July 9, 2015 By Jaikumar Vijayan 3 min read

Like many other malware products, ransomware tools, too, are becoming increasingly commoditized and available in handily packaged, ready-to-use forms.

The latest evidence of the trend comes from researchers at Cybereason Labs, who discovered a massive operation for distributing the malware with advanced persistent threat-like capabilities to Internet users around the world.

Operation Kofer

The researchers dubbed it Operation Kofer and have described it as the first to incorporate a nation-state level of complexity. A review of several Kofer variants from around the world suggested a single group of threat actors is behind the operation, according to the report “Operation Kofer: Mutating Ransomware Enters the Fray.”

All the variants that Cybereason sourced from sensors shared the same packaging and delivery techniques. But what makes Kofer noteworthy is the method the group uses to prevent its malware from being detected by conventional signature and hash-based techniques, the report noted.

Each variant incorporated enough random variables to sufficiently differentiate itself from others, making them hard to detect with a single signature or hash. The Kofer malware samples that Cybereason examined suggested that the threat actors behind the operation used some sort of algorithm to automatically mix and match different components when building each variant.

Common Attributes

Though each Kofer sample examined had a different hash and unique characteristics, they all also shared several common attributes. For example, the variants presented a fake icon, typically that of a PDF document. All the variants also used an innocuous-sounding file name, presumably to fool users into clicking.

In each case, the payload was stored in encrypted format as a harmless-looking resource inside a Portable Executable (PE). The threat actors behind the campaign also added several random dialogue boxes, strings and bitmaps to make the malicious files seem even more harmless to malware detection tools. Some of the variants that Cybereason examined were even designed to stop running if they were being opened inside a sandbox.

The actual ransomware payload was either CryptoWall 3.0 or Crypt0L0cker. Both malware tools have been widely applied in the past against Internet users around the world.

Ransomware Is a Growing Threat

This type of malware is a growing threat to Internet users. The tools are basically used to encrypt data on infected computers and then extort money from victims in return for decrypting the content. Security analysts believe that such programs have helped cybercriminals extort tens of millions of dollars from individuals and businesses around the world over the past two years.

Operations like Kofer indicate that the problem may be about to get worse. “If the Kofer variants are in fact coming from a single source, then this can indicate the commoditization of ransomware at a whole new scale,” said Uri Sternfeld, senior security researcher at Cybereason, in a statement accompanying the report.

Threat Commoditization

Kofer is the second instance in recent months where security researchers have discovered attempts by cybercriminals to make malware tools more easily available in underground markets. Earlier this year, a security researcher at McAfee discovered what amounted to a do-it-yourself service called Tox for building and distributing malware.

The service allows almost anyone to obtain a ransomware kit for free simply by registering with the Tox website and entering a few basic details, such as the desired ransom amount and a reason for wanting to deploy the tool. Once the details are submitted, the would-be criminal is provided with a 2 MB executable file that is ready to be deployed against targets. The tool itself is free, but the site that generates the kit retains a 20 percent cut of any ransom paid by victims of the attackers who use it.

Users can avoid many types of ransomware by taking measures to protect data and guard networks. But as these tools continue to get more advanced, security professionals will have to enhance their defenses, as well.

More from

Poland spending $760 million on cybersecurity after attack

3 min read - Visitors to the Polish Press Agency (PAP) website on May 31 at 2 p.m. Polish time were met with an unusual message. Instead of the typical daily news, the state-run newspaper had supposedly published a story announcing that a partial mobilization, which means calling up specific people to serve in the armed forces, was ordered by Polish Prime Minister Donald Tusk beginning on July 1, 2024. Deputy Prime Minister Krzysztof Gawkowski refuted the claim on X (formerly Twitter). His post…

How generative AI Is expanding the insider threat attack surface

3 min read - As the adoption of generative AI (GenAI) soars, so too does the risk of insider threats. This puts even more pressure on businesses to rethink security and confidentiality policies.In just a few years, artificial intelligence (AI) has radically changed the world of work. 61% of knowledge workers now use GenAI tools — particularly OpenAI’s ChatGPT — in their daily routines. At the same time, business leaders, often partly driven by a fear of missing out, are investing billions in tools…

Water facilities warned to improve cybersecurity

3 min read - United States water facilities, which include 150,000 public water systems, have become an increasingly high-risk target for cyber criminals in recent years. This rising threat has demanded more attention and policies focused on improving cybersecurity.Water and wastewater systems are one of the 16 critical infrastructures in the U.S. The definition for inclusion in this category is that the industry must be so crucial to the United States that “the incapacity or destruction of such systems and assets would have a…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today