Like many other malware products, ransomware tools, too, are becoming increasingly commoditized and available in handily packaged, ready-to-use forms.
The latest evidence of the trend comes from researchers at Cybereason Labs, who discovered a massive operation for distributing the malware with advanced persistent threat-like capabilities to Internet users around the world.
The researchers dubbed it Operation Kofer and have described it as the first to incorporate a nation-state level of complexity. A review of several Kofer variants from around the world suggested a single group of threat actors is behind the operation, according to the report “Operation Kofer: Mutating Ransomware Enters the Fray.”
All the variants that Cybereason sourced from sensors shared the same packaging and delivery techniques. But what makes Kofer noteworthy is the method the group uses to prevent its malware from being detected by conventional signature and hash-based techniques, the report noted.
Each variant incorporated enough random variables to sufficiently differentiate itself from others, making them hard to detect with a single signature or hash. The Kofer malware samples that Cybereason examined suggested that the threat actors behind the operation used some sort of algorithm to automatically mix and match different components when building each variant.
Though each Kofer sample examined had a different hash and unique characteristics, they all also shared several common attributes. For example, the variants presented a fake icon, typically that of a PDF document. All the variants also used an innocuous-sounding file name, presumably to fool users into clicking.
In each case, the payload was stored in encrypted format as a harmless-looking resource inside a Portable Executable (PE). The threat actors behind the campaign also added several random dialogue boxes, strings and bitmaps to make the malicious files seem even more harmless to malware detection tools. Some of the variants that Cybereason examined were even designed to stop running if they were being opened inside a sandbox.
The actual ransomware payload was either CryptoWall 3.0 or Crypt0L0cker. Both malware tools have been widely applied in the past against Internet users around the world.
Ransomware Is a Growing Threat
This type of malware is a growing threat to Internet users. The tools are basically used to encrypt data on infected computers and then extort money from victims in return for decrypting the content. Security analysts believe that such programs have helped cybercriminals extort tens of millions of dollars from individuals and businesses around the world over the past two years.
Operations like Kofer indicate that the problem may be about to get worse. “If the Kofer variants are in fact coming from a single source, then this can indicate the commoditization of ransomware at a whole new scale,” said Uri Sternfeld, senior security researcher at Cybereason, in a statement accompanying the report.
Kofer is the second instance in recent months where security researchers have discovered attempts by cybercriminals to make malware tools more easily available in underground markets. Earlier this year, a security researcher at McAfee discovered what amounted to a do-it-yourself service called Tox for building and distributing malware.
The service allows almost anyone to obtain a ransomware kit for free simply by registering with the Tox website and entering a few basic details, such as the desired ransom amount and a reason for wanting to deploy the tool. Once the details are submitted, the would-be criminal is provided with a 2 MB executable file that is ready to be deployed against targets. The tool itself is free, but the site that generates the kit retains a 20 percent cut of any ransom paid by victims of the attackers who use it.
Users can avoid many types of ransomware by taking measures to protect data and guard networks. But as these tools continue to get more advanced, security professionals will have to enhance their defenses, as well.