Like we don’t have enough ransomware floating around destroying international businesses. Enter two new ransomware forms. Two newly discovered forms of ransomware with quite different characteristics show just how diverse the world of ransomware has become as more cybercriminals attempt to join in with the ‘cyber extortion’ game. Both forms of ransomware emerged last month and were described by cybersecurity researchers as AlumniLocker and Humble, with the two versions attempting to extort a Bitcoin ransom in different ways.
AlumniLocker is a variant of Thanos ransomware and immediately stands out for demanding payment of 10 Bitcoins from the infected victim, the equivalent of around $450,000. The ransomware is delivered to victims via a malicious PDF attachment, claiming to be an invoice, that is distributed in phishing emails. The PDF contains a link that downloads a ZIP archive; the archive runs a PowerShell script that drops the payload and executes the ransomware. Like an increasing number of ransomware campaigns, the attackers controlling AlumniLocker threaten to publish data stolen from the victim's network if they are not paid within 48 hours, though some security professionals speculate that since the ransom demand is so large, victims may decide it is too much to pay. The ambitious ransom demand and other inconsistencies in their attack techniques, including the fact that the data leak site does not actually work, could indicate that those behind AlumniLocker are probably just starting out with this new tool.
Humble ransomware also first appeared during February 2021 but is considerably different in many ways. Its ransom demand is much smaller, just 0.0002 Bitcoins, currently just under $10, for the return of files, indicating that Humble might be targeting individuals rather than organizations. It is not yet known exactly how Humble is delivered, but researchers note that it is likely to be via phishing attacks. To push victims towards paying the ransom, Humble threatens the victim by stating that if they restart their system, the Master Boot Record (MBR) will be rewritten, rendering the machine unusable. The second version of Humble carries the same threat but instead says this will happen if the victim does not pay within five days. Humble is unusual for ransomware in being written as a batch file and compiled into an executable with the Bat2Exe wrapper. Interestingly, it uses Discord, a voice, text, and video communications service popular among gamers, to send reports back to its author. Both forms of new ransomware are unusual, but both demonstrate that ransomware continues to be appealing to cybercriminals who see how the top gangs are making so much money and want to do the same. Organizations can help protect themselves from ransomware attacks with cybersecurity procedures including applying patches and using multi-factor authentication.
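As an added detection example (not code from the original post or from the researchers it cites), the following script flags the two behaviours described above in Sysmon-style endpoint telemetry: a PowerShell host spawned by a PDF reader or archive handler, as in the AlumniLocker invoice chain, and a non-client process reporting to Discord, as Humble does. The event lines, the parent-process watchlist and the Discord client allowlist are constructed assumptions for this example and should be tuned to your own environment.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style event lines (EventID 1 = process create, 3 = network connect);
# they are sample data for this example, not real telemetry.
SAMPLE_EVENTS = [
    r"EventID=1 Image=C:\Program Files\Adobe\Acrobat Reader\AcroRd32.exe ParentImage=C:\Windows\explorer.exe",
    r"EventID=1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Users\u\AppData\Local\Temp\7zFM.exe CommandLine=powershell.exe -File invoice.ps1",
    r"EventID=1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Windows\explorer.exe CommandLine=powershell.exe",
    r"EventID=3 Image=C:\Users\u\AppData\Local\Temp\humble.exe DestinationHostname=discord.com DestinationPort=443",
    r"EventID=3 Image=C:\Program Files\Discord\Discord.exe DestinationHostname=discord.com DestinationPort=443",
]

# Assumed watchlists: document/archive handlers that should not normally launch a script host,
# and processes legitimately expected to talk to Discord (tune for your estate).
DOC_ARCHIVE_HANDLERS = {"acrord32.exe", "foxitreader.exe", "7zfm.exe", "winrar.exe", "winzip64.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
DISCORD_CLIENTS = {"discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"}


def parse_event(line: str) -> Dict[str, str]:
    """Split a 'Key=value Key=value' line; values may contain spaces but keys may not."""
    return {k: v for k, v in re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", line)}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, e.g. 'C:\\x\\Foo.exe' -> 'foo.exe'."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(lines: List[str]) -> List[str]:
    """Return one alert string per suspicious event, in input order."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        image = basename(ev.get("Image", ""))
        parent = basename(ev.get("ParentImage", ""))
        host = ev.get("DestinationHostname", "").lower()
        if ev.get("EventID") == "1" and image in SCRIPT_HOSTS and parent in DOC_ARCHIVE_HANDLERS:
            alerts.append(f"script host spawned by document/archive handler: {parent} -> {image}")
        elif ev.get("EventID") == "3" and host.endswith("discord.com") and image not in DISCORD_CLIENTS:
            alerts.append(f"non-client process connecting to Discord: {image} -> {host}")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Explorer-launched PowerShell is deliberately not flagged, since administrators start it that way routinely; the signal is the parent being a reader or archiver.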
Some researchers theorize that phishing campaigns will be scrutinized more closely because of the recent SolarWinds hack, combined with the current US president's heightened focus on cybersecurity. Experts agree that this will result in higher cyber vigilance within government agencies, and that is good.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
https://attendee.gotowebinar.com/register/3702558539639477516
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941