Threat Watch

Ransomware with No Known Decryptor Discovered

The Data Security Council of India (DSCI) released an advisory about file-locking malware likely spreading through spam emails, phishing, and malicious URLs. Researchers have dubbed the ransomware Alkhal, and says it locks files in affected systems and creates two ransom notes, ReadMe.txt and ReadMe.bmp, which are identical in nature. The DSCI did not disclose details on the origin of the ransomware or the threat actor(s) behind it, but said the infection occurs through peer-to-peer networks and third-party downloaders.

Researchers at Cyclonis say the Trojan adds a ‘.alkhak’ suffix to all locked files and changes the desktop wallpaper to display the instructions on how to pay the ransom with the file ‘Recovery.bmp’. Experts at EnigmaSoft say that Alkhal does not change the names of the encrypted files, differing greatly from other ransomware.

No tools are available to restore encrypted files, which means the decryption key can only be obtained from the ransomware operators. The ransom note also mentions that the victim will receive information on the vulnerability used to access the victim’s data and instructions on how to patch it if the victim pays the ransom. It also claims that the ransom operators will recommend “special software that makes the most problems to hackers”.

ANALYST NOTES

To protect against ransomware attacks, companies should regularly back up data and password protect backup copies offline. Installing patches as soon as they are available can ensure that groups such as this will not have the chance to exploit vulnerabilities and eventually lock files. Use strong passwords and regularly change passwords to network systems and accounts, implementing the shortest acceptable timeframe for password changes. Implement security event monitoring on employee workstations and servers. Using a service such as Binary Defense’s Managed Detection and Response that looks for attacks being carried out through behavior-based detection and stops them through 24/7 Security Operations, is highly recommended for all organizations.

https://www.inforisktoday.com/new-file-locking-malware-no-known-decryptor-found-a-17673?&web_view=true