Two New, Unconventional Ransomware Programs Might Be Coming Your Way

Two new ransomware variants — AnteFrigus and PureLocker — made the rounds in November 2019. Learn why these programs caught the attention of security experts.

Although numerous ransomware variants exist, they often exhibit common behaviors and use similar tools and techniques. But that’s not the case for two variants discovered in November 2019. AnteFrigus and PureLocker are unconventional ransomware programs that have caught the attention of security experts.

AnteFrigus

When it comes to ransomware programs, security researchers aren’t usually left wondering why the creators designed the programs they way they did. However, AnteFrigus has left researchers scratching their heads, wondering “Why did its creator do that?”

Typically, ransomware programs find out what drives and network shares are accessible on a computer and then try to encrypt the files on those drives and shares. The local C drive is of particular interest, as this is where most people store their files.

AnteFrigus, however, does not encrypt any data on the C drive or on unmapped network shares. Instead, it only targets a computer’s D, E, F, G, H, and I drives. Security experts are uncertain whether this peculiar behavior is a feature or a flaw in the ransomware code.

The experts do know, though, how AnteFrigus is spread. Cybercriminals are using malvertising to redirect people to a page that installs the RIG exploit kit. In this case, the kit looks for Microsoft Internet Explorer vulnerabilities that it can exploit to install AnteFrigus on the victim’s computer. If successful, the ransomware encrypts files on the aforementioned drives and displays a ransom note that contains a link to the Tor payment site. On that site, the victim is given the ransom amount and a Bitcoin address to which to send the payment. In one test, the ransom was listed as $1,995 [USD] but the victim is warned it will increase to $3,990 if not paid in four days.

PureLocker

While not as peculiar as AnteFrigus, PureLocker also displays some unconventional behavior. PureLocker is being used in targeted attacks against companies’ production servers. As a result, it does not immediate start encrypting files once installed like most ransomware programs do. Instead, PureLocker conceals itself by masquerading as a Crypto++ cryptographic library, which allows it to evade sandbox detection. Plus, it periodically checks to see if it is being scrutinized. If any of the checks fail, it will exit without deleting itself to avoid raising any red flags. PureLocker executes only when certain conditions are met. In one case, PureLocker waited more than three weeks before executing, evading detection the entire time.

Another oddity that sets PureLocker apart is that it is written in PureBasic. Cybercriminals seldomly use this programming language to write ransomware programs.

Like AnteFrigus, PureLocker displays a note that does not specify the ransom amount. Instead, the note provides a unique Proton email address that the victim must use to find out this information.

How to Defend Your Business

To defend against AnteFrigus, PureLocker, and other ransomware variants, consider taking these precautions:

• Use security software. It can help detect and block known ransomware.
• Make sure the operating system software and apps on your business’s computers are being updated regularly. Cybercriminals like to use exploit kits that target programs with known vulnerabilities so they can access victims’ computers. Patching these vulnerabilities reduces the number of exploitable entry points.
• Educate employees about the importance of avoiding questionable websites and any sites marked as potential security threats by their web browsers or security software. These websites might contain malvertising or other malicious code that could lead to a ransomware attack.
• Educate employees about other ways ransomware can get on computers, such as through phishing emails. Warn them about the dangers of clicking links and opening attachments in these emails.
• Keep email filtering tools up-to-date. These tools use various filters to help weed out phishing emails. Most email programs include filtering tools, but you can also purchase advanced filtering solutions.
• Make sure that Microsoft Word and Excel macros are disabled on computers running those apps. A ransomware attack can be initiated by malicious commands hidden inside a macro.
• Regularly back up your files and test those backups. As AnteFrigus and PureLocker demonstrate, cybercriminals are constantly creating new ransomware variants, so you need to be prepared for the possibility of a ransomware infection. If you regularly back up your systems and data, you won’t have to pay the ransom.

We can help you take the actions necessary to protect your business from ransomware.

WannaCry flickr photo by medithIT shared under a Creative Commons (BY) license