Two new ransomware variants — AnteFrigus and PureLocker — made the rounds in November 2019. Learn why these programs caught the attention of security experts.
Although numerous ransomware variants exist, they often exhibit common behaviors and use similar tools and techniques. But that’s not the case for two variants discovered in November 2019. AnteFrigus and PureLocker are unconventional ransomware programs that have caught the attention of security experts.
When it comes to ransomware programs, security researchers aren’t usually left wondering why the creators designed the programs the way they did. However, AnteFrigus has left researchers scratching their heads, wondering “Why did its creator do that?”
Typically, ransomware programs find out what drives and network shares are accessible on a computer and then try to encrypt the files on those drives and shares. The local C drive is of particular interest, as this is where most people store their files.
AnteFrigus, however, does not encrypt any data on the C drive or on unmapped network shares. Instead, it only targets a computer’s D, E, F, G, H, and I drives. Security experts are uncertain whether this peculiar behavior is a feature or a flaw in the ransomware code.
The experts do know, though, how AnteFrigus is spread. Cybercriminals are using malvertising to redirect people to a page that installs the RIG exploit kit. In this case, the kit looks for Microsoft Internet Explorer vulnerabilities that it can exploit to install AnteFrigus on the victim’s computer. If successful, the ransomware encrypts files on the aforementioned drives and displays a ransom note that contains a link to the Tor payment site. On that site, the victim is given the ransom amount and a Bitcoin address to which to send the payment. In one test, the ransom was listed as $1,995 [USD], but the victim is warned it will increase to $3,990 if not paid in four days.
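The drive-selection quirk has a practical consequence for defenders: file-activity monitoring that only watches the system drive would never see AnteFrigus at work. The script below is an added illustration, not code from the article or from any malware sample. It runs a simple burst detector over a constructed file-event log (the log format, process IDs, paths and thresholds are all made up for this example) and flags any process that rewrites many distinct files on one drive within a short window, then notes whether that process stayed entirely within the D: through I: set the article describes while never touching C:.

```python
"""Added example: detect a per-process burst of file rewrites on the
D:-I: drives.  The event format, sample values and thresholds are
constructed for illustration; nothing here is taken from a real sample."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Drives the article says AnteFrigus encrypts; C: is notably absent.
TARGET_DRIVES = {"D", "E", "F", "G", "H", "I"}


def parse_event(line):
    """Parse one constructed log line: '<ISO time> <pid> <ACTION> <path>'."""
    ts, pid, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), int(pid), action.upper(), path


def drive_letter(path):
    """Return the drive letter of a Windows path, or None for UNC/relative paths."""
    if len(path) >= 2 and path[1] == ":" and path[0].isalpha():
        return path[0].upper()
    return None


def find_bursts(lines, window=timedelta(seconds=60), threshold=20):
    """Return (flagged, touched).

    flagged: {pid: {drive: distinct files rewritten}} for processes that
             WRITE/RENAME at least `threshold` distinct files on one drive
             inside a sliding `window`.
    touched: {pid: set of drive letters the process modified at all}.
    """
    recent = defaultdict(deque)  # pid -> deque of (ts, drive, path) in the window
    touched = defaultdict(set)
    flagged = {}
    for line in lines:
        ts, pid, action, path = parse_event(line)
        if action not in ("WRITE", "RENAME"):
            continue  # reads and deletes are ignored for this simple heuristic
        drive = drive_letter(path)
        if drive is None:
            continue  # unmapped/UNC paths are outside this example's scope
        touched[pid].add(drive)
        q = recent[pid]
        q.append((ts, drive, path))
        while q and ts - q[0][0] > window:
            q.popleft()  # keep only events inside the sliding window
        per_drive = defaultdict(set)
        for _, d, p in q:
            per_drive[d].add(p)
        counts = {d: len(ps) for d, ps in per_drive.items() if len(ps) >= threshold}
        if counts:
            flagged.setdefault(pid, {}).update(counts)
    return flagged, touched


def matches_drive_profile(touched_drives):
    """True when a process modified files only on the article's D:-I: set."""
    return bool(touched_drives) and touched_drives <= TARGET_DRIVES


def constructed_log():
    """Build a small synthetic event log (not real telemetry)."""
    base = datetime(2019, 11, 20, 9, 0, 0)
    lines = []
    # pid 4242: 25 renames on D: and 25 on E: inside 50 seconds, nothing on C:
    for i in range(50):
        drive = "D" if i % 2 == 0 else "E"
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} 4242 RENAME {drive}:\\docs\\file{i}.docx")
    # pid 1000: an editor saving a handful of files on C: (benign)
    for i in range(5):
        t = base + timedelta(seconds=i * 10)
        lines.append(f"{t.isoformat()} 1000 WRITE C:\\Users\\alice\\notes{i}.txt")
    # pid 7: 25 writes on C: spread over 10 minutes, a backup job rather than a burst
    for i in range(25):
        t = base + timedelta(seconds=i * 25)
        lines.append(f"{t.isoformat()} 7 WRITE C:\\backup\\chunk{i}.bin")
    return sorted(lines)  # ISO timestamps sort chronologically as strings


if __name__ == "__main__":
    flagged, touched = find_bursts(constructed_log())
    for pid, counts in flagged.items():
        profile = "D:-I: only" if matches_drive_profile(touched[pid]) else "mixed drives"
        print(f"pid {pid}: {counts} ({profile})")
```

The threshold and window are deliberately coarse; in practice they would be tuned against the host's normal activity, and the drive-profile check is only a hint that a flagged burst resembles the behaviour described above, not proof of a particular family.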
While not as peculiar as AnteFrigus, PureLocker also displays some unconventional behavior. PureLocker is being used in targeted attacks against companies’ production servers. As a result, it does not immediately start encrypting files once installed, as most ransomware programs do. Instead, PureLocker conceals itself by masquerading as a Crypto++ cryptographic library, which allows it to evade sandbox detection. Plus, it periodically checks to see if it is being scrutinized. If any of the checks fail, it will exit without deleting itself to avoid raising any red flags. PureLocker executes only when certain conditions are met. In one case, PureLocker waited more than three weeks before executing, evading detection the entire time.
Another oddity that sets PureLocker apart is that it is written in PureBasic. Cybercriminals seldom use this programming language to write ransomware programs.
Like AnteFrigus, PureLocker displays a note that does not specify the ransom amount. Instead, the note provides a unique Proton email address that the victim must use to find out this information.
How to Defend Your Business
To defend against AnteFrigus, PureLocker, and other ransomware variants, consider taking these precautions:
We can help you take the actions necessary to protect your business from ransomware.