The PureLocker ransomware is reportedly being used in targeted attacks against business servers.
PureLocker Ransomware Attacking Servers!
The previously undetected server-locking malware was detailed in research by cybersecurity researchers at Intezer and IBM X-Force, who named it PureLocker because it is written in the PureBasic programming language.
It is rare for ransomware to be written in PureBasic, but the language offers advantages to attackers: security vendors often fail to produce valid signatures for malicious software written in it. PureBasic code can also be ported between Windows, Linux, and OS X, which makes it easier for attackers to target multiple platforms.
Together with @IBMSecurity we have identified a new, undetected #ransomware being used in targeted attacks against enterprise production servers. Code reuse analysis points its origins to a MaaS provider utilized by #CobaltGang & #FIN6 attack groups. https://t.co/S9U4X2dlQi
— Intezer (@IntezerLabs) November 12, 2019
According to the official blog post by Intezer Labs malware researcher Michael Kajiloti, code reuse analysis reveals that the malware is closely related to the 'more_eggs' backdoor, which is available on the dark web and has already been used by several threat actors. According to the study, the attacks target both Windows and Linux servers, yet the malware evaded detection for weeks.
In this scenario, attacks were conducted against servers in order to hold them hostage and only return them to service after payment of a cryptocurrency ransom. Ransomware attacks on servers often lead to payment demands of hundreds of thousands of dollars in exchange for system decryption and may be accompanied by a threat to destroy the data if the ransom is not paid.
These tools have been used by some of today's most prolific cybercriminal groups, including Cobalt Gang and FIN6, and the ransomware shares code with those groups' previous campaigns.
It is not yet clear how this malware is being distributed, and further research is under way.