Sunday, September 8, 2024
HomeComputer SecurityPureLocker Ransomware Attack Enterprise Production Servers and Encrypt Files in Windows, Linux,...

PureLocker Ransomware Attack Enterprise Production Servers and Encrypt Files in Windows, Linux, & macOS

Published on

Researchers discovered a new PureLocker Ransomware that capable of encrypting files in Windows, Linux, and macOS. The ransomware used by threat actors to perform a targeted attack against production servers of the enterprise networks.

Code reuse analysis against Purelocker reveals that the ransomware related to the “more_eggs”,  a backdoor malware often used by Cobalt Gang, FIN6 threat actors and is sold in the dark web.

The ransomware is written in the PureBasic programming language and it is very difficult for AV vendor to write a signature for PureBasic binaries and is portable between Windows, Linux, and OS-X.

- Advertisement - EHA

PureLocker Ransomware mainly targeting both Windows and Linux infrastructure and the attackers using a lot more evasion techniques to fly under the radar and undetected the ransomware for several months.

PureLocker distributed as a Ransomware-as-a-Service Being Used in Targeted Attacks Against Enterprise Servers.

PureLocker Sample Analysis

A ransomware sample that compatible with Windows that posed as C++ cryptography library called Crypto++ and the researchers digging deeper and analyzed the sample and find the following keys.

1.There is no Crypto++ code connection here, meaning the sample is not a Crypto++ library.

2. The file contains reused code from several malware families, mainly from Cobalt Gang binaries. This means the file is malicious and may have relations to Cobalt Gang.

3. The majority of the relevant code in this file is unique, indicating that it’s likely a new or highly modified malware.

PureLocker Ransomware
PureLocker Ransomware

During the infection, the malware code starts checking to ensure that the file executed as expected by malware authors and the malware exit if it fails any one of these checks.

Once the malware executes its payload, then it deletes itself and also using the anti-analysis technique will never let rise suspicion.

According to Intezer research, In the event that all anti-analysis and integrity tests performed by the malware are satisfied, it proceeds to encrypt the files on the victim’s machine with the standard AES+RSA combination, using a hard-coded RSA key. 

After it completes the encryption process, The ransomware adds the “.CR1” extension for each encrypted file and delete the original file to prevent the recovery.

Later the Purelocker drops the ransom note file on the user’s desktop named YOUR_FILES(.)txt.

PureLocker Ransomware
Ransom Note

Ransom note doesn’t contain any payment information, instead, attacker request users to contact via email. for that, they are using anonymous and encrypted Proton email service.

“Since this is a RaaS, we believe this string is most likely the identifier of the group that is operating these specific samples,” Intezer said.

You can also read the complete Ransomware Attack Response and Mitigation Checklist.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Vulnerabilities in IBM Products Let Attackers Exploit & Launch DOS Attack

IBM has issued a security bulletin addressing critical vulnerabilities in its MQ Operator and...

BBTok Abuses Legitimate Windows Utility Command Tool to Stay Undetected

Cybercriminals in Latin America have increased their use of phishing scams targeting business transactions...

Predator Spyware Exploiting “one-click” & “zero-click” Flaws

Recent research indicates that the Predator spyware, once thought to be inactive due to...

Tropic Trooper Attacks Government Organizations to Steal Sensitive Data

Tropic Trooper (aka KeyBoy, Pirate Panda, and APT23) is a sophisticated cyberespionage APT group,...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

Fog Ransomware Now Targeting the Financial Sector; Adlumin Thwarts Attack

The Fog Ransomware group, known for targeting education and recreation sectors, has expanded its...

Notorious Mallox Ransomware Evolved From Private Ransomware to RaaS

Mallox is a sophisticated ransomware that is known for its destructive capabilities and multi-extortion...

Head Mare Hacktivist Group Exploit WinRAR Vulnerability To Encrypt Windows And Linux

Head Mare, a Russian-focused hacktivist group, gained notoriety in 2023 by targeting organizations in...