Like many other malware products, ransomware tools, too, are becoming increasingly commoditized and available in handily packaged, ready-to-use forms.

The latest evidence of the trend comes from researchers at Cybereason Labs, who discovered a massive operation for distributing the malware with advanced persistent threat-like capabilities to Internet users around the world.

Operation Kofer

The researchers dubbed it Operation Kofer and have described it as the first to incorporate a nation-state level of complexity. A review of several Kofer variants from around the world suggested a single group of threat actors is behind the operation, according to the report “Operation Kofer: Mutating Ransomware Enters the Fray.”

All the variants that Cybereason sourced from sensors shared the same packaging and delivery techniques. But what makes Kofer noteworthy is the method the group uses to prevent its malware from being detected by conventional signature and hash-based techniques, the report noted.

Each variant incorporated enough random variables to sufficiently differentiate itself from others, making them hard to detect with a single signature or hash. The Kofer malware samples that Cybereason examined suggested that the threat actors behind the operation used some sort of algorithm to automatically mix and match different components when building each variant.

Common Attributes

Though each Kofer sample examined had a different hash and unique characteristics, they all also shared several common attributes. For example, the variants presented a fake icon, typically that of a PDF document. All the variants also used an innocuous-sounding file name, presumably to fool users into clicking.

In each case, the payload was stored in encrypted format as a harmless-looking resource inside a Portable Executable (PE). The threat actors behind the campaign also added several random dialogue boxes, strings and bitmaps to make the malicious files seem even more harmless to malware detection tools. Some of the variants that Cybereason examined were even designed to stop running if they were being opened inside a sandbox.

The actual ransomware payload was either CryptoWall 3.0 or Crypt0L0cker. Both malware tools have been widely applied in the past against Internet users around the world.

Ransomware Is a Growing Threat

This type of malware is a growing threat to Internet users. The tools are basically used to encrypt data on infected computers and then extort money from victims in return for decrypting the content. Security analysts believe that such programs have helped cybercriminals extort tens of millions of dollars from individuals and businesses around the world over the past two years.

Operations like Kofer indicate that the problem may be about to get worse. “If the Kofer variants are in fact coming from a single source, then this can indicate the commoditization of ransomware at a whole new scale,” said Uri Sternfeld, senior security researcher at Cybereason, in a statement accompanying the report.

Threat Commoditization

Kofer is the second instance in recent months where security researchers have discovered attempts by cybercriminals to make malware tools more easily available in underground markets. Earlier this year, a security researcher at McAfee discovered what amounted to a do-it-yourself service called Tox for building and distributing malware.

The service allows almost anyone to obtain a ransomware kit for free simply by registering with the Tox website and entering a few basic details, such as the desired ransom amount and a reason for wanting to deploy the tool. Once the details are submitted, the would-be criminal is provided with a 2 MB executable file that is ready to be deployed against targets. The tool itself is free, but the site that generates the kit retains a 20 percent cut of any ransom paid by victims of the attackers who use it.

Users can avoid many types of ransomware by taking measures to protect data and guard networks. But as these tools continue to get more advanced, security professionals will have to enhance their defenses, as well.

More from

Bridging the 3.4 Million Workforce Gap in Cybersecurity

As new cybersecurity threats continue to loom, the industry is running short of workers to face them. The 2022 (ISC)2 Cybersecurity Workforce Study identified a 3.4 million worldwide cybersecurity worker gap; the total existing workforce is estimated at 4.7 million. Yet despite adding workers this past year, that gap continued to widen.Nearly 12,000 participants in that study felt that additional staff would have a hugely positive impact on their ability to perform their duties. More hires would boost proper risk…

The Evolution of Antivirus Software to Face Modern Threats

Over the years, endpoint security has evolved from primitive antivirus software to more sophisticated next-generation platforms employing advanced technology and better endpoint detection and response.  Because of the increased threat that modern cyberattacks pose, experts are exploring more elegant ways of keeping data safe from threats.Signature-Based Antivirus SoftwareSignature-based detection is the use of footprints to identify malware. All programs, applications, software and files have a digital footprint. Buried within their code, these digital footprints or signatures are unique to the respective…

How Do Threat Hunters Keep Organizations Safe?

Neil Wyler started his job amid an ongoing cyberattack. As a threat hunter, he helped his client discover that millions of records had been stolen over four months. Even though his client used sophisticated tools, its threat-hunting technology did not detect the attack because the transactions looked normal. But with Wyler’s expertise, he was able to realize that data was leaving the environment as well as entering the system. His efforts saved the company from suffering even more damage and…

The White House on Quantum Encryption and IoT Labels

A recent White House Fact Sheet outlined the current and future U.S. cybersecurity priorities. While most of the topics covered were in line with expectations, others drew more attention. The emphasis on critical infrastructure protection is clearly a top national priority. However, the plan is to create a labeling system for IoT devices, identifying the ones with the highest cybersecurity standards. Few expected that news. The topic of quantum-resistant encryption reveals that such concerns may become a reality sooner than…