Ransomware remains one of the most feared attacks, mainly because many organizations still don't follow basic cyber security hygiene, including backing up data and patching software.
The latest strain made a brief appearance over the weekend, when researchers saw it being distributed through the EITest malware campaign into the RIG exploit kit. Dubbed PyCL by Bleeping Computer because it is written in Python, the ransomware was distributed for only one day and didn't securely encrypt files, which leads the article's author to suspect it may have been a test run. If so, infosec teams should pay attention, because a finished version could follow.
It was spread through hacked sites that redirected visitors to the RIG exploit kit, which would then try to exploit vulnerabilities on the computer in order to install the ransomware. "The PyCL Ransomware is distributed as an NSIS installer that contains a Python package that is used to encrypt a computer and a tutorial on how to pay the ransom," says the article. "PyCL also communicates back to the Command & Control (C2) server at each stage of the process in order to provide debugging/status information to the developer."
PyCL first checks whether the user has administrative privileges and, if so, deletes the volume shadow copies, which would otherwise let a victim restore earlier versions of files. It then sends a POST request to the C2 server containing the victim's Windows version, whether the victim has administrative privileges, the screen resolution, processor architecture, computer name, user name, and the MAC address of the primary network adapter. The C2 responds with an RSA-2048 public key, a bitcoin payment address, the ransom amount in bitcoins, and the ransom amount in US dollars.
Oddly, this version of the malware then makes a copy of each file and encrypts the copy with a unique AES-256 key, but the original files aren't deleted, so the victim's data stays intact. If, or when, this ransomware is fully released that may change.
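The one step in the PyCL flow above that a defender can reliably catch before any file is touched is the deletion of volume shadow copies, which only happens when the installer runs with administrative privileges. The following detection is an added example written for this page, not code from Bleeping Computer or from the malware itself. The article does not say which command PyCL uses to remove shadow copies, so the rules below cover the usual ways of doing it on Windows (vssadmin, wmic, PowerShell against Win32_ShadowCopy, bcdedit and wbadmin, all grouped under MITRE ATT&CK T1490). The log lines are constructed, in an assumed pipe-separated flattening of Sysmon process-creation events; the "suspicious parent" heuristic (a deletion launched from Temp, AppData or Downloads) is an assumption of this example, chosen because the PyCL NSIS installer would typically run from such a location.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of Windows process-creation events (Sysmon Event ID 1 style),
# flattened to "time|host|user|integrity|parent_image|image|command_line".
# Not real PyCL telemetry: the article does not say which tool PyCL invokes.
SAMPLE_EVENTS = """\
2017-04-03T10:12:01|WS-017|CORP\\jdoe|High|C:\\Users\\jdoe\\AppData\\Local\\Temp\\setup.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
2017-04-03T10:12:02|WS-017|CORP\\jdoe|High|C:\\Users\\jdoe\\AppData\\Local\\Temp\\setup.exe|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete
2017-04-03T10:15:44|WS-017|CORP\\jdoe|Medium|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe readme.txt
2017-04-03T11:02:10|WS-022|CORP\\backupsvc|High|C:\\Windows\\System32\\services.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe list shadows
2017-04-03T11:05:00|WS-022|CORP\\admin|High|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell -nop -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"
2017-04-03T11:06:00|WS-022|CORP\\admin|High|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} recoveryenabled no
"""

# Rules for T1490 (Inhibit System Recovery): (name, regex over the lower-cased command line).
SHADOW_COPY_RULES = [
    ("vssadmin delete shadows", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows")),
    ("vssadmin resize shadowstorage", re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage")),
    ("wmic shadowcopy delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete")),
    ("powershell Win32_ShadowCopy delete",
     re.compile(r"win32_shadowcopy.*(\.delete\(\)|remove-wmiobject|remove-ciminstance)")),
    ("bcdedit disable recovery", re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no")),
    ("wbadmin delete catalog", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog")),
]

# Assumed heuristic: a shadow-copy deletion whose parent lives in a user-writable
# directory is far more suspicious than one spawned by services.exe or an admin shell.
USER_WRITABLE_PARENT_MARKERS = ("\\temp\\", "\\appdata\\", "\\downloads\\")


@dataclass
class Event:
    time: str
    host: str
    user: str
    integrity: str
    parent_image: str
    image: str
    command_line: str


@dataclass
class Alert:
    rule: str
    event: Event
    elevated: bool          # High integrity: the article says PyCL only deletes shadows as admin
    suspicious_parent: bool  # parent launched from Temp/AppData/Downloads


def parse_events(text: str) -> List[Event]:
    """Parse the flattened log. maxsplit=6 keeps '|' inside PowerShell pipelines intact."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|", 6)
        if len(fields) != 7:
            raise ValueError(f"malformed event: {line!r}")
        events.append(Event(*fields))
    return events


def match_rule(command_line: str) -> Optional[str]:
    """Return the name of the first T1490 rule the command line matches, else None."""
    lowered = command_line.lower()
    for name, pattern in SHADOW_COPY_RULES:
        if pattern.search(lowered):
            return name
    return None


def detect_shadow_copy_tampering(events: List[Event]) -> List[Alert]:
    """Flag every process-creation event that removes or disables system recovery data."""
    alerts = []
    for ev in events:
        rule = match_rule(ev.command_line)
        if rule is None:
            continue
        parent = ev.parent_image.lower()
        suspicious_parent = any(m in parent for m in USER_WRITABLE_PARENT_MARKERS)
        alerts.append(Alert(rule, ev, ev.integrity.lower() == "high", suspicious_parent))
    return alerts


if __name__ == "__main__":
    for a in detect_shadow_copy_tampering(parse_events(SAMPLE_EVENTS)):
        flag = "HIGH" if a.suspicious_parent else "review"
        print(f"[{flag}] {a.event.time} {a.event.host} {a.event.user} "
              f"elevated={a.elevated} rule={a.rule!r}: {a.event.command_line}")
```

On the constructed sample this flags four of the six events: the two launched from the installer in Temp as high-priority, and the admin's PowerShell and bcdedit commands for review, while `vssadmin list shadows` from a backup service is ignored. Tuning the parent-image heuristic to your own estate (backup agents that legitimately resize shadow storage, for instance) is the main piece of work before putting such a rule in production.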
Separately, Trend Micro reported that the Cerber family of ransomware has adopted a new loading technique that makes it harder to detect with security software that relies on machine learning. The loader checks whether the malware is running in a virtual machine (VM) or a sandbox, whether certain analysis tools are running on the machine, and whether certain AV products are present. If any of these checks indicates an analysis environment, the malware stops running.
The new packaging and loading mechanism can cause problems for static machine learning approaches, such as those that analyze a file without executing or emulating it, says Trend Micro. "All self-extracting files may look similar by structure, regardless of the content. Unpacked binaries with limited features may not look malicious either. In other words, the way Cerber is packaged could be said to be designed to evade machine learning file detection. For every new malware detection technique, an equivalent evasion technique is created out of necessity."
This new evasion technique does not defeat an anti-malware approach that uses multiple layers of protection, the vendor adds. "Cerber has its weaknesses against other techniques. For instance, having an unpacked .DLL file will make it easy to create a one-to-many pattern; alternatively, having a set structure within an archive will make it easier to identify if a package is suspicious. Solutions that rely on a variety of techniques, and are not overly reliant on machine learning, can still protect customers against these threats."