July 9, 2015 By Jaikumar Vijayan 3 min read

Like many other malware products, ransomware tools, too, are becoming increasingly commoditized and available in handily packaged, ready-to-use forms.

The latest evidence of the trend comes from researchers at Cybereason Labs, who discovered a massive operation for distributing the malware with advanced persistent threat-like capabilities to Internet users around the world.

Operation Kofer

The researchers dubbed it Operation Kofer and have described it as the first to incorporate a nation-state level of complexity. A review of several Kofer variants from around the world suggested a single group of threat actors is behind the operation, according to the report “Operation Kofer: Mutating Ransomware Enters the Fray.”

All the variants that Cybereason sourced from sensors shared the same packaging and delivery techniques. But what makes Kofer noteworthy is the method the group uses to prevent its malware from being detected by conventional signature and hash-based techniques, the report noted.

Each variant incorporated enough random variables to sufficiently differentiate itself from others, making them hard to detect with a single signature or hash. The Kofer malware samples that Cybereason examined suggested that the threat actors behind the operation used some sort of algorithm to automatically mix and match different components when building each variant.

Common Attributes

Though each Kofer sample examined had a different hash and unique characteristics, they all also shared several common attributes. For example, the variants presented a fake icon, typically that of a PDF document. All the variants also used an innocuous-sounding file name, presumably to fool users into clicking.

In each case, the payload was stored in encrypted format as a harmless-looking resource inside a Portable Executable (PE). The threat actors behind the campaign also added several random dialogue boxes, strings and bitmaps to make the malicious files seem even more harmless to malware detection tools. Some of the variants that Cybereason examined were even designed to stop running if they were being opened inside a sandbox.

The actual ransomware payload was either CryptoWall 3.0 or Crypt0L0cker. Both malware tools have been widely applied in the past against Internet users around the world.

Ransomware Is a Growing Threat

This type of malware is a growing threat to Internet users. The tools are basically used to encrypt data on infected computers and then extort money from victims in return for decrypting the content. Security analysts believe that such programs have helped cybercriminals extort tens of millions of dollars from individuals and businesses around the world over the past two years.

Operations like Kofer indicate that the problem may be about to get worse. “If the Kofer variants are in fact coming from a single source, then this can indicate the commoditization of ransomware at a whole new scale,” said Uri Sternfeld, senior security researcher at Cybereason, in a statement accompanying the report.

Threat Commoditization

Kofer is the second instance in recent months where security researchers have discovered attempts by cybercriminals to make malware tools more easily available in underground markets. Earlier this year, a security researcher at McAfee discovered what amounted to a do-it-yourself service called Tox for building and distributing malware.

The service allows almost anyone to obtain a ransomware kit for free simply by registering with the Tox website and entering a few basic details, such as the desired ransom amount and a reason for wanting to deploy the tool. Once the details are submitted, the would-be criminal is provided with a 2 MB executable file that is ready to be deployed against targets. The tool itself is free, but the site that generates the kit retains a 20 percent cut of any ransom paid by victims of the attackers who use it.

Users can avoid many types of ransomware by taking measures to protect data and guard networks. But as these tools continue to get more advanced, security professionals will have to enhance their defenses, as well.

More from

CVE-2023-20078 technical analysis: Identifying and triggering a command injection vulnerability in Cisco IP phones

7 min read - CVE-2023-20078 catalogs an unauthenticated command injection vulnerability in the web-based management interface of Cisco 6800, 7800, and 8800 Series IP Phones with Multiplatform Firmware installed; however, limited technical analysis is publicly available. This article presents my findings while researching this vulnerability. In the end, the reader should be equipped with the information necessary to understand and trigger this vulnerability.Vulnerability detailsThe following Cisco Security Advisory (Cisco IP Phone 6800, 7800, and 8800 Series Web UI Vulnerabilities - Cisco) details CVE-2023-20078 and…

X-Force data reveals top spam trends, campaigns and senior superlatives in 2023

10 min read - The 2024 IBM X-Force Threat Intelligence Index revealed attackers continued to pivot to evade detection to deliver their malware in 2023. The good news? Security improvements, such as Microsoft blocking macro execution by default starting in 2022 and OneNote embedded files with potentially dangerous extensions by mid-2023, have changed the threat landscape for the better. Improved endpoint detection also likely forced attackers to shift away from other techniques prominent in 2022, such as using disk image files (e.g. ISO) and…

The compelling need for cloud-native data protection

4 min read - Cloud environments were frequent targets for cyber attackers in 2023. Eighty-two percent of breaches that involved data stored in the cloud were in public, private or multi-cloud environments. Attackers gained the most access to multi-cloud environments, with 39% of breaches spanning multi-cloud environments because of the more complicated security issues. The cost of these cloud breaches totaled $4.75 million, higher than the average cost of $4.45 million for all data breaches.The reason for this high cost is not only the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today