Last week, Intezer and IBM X-Force released new research identifying a new form of ransomware, which they named PureLocker. Written in PureBasic and designed to attack servers, this damaging new malware has been described as Malware-as-a-Service in a recent ZDNet article.
In their own blog post announcing the discovery, Intezer analysts said that they discovered similarities with the “more_eggs” backdoor malware that we identified in August. You may recall that more_eggs is frequently used by the Cobalt Gang, FIN6, and other large cybercrime organizations.
The PureLocker ransomware is designed to encrypt files on servers using a key that only the attackers hold, and then display a message demanding that the victim contact an email address to negotiate payment. According to ZDNet reporting, victims have seven days to provide the ransom or the hackers delete the private key, rendering the files irretrievable.
Intezer, in their detailed malware analysis, writes that legacy antivirus solutions “have trouble generating reliable detection signatures for PureBasic binaries. In addition, PureBasic code is portable between Windows, Linux, and OS-X, making targeting different platforms easier.”
PureLocker’s use on servers means it’s designed to strike at the most critical pieces of corporate infrastructure. Ransoms for locked-up servers easily run into the hundreds of thousands, and the use of PureLocker by sophisticated cybercrime groups means this is likely their goal.
"Targeting servers means the attackers are trying to hit their victims where it really hurts, especially databases which store the most critical information of the organization," Michael Kajiloti, security researcher at Intezer, told ZDNet.
We don’t know yet how many organizations have been impacted by PureLocker, but Intezer noted that the malware remained undetected for more than three weeks, which is rare for a malicious file.
According to Intezer, the malware is part of a targeted attack chain and leverages several evasion and anti-analysis techniques to avoid detection. If it’s allowed to run, PureLocker encrypts all of the victim’s data files with the AES+RSA cryptographic algorithms. Victims are then told to email a ProtonMail address so they can be told the ransom amount.
We’ve confirmed that Morphisec’s Server Protector prevents this new PureLocker malware from executing. It does this without prior knowledge of the malware because our Moving Target Defense solution doesn’t rely on signature-based detection. This is especially crucial in this case, given that antivirus software tends to have trouble generating reliable detection signatures for PureBasic binaries.
We’re proud that customers leveraging Morphisec’s threat prevention platform for their servers are protected from this damaging new attack. The PureLocker campaign is still ongoing, and difficulties with legacy AV picking up on this attack could mean we see more victims before the campaign is done. Morphisec’s customers can rest easy though, knowing that they’re protected from this and other advanced threats.