Unusual ‘PureLocker’ Ransomware is Attacking Enterprise Servers

Nov. 13, 2019



According to the official blog post from Intezer Labs malware researcher Michael Kajiloti, code reuse analysis shows that the malware is closely related to the ‘more_eggs’ backdoor, which is sold on the dark web and has already been used by multiple threat actors. As per the report, the attack targets both Windows and Linux servers, and the malware evaded detection for weeks, helped in part by reusing code from the aforementioned backdoor.

The ransomware is written in the PureBasic programming language, which makes it a rather uncommon sight in the malware domain. According to Kajiloti, however, the unusual choice works to the attacker’s advantage, because “AV vendors have trouble generating reliable detection signatures for PureBasic binaries”. In addition, PureBasic code is portable between Windows, Linux, and OS X (macOS), making it easier to target different platforms with the same code base.

It is not yet clear exactly how the malware is being delivered to victims, but infected systems receive ransom notes containing an email address through which the victim is expected to negotiate a fee for decrypting the files. The victims are also told that they have only seven days to pay the ransom; after that, the private key will be deleted, rendering the locked files unrecoverable.

Intezer Labs has published a detailed, technical post about the malware and its MO, and you can access all that info via the link above.
