In 2019, the resurgence of ransomware is still in full swing. Since the beginning of the year, a veritable litany of companies and organizations have suffered at the hands of this kind of malware: local governments, manufacturers, hospitals, producers, critical infrastructure

While we know who the victims of these ransomware attacks are, more often than not, the strain of malware used in the incidents remains unknown. Some exceptions include RobbinHood, the ransomware used in Baltimore, which was detected several months later showing off about its success; or LockerGoga, the ransomware that forced Norsk Hydro to disconnect 22,000 computers in 40 countries.

PureLocker: a new ransomware with unusual tactics

We have now seen another ransomware variant that is threatening organizations worldwide. PureLocker is a piece of ransomware that is being used in targeted attacks against company servers, and seems to have links with notorious cybercriminal groups.

This malware, which encrypts its victims’ servers in order to demand a ransom, has been analyzed by researchers at Intezer and IBM X-Force. They called it PureLocker because it is written in the programming language PureBasic. This choice of language is unusual, but offers the attackers several advantages, such as the fact that cybersecurity providers often struggle to generate trustworthy detection signatures for malicious software written in this language.  PureBasic is also easily transferable between Windows, Linux and OX-X, which greatly facilitates attacks on other platforms.

Servers in the firing line

Choosing to target servers could be a way to try to get higher sums from its victims. Attacks on servers often lead to ransom demands of hundreds of thousands of euros. This is because organizations tend to store their most important data on servers and are therefore more likely to be willing to pay higher sums to recover this critical information.

Although we don’t have data on the number of victims that this ransomware has claimed, the security researchers have confirmed that this is an active campaign. What’s more, it seems that PureLocker is being offered as a service. It is believed that this ‘ransomware-as-a-service’ is offered exclusively to cybercriminal organizations that can afford to pay a high price.

According to Michael Kajiloti, security researcher at Intezer, “It’s probably rather expensive and somewhat exclusive due to the fact that there are relatively few actors using the specific malware-as-a-service and the level of sophistication of its offering,”

An exclusive backdoor

The source code of PureLocker offers some clues as to its exclusive nature, such as the fact that it contains strings from the ‘more_eggs’ backdoor malware, which is sold by ‘veteran’ malware service providers. Some of the most notorious cybercriminal groups around at the moment use these tools, including Cobalt Gang and FIN6, and PureLocker seems to share some code with campaigns previously carried out by these groups. This indicates that PureLocker was designed for criminals who know what they are doing and are capable of attacking large companies.

PureLocker victims receive a ransom note that tells them to contact an email address where they can negotiate the payment to decrypt their files. It also tells them that they have just seven days to pay up; should they fail to meet this deadline, the decryption key will be erased.

Protect yourself against advanced attacks

The cybersecurity researchers who have analyzed this ransomware are still unsure as to how it is delivered to victims. However, more_eggs attacks begin with phishing emails. The similarities between this malware and PureLocker suggest that it possible that this ransomware starts the same way.

Given that no one knows exactly how it gets onto its victims’ servers, the only way to protect against PureLocker is to use a zero-trust approach in order to ensure that no door is left open to cybercrime. Any email that is even slightly suspicious must be sent straight to the IT security department, and attachments from unknown senders must never be opened.

Another measure that is a must is every company is an advanced cybersecurity solution. Panda Adaptive Defense constantly monitors every process executed on the organization’s systems. If it discovers any suspicious or unknown process, it blocks it immediately and stops it from running until it can be totally sure that it is trustworthy. This way, you’ll be protected against any threat, regardless of its nature.

What’s more, Panda Adaptive Defense isn’t based on signatures. This means that, even if a piece of malware contains mechanisms to hinder the creation of detection signatures, as is the case with PureLocker, our advanced cybersecurity solution is capable of detecting and blocking the threat.

This PureLocker campaign is currently active. Because of the tricks that it uses, it can be a serious danger for the information stored in a wide range of companies. Don’t become the next victim of PureLocker, and protect yourself with Panda Security.