July 9, 2015 By Jaikumar Vijayan 3 min read

Like many other malware products, ransomware tools, too, are becoming increasingly commoditized and available in handily packaged, ready-to-use forms.

The latest evidence of the trend comes from researchers at Cybereason Labs, who discovered a massive operation for distributing the malware with advanced persistent threat-like capabilities to Internet users around the world.

Operation Kofer

The researchers dubbed it Operation Kofer and have described it as the first to incorporate a nation-state level of complexity. A review of several Kofer variants from around the world suggested a single group of threat actors is behind the operation, according to the report “Operation Kofer: Mutating Ransomware Enters the Fray.”

All the variants that Cybereason sourced from sensors shared the same packaging and delivery techniques. But what makes Kofer noteworthy is the method the group uses to prevent its malware from being detected by conventional signature and hash-based techniques, the report noted.

Each variant incorporated enough random variables to sufficiently differentiate itself from others, making them hard to detect with a single signature or hash. The Kofer malware samples that Cybereason examined suggested that the threat actors behind the operation used some sort of algorithm to automatically mix and match different components when building each variant.

Common Attributes

Though each Kofer sample examined had a different hash and unique characteristics, they all also shared several common attributes. For example, the variants presented a fake icon, typically that of a PDF document. All the variants also used an innocuous-sounding file name, presumably to fool users into clicking.

In each case, the payload was stored in encrypted format as a harmless-looking resource inside a Portable Executable (PE). The threat actors behind the campaign also added several random dialogue boxes, strings and bitmaps to make the malicious files seem even more harmless to malware detection tools. Some of the variants that Cybereason examined were even designed to stop running if they were being opened inside a sandbox.

The actual ransomware payload was either CryptoWall 3.0 or Crypt0L0cker. Both malware tools have been widely applied in the past against Internet users around the world.

Ransomware Is a Growing Threat

This type of malware is a growing threat to Internet users. The tools are basically used to encrypt data on infected computers and then extort money from victims in return for decrypting the content. Security analysts believe that such programs have helped cybercriminals extort tens of millions of dollars from individuals and businesses around the world over the past two years.

Operations like Kofer indicate that the problem may be about to get worse. “If the Kofer variants are in fact coming from a single source, then this can indicate the commoditization of ransomware at a whole new scale,” said Uri Sternfeld, senior security researcher at Cybereason, in a statement accompanying the report.

Threat Commoditization

Kofer is the second instance in recent months where security researchers have discovered attempts by cybercriminals to make malware tools more easily available in underground markets. Earlier this year, a security researcher at McAfee discovered what amounted to a do-it-yourself service called Tox for building and distributing malware.

The service allows almost anyone to obtain a ransomware kit for free simply by registering with the Tox website and entering a few basic details, such as the desired ransom amount and a reason for wanting to deploy the tool. Once the details are submitted, the would-be criminal is provided with a 2 MB executable file that is ready to be deployed against targets. The tool itself is free, but the site that generates the kit retains a 20 percent cut of any ransom paid by victims of the attackers who use it.

Users can avoid many types of ransomware by taking measures to protect data and guard networks. But as these tools continue to get more advanced, security professionals will have to enhance their defenses, as well.

More from

Cloud Threat Landscape Report: AI-generated attacks low for the cloud

2 min read - For the last couple of years, a lot of attention has been placed on the evolutionary state of artificial intelligence (AI) technology and its impact on cybersecurity. In many industries, the risks associated with AI-generated attacks are still present and concerning, especially with the global average of data breach costs increasing by 10% from last year.However, according to the most recent Cloud Threat Landscape Report released by IBM’s X-Force team, the near-term threat of an AI-generated attack targeting cloud computing…

Testing the limits of generative AI: How red teaming exposes vulnerabilities in AI models

4 min read - With generative artificial intelligence (gen AI) on the frontlines of information security, red teams play an essential role in identifying vulnerabilities that others can overlook.With the average cost of a data breach reaching an all-time high of $4.88 million in 2024, businesses need to know exactly where their vulnerabilities lie. Given the remarkable pace at which they’re adopting gen AI, there’s a good chance that some of those vulnerabilities lie in AI models themselves — or the data used to…

FBI, CISA issue warning for cross Apple-Android texting

3 min read - CISA and the FBI recently released a joint statement that the People's Republic of China (PRC) is targeting commercial telecommunications infrastructure as part of a significant cyber espionage campaign. As a result, the agencies released a joint guide, Enhanced Visibility and Hardening Guidance for Communications Infrastructure, with best practices organizations and agencies should adopt to protect against this espionage threat. According to the statement, PRC-affiliated actors compromised networks at multiple telecommunication companies. They stole customer call records data as well…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today