TL;DR
- A new ransomware, dubbed PureLocker, has been identified by researchers that is being used for targeted attacks against production servers of enterprises.
- It masquerades as a benign-looking Crypto++ cryptographic library.
- It will only infect a machine that passes certain checks, including a check to see if it has gained privileged access on it.
- It has remained undetected for a long time, which is quite uncommon for recently developed malware.
- Check if you anti-virus is capable of detecting this PureLocker here: VirusTotal
The Announcement
Researchers have identified a ‘new and undetected’ ransomware threat, dubbed PureLocker, that is being used for targeted attacks against production servers of enterprises. The word of emphasis here is ‘undetected’ because this ransomware has been lurking around the cyberspace without being detected for far longer than the average time for any recent malware.
Although researchers claim that PureLocker is built to target enterprise servers, they have not provided data to back this claim in their analysis article posted here. I have reached out to Michael Kajiloti, the original researcher for more information about this.
PureLocker Is Unique
Researchers have named the ransomware PureLocker because it was written in an unusual programming language called PureBasic. PureBasic is a native 32-bit and 64-bit programming language based on established BASIC rules. The key feature of PureBasic is Portability – Windows, Linux and OS X are currently supported.
PureBasic poses two advantages for the authors of PureLocker:
- The ransomware is interoperable, that means, the same code can be used to infect Windows, Mac as well as Linux platforms.
- Anti-virus and IDS/IPS vendors struggle to generate reliable detection signatures for malicious software written in PureBasic.
Choosing an interoperable language for malware scripting also indicates that hackers are now looking beyond Windows for greater impact. Because of the stealthy attack techniques employed by PureLocker, statistics on whether the ransomware was actually able to infect non-Windows machines is unavailable as of now.
Advanced Evasion Techniques
PureLocker uses unique evasion methods to avoid creating noise and only infects systems which pass the following checks:
- It checks whether it was executed using special flags that allow for silent installation without any popups
- After installation it checks whether it was indeed installed using the silent method
- It checks that the it’s file extension is .dll or .ocx
- It verifies that the current year is 2019
- It verifies that it has got privileged rights on the system
If any of these checks fail, the malware will exit without performing any malicious activity. This is an effort to avoid creating unnecessary noise by infecting a system which would not yield a higher return. This is atypical of ransomware which generally aim to infect as many systems as possible.
How It Infects
If all checks succeed, PureLocker encrypts all the files on the machines with the AES+RSA combination. The ransomware adds the“.CR1”extension for each encrypted file. It only encrypts data files and skips encryption for executable files. The malware does not rely on the operating system’s libraries to encrypt files. It rather relies on the compiled-in PureBasic crypto library.
The ransomware then secure-deletes the original files in order to prevent recovery through common data recovery methods. Once the malware has completed the encryption it leaves a text file on the user’s desktop named YOUR_FILES.txt which contains the below note.
This is another unusual trait exhibited by PureLocker. The message left for the system owner to decrypt files does not have any direct demand for a ransom amount. Rather, the victim is asked to contact an email address hosted on ProtonMail, an encrypted and anonymous email service provider.
Code Reuse Analysis
Malware researchers perform code reuse analysis to find code blocks in a malware that have been observed in already detected malware. This helps in identifying the probable actors behind the attack and hence the likely modus operandi.
Code reuse analysis of PureLocker has shown that it exhibits similar code as was earlier observed in the “more_eggs” malware kit. “more_eggs” is available as a ‘Malware As A Service (MaaS)’ on the dark net. However, it is hard to pin the author of PureLocker to be the same as that of more_eggs because although there are code similarities, majority of PureLocker code (97%) is completely new or has been extensively modified.
Are You Secured From PureLocker?
Visit the following VirusTotal malware analysis page to check whether your antivirus, IDS or IPS detects PureLocker:
PureLocker has been mutually researched by Intezer and IBM’s X-Force IRIS team. We thank them on behalf of the entire information security community.