Follow Slashdot stories on Twitter

 


Forgot your password?
Close
typodupeerror
×
Databases Encryption Privacy Security

Unusual New 'PureLocker' Ransomware Is Going After Servers (zdnet.com) 22

Posted by BeauHD from the hitting-them-where-it-hurts dept.
Researchers at Intezer and IBM X-Force have detected an unconventional form of ransomware that's being deployed in targeted attacks against enterprise servers. They're calling it PureLocker because it's written in the PureBasic programming language. ZDNet reports: It's unusual for ransomware to be written in PureBasic, but it provides benefits to attackers because sometimes security vendors struggle to generate reliable detection signatures for malicious software written in this language. PureBasic is also transferable between Windows, Linux, and OS-X, meaning attackers can more easily target different platforms. "Targeting servers means the attackers are trying to hit their victims where it really hurts, especially databases which store the most critical information of the organization," Michael Kajiloti, security researcher at Intezer told ZDNet.

There's currently no figures on the number PureLocker victims, but Intezer and IBM X-Force have confirmed the ransomware campaign is active with the ransomware being offered to attackers 'as-a-service.' However, it's also believed than rather than being offered to anyone who wants it, the service is offered as a bespoke tool, only available to cyber criminal operations which can afford to pay a significant sum in the first place. The source code of PureLocker ransomware offers clues to its exclusive nature, as it contains strings from the 'more_eggs' backdoor malware. This malware is sold on the dark web by what researchers describe as a 'veteran' provider of malicious services. These tools have been used by some of the most prolific cyber criminal groups operating today, including Cobalt Gang and FIN6 -- and the ransomware shares code with previous campaigns by these hacking gangs. It indicates the PureLocker is designed for criminals who know what they're doing and know how to hit a large organization where it hurts.
This discussion has been archived. No new comments can be posted.

Unusual New 'PureLocker' Ransomware Is Going After Servers More

Unusual New 'PureLocker' Ransomware Is Going After Servers

Comments Filter:

  • so stupid. (Score:3)

    by Gravis Zero ( 934156 ) on Tuesday November 12, 2019 @08:35PM (#59408732)

    If these clowns were any good at programming then they could easily identify databases that contain corporate financial information and simply buy and transmit money without human interaction. I feel like cyber criminals aren't really trying anymore.

    • ... identify databases that contain corporate financial information and simply buy and transmit money without human interaction.

      Could you expand upon this a bit further?

      • Re: (Score:2)

        by Mashiki ( 184564 )

        Could you expand upon this a bit further?

        If the malware is looking for specific data to hold it ransom, it would probably be worth more to "other interested parties" then simply aiming for a short payoff.

        • Could you expand upon this a bit further?

          If the malware is looking for specific data to hold it ransom, it would probably be worth more to "other interested parties" then simply aiming for a short payoff.

          So "other interested parties" paying to know that you can never unlock your data? Or selling the data to a third party? Locking a system down with encryption is different than extracting data.

          Maybe the OP is saying that hackers have gotten lazy because they haven't developed malware that will lock you out of your data, siphon it off to remote storage locker, then offer it up for sale on the dark web. Either you pay to unlock and de-list it or a third party buys it first. tick tick tick tick

    • Re: (Score:3)

      by EvilSS ( 557649 )
      True, but their method doesn't require data exfiltration, which might be possible to catch and stop. And it doesn't require finding a buyer for the information. Quick and easy with low risk.

  • 2FA (Score:3, Funny)

    by quonset ( 4839537 ) on Tuesday November 12, 2019 @09:06PM (#59408780)

    The folks running these servers should use 2FA. So hot right now.

    • They already do. The second factor is the ransomware.

    • Re: (Score:3)

      by EvilSS ( 557649 )
      They may already be doing that. Ransomware doesn't require compromising credentials. It relies on poor data control and stupid users. The person who brings the ransomware into the environment has already authenticated. The ransomware runs under the user's credentials then spreads internally. You can have the best locks in the world, but if a user opens the door and invites the bad guys into the building, they won't do much good.

  • PureBASIC (Score:1, Informative)

    by XArtur0 ( 5079833 )

    ...PureBasic [...] provides benefits to attackers because sometimes security vendors struggle to generate reliable detection signatures for malicious software...

    Why is PureBasic (any BASIC?) harder to "generate reliable detection signatures" for?
    Does that mean its harder to hash the binaries?
    Does the executable modify itself at Runtime somehow (in memory and/or storage)?

    Thanks.

    • I have no idea, but I looked at some example PureBASIC code when this article hit and it definitely isnt a "pure BASIC" .. nor does it seem to be a traditional "evolved" structured BASIC like QB/TB/VB .. some strange stuff happening in there.

    • Re: (Score:3)

      by DarkOx ( 621550 )

      This is wild speculation but its based on some real world experience with various interpreted languages as developer and EDR software as an administrator on windows.

      Most EDR stuff including Microsoft's own stuff is really really brain dead. Its looking for either hashes or strings of known bad stuff, or doing some sorta scoring based on what API calls it sees a binary or script doing. The hackers cracking out exploits in python or powershell more often than not can dodge a signature check by just changing

      • No, Purebasic is an actual compiler, not an interpreted language. Source code is translated into assembly code which is then compiled into native executables.
    • Guessing that because PureBasic code is compiled directly to "highly optimized" assembly and doesn't rely on any particular run-time (such as vc/vc++/.net/etc) they can't use their lazy hash & grep methods.

    • Re: (Score:2)

      by tlhIngan ( 30335 )

      ...PureBasic [...] provides benefits to attackers because sometimes security vendors struggle to generate reliable detection signatures for malicious software...

      Why is PureBasic (any BASIC?) harder to "generate reliable detection signatures" for?
      Does that mean its harder to hash the binaries?
      Does the executable modify itself at Runtime somehow (in memory and/or storage)?

      no, it's because it's an interpreted language. The "compiled" code consists of an EXE stub that calls into a runtime and the tokenized vers

  • unfortunately, there was often information about attacks on corporate servers. The question is how strong is the protection of the company's software. Now one of the most effective methods is the use of blockchain technologies. About software with a good degree of protection, you can read the https://light-it.net/ [light-it.net]. LightIt actively uses blockchain technology in its development.

  • PureBasic is also transferable between Windows, Linux, and OS-X, meaning attackers can more easily target different platforms

    Are they talking a single binary? Or are they saying the compiler can target any of the three platforms? Or that the compiler runs on any of the three platforms?

  • What was the name of the Operating System this unconventional form of ransomware ran on and how did the malware initially compromise the servers?

Slashdot Top Deals

news: gotcha

Close