The previously undetected server-encrypting malware has been detailed in research by cyber security analysts at Intezer and IBM X-Force, who've named it PureLocker because it's written in the PureBasic programming language.
It's unusual for ransomware to be written in PureBasic, but it provides benefits to attackers because sometimes security vendors struggle to generate reliable detection signatures for malicious software written in this language. PureBasic is also transferable between Windows, Linux, and OS-X, meaning attackers can more easily target different platforms.
"Targeting servers means the attackers are trying to hit their victims where it really hurts, especially databases which store the most critical information of the organization," Michael Kajiloti, security researcher at Intezer told ZDNet.
The source code of PureLocker ransomware offers clues to its exclusive nature, as it contains strings from the 'more_eggs' backdoor malware. This malware is sold on the dark web by what researchers describe as a 'veteran' provider of malicious services.
These tools have been used by some of the most prolific cyber criminal groups operating today, including Cobalt Gang and FIN6 -- and the ransomware shares code with previous campaigns by these hacking gangs. It indicates the PureLocker is designed for criminals who know what they're doing and know how to hit a large organisation where it hurts.
It's currently uncertain how exactly PureLocker is delivered to victims, but researchers note that more_eggs campaigns begin with phishing emails, so the ransomware attacks could begin in the same way, with the final payload likely to be the final part of a multi-staged attack.
Researchers say PureLocker campaign is still active and that it's important to ensure organisations have appropriate cyber security policies in place to protect against attacks.
"As with any malware threat, having good security infrastructure helps, but also educating employees about phishing is critical," Kajilot said." That means stepping them through new-school security awareness training.
Full Story at ZDNet: https://www.zdnet.com/article/this-unusual-new-ransomware-is-going-after-servers/