Unusual ‘PureLocker’ Ransomware is Attacking Enterprise Servers


Cybersecurity researchers at Intezer Labs and IBM X-Force have discovered an unusual ransomware that is reportedly being used for targeted attacks against enterprise servers. Named PureLocker because it's written in PureBasic, the malware has apparently been traced back to a well-known Malware-as-a-Service (MaaS) provider used by the Cobalt Gang and FIN6 attack groups.

According to the official blog post from Intezer Labs malware researcher Michael Kajiloti, code reuse analysis shows that the malware is closely related to the ‘more_eggs’ backdoor, which is sold on the dark web and has already been used by multiple threat actors. As per the report, the attack targets both Windows and Linux servers, but the malware has evaded detection for weeks by copying some of its code from the aforementioned backdoor.

As mentioned already, the ransomware is written in the PureBasic programming language, which makes it a rather uncommon phenomenon in the malware domain. However, according to Kajiloti, the unusual choice offers advantages for the attacker, because “AV vendors have trouble generating reliable detection signatures for PureBasic binaries”. In addition, PureBasic code is portable between Windows, Linux, and OS X (macOS), making it easier to target different platforms.

It’s not immediately clear how exactly the malware is being delivered to victims, but infected systems receive ransom notes that contain an email address for negotiating a fee to decrypt the files. The victims are apparently also told that they have only seven days to pay the ransom, failing which the private key will be deleted, rendering the locked files unrecoverable.

Intezer Labs has published a detailed, technical post about the malware and its MO, and you can access all that info via the link above.
