New Threat Research: MalSync Teardown: From DLL Hijacking to PHP Malware for Windows  

Read Threat Research

Search

New “PureLocker” Ransomware Targets Enterprise Servers

A new ransomware sample with very low anti-virus detections was recently discovered, according to researchers at IBM X-Force IRIS and Intezer.  The ransomware, dubbed “PureLocker” because it is written in the PureBasic programming language, has attributes that suggest it is designed for highly targeted, strategic attacks against servers.  The ransomware only runs if it has been executed as a DLL or OCX file from the command line via regsrv32.exe using particular command-line switches, suggesting that attackers plan to first gain remote access to a victim network and then deploy the ransomware strategically against a chosen target server, rather than randomly spreading it as widely as possible.  Although the PureBasic programming language allows the ransomware to be compiled for Windows, Linux and macOS targets, all of the PureLocker samples analyzed have targeted only Windows; it is possible that a Linux variant may be discovered in the future.  By analyzing portions of code in PureLocker and noting similarities with other malware samples, researchers believe it is likely that PureLocker shares a significant amount of code with the “more_eggs” malware, which is sold on the dark web by a threat actor who is believed to have provided malware as a service to two major cyber-criminal groups: FIN6 and Cobalt Gang.

Analyst Notes

Ransomware continues to be a major threat to businesses of all sizes. PureLocker represents a higher threat level than some other ransomware variants because of its very low detection by anti-virus solutions and the fact that it is deployed by threat actors who have already bypassed or evaded other defenses and gained remote access to a server to run commands at will. The best practice to defend against advanced threats is to implement a defense-in-depth strategy that includes not only anti-virus and firewalls, but also Managed Detection and Response (MDR) capabilities on workstations and servers. Security Operations Center analysts using MDR solutions can recognize early signs of attacker behaviors and put a stop to ransomware and other threats early in the lifecycle of an attack before the threat actors cause major damage.

Source: https://www.intezer.com/blog-purelocker-ransomware-being-used-in-targeted-attacks-against-servers/