most EDR stuff including Microsoft's own stuff is really really brain dead. Its looking for either hashes or strings of known bad stuff, or doing some sorta scoring based on what API calls it sees a binary or script doing. The hackers cracking out exploits in python or powershell more often than not can dodge a signature check by just changing
Re: PureBASIC (Score:1)
Re: (Score:1)
Re: (Score:2)
no, it's because it's an interpreted language. The "compiled" code consists of an EXE stub that calls into a runtime and the tokenized vers
there was often information about attacks (Score:1)
Cross platform? (Score:2)
PureBasic is also transferable between Windows, Linux, and OS-X, meaning attackers can more easily target different platforms
Are they talking a single binary? Or are they saying the compiler can target any of the three platforms? Or that the compiler runs on any of the three platforms?
Re: (Score:1)
Re: Cross platform? (Score:1)
Unconventional form of ransomware (Score:1)