A new variant of ransomware has been discovered that is able to evade detection by encrypting itself.
Cybersecurity analysts at risk and finance consulting company Kroll recently discovered a variant of the ransomware known as Cactus.
In addition to the usual operation – encrypting files and leaving a ransom note – the malware also has a unique way of evading detection by antivirus programs and endpoint security solutions.
Hard to see
As reported by Bleeping Computer, the ransomware has three main modes of execution, one of which is encryption. Once the payload is deployed, the attackers give the malware a unique AES key that only they know. This key is used to decrypt the ransomware configuration file and the RSA public key needed to encrypt everything else on the target endpoint. The key is provided as a hard-coded hexadecimal string in the encryptor binary.
Decoding the hex string yields encrypted data that the attackers can read only if they have the AES key.
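The detection angle in the description above is that the configuration and RSA public key sit in the binary only as a hex-encoded, AES-encrypted blob. As an added example (not code from the Kroll report or the Bleeping Computer article), the Python script below shows one triage check an analyst can run on a suspect file: pull out long hex strings, decode them, and score the Shannon entropy of the result, since encrypted material decodes to near-random bytes while embedded text or keys in plain form do not. The sample "binary" and both blobs are constructed inline for the demonstration and are not CACTUS material; the hex lengths and entropy threshold are assumed, tunable values. Recovering the actual configuration would additionally require the attacker-supplied AES key and a crypto library, which this example deliberately does not attempt.

```python
import math
import random
import re
from typing import Dict, List

# --- constructed sample data (not real malware bytes) -----------------------
# A seeded generator gives a deterministic stand-in for an AES-encrypted
# configuration blob: 1024 bytes that look random and decode to high entropy.
_rng = random.Random(20240501)
CONSTRUCTED_ENCRYPTED_BLOB = bytes(_rng.getrandbits(8) for _ in range(1024))

# A hex-encoded but unencrypted blob (repeated text) for contrast: low entropy.
CONSTRUCTED_PLAINTEXT_BLOB = (b"ransom note placeholder text " * 9)[:256]

# A toy "binary": a few ordinary strings surrounding the two hex-encoded blobs.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"static const char *cfg = \""
    + CONSTRUCTED_ENCRYPTED_BLOB.hex().encode("ascii") + b"\";\x00"
    + b"note = \""
    + CONSTRUCTED_PLAINTEXT_BLOB.hex().encode("ascii") + b"\";\x00"
    + b"version 1.0 build cafe\x00"
)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 0.0 for empty or constant input, 8.0 for a uniform spread."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts if c)


def find_hex_runs(data: bytes, min_hex_chars: int = 64) -> List[bytes]:
    """Return every run of at least min_hex_chars hex digits found in data."""
    pattern = re.compile(rb"[0-9A-Fa-f]{%d,}" % min_hex_chars)
    return [m.group(0) for m in pattern.finditer(data)]


def triage(data: bytes, min_hex_chars: int = 64, threshold: float = 7.0) -> List[Dict]:
    """Decode each long hex run and flag those whose bytes look encrypted.

    threshold is an assumed cut-off: English text decodes to roughly 4 bits per
    byte, compressed or encrypted data approaches 8, so 7.0 separates them well
    on blobs of a few hundred bytes or more.
    """
    findings = []
    pattern = re.compile(rb"[0-9A-Fa-f]{%d,}" % min_hex_chars)
    for m in pattern.finditer(data):
        run = m.group(0)
        if len(run) % 2:            # a trailing odd digit is not part of the blob
            run = run[:-1]
        decoded = bytes.fromhex(run.decode("ascii"))
        ent = shannon_entropy(decoded)
        findings.append({
            "offset": m.start(),
            "hex_len": len(run),
            "decoded_len": len(decoded),
            "entropy": round(ent, 2),
            "suspicious": ent >= threshold,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_BINARY):
        tag = "ENCRYPTED?" if f["suspicious"] else "plain"
        print(f"offset={f['offset']:6d} bytes={f['decoded_len']:5d} "
              f"entropy={f['entropy']:.2f}  {tag}")
```

Run against a real file by replacing `SAMPLE_BINARY` with `open(path, "rb").read()`. A hit is a lead for further analysis, not proof: legitimate software also embeds hex-encoded certificates and compressed resources, so the flagged offsets are best cross-referenced with the code that consumes them.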
“CACTUS essentially encrypts itself, which makes it harder to detect and helps evade antivirus and network monitoring tools,” Laurie Iacono, Kroll’s deputy managing director of cyber risk, told Bleeping Computer.
Cactus is also interesting because it has multiple encryption modes, including fast mode. If operators choose to run both modes one after the other, files will be encrypted twice and given two file extensions.
Very little is known about Cactus ransomware operations. We don’t know if any companies are currently under attack or are negotiating a payout. Although unconfirmed, some reports claim the group is making “millions” by demanding payouts. We also don’t know how successful the group has been in the past.
As always, the best way to protect against ransomware is to keep your software and hardware up-to-date, set up cybersecurity solutions, and train your employees on the risks of phishing and social engineering attacks.
By: Bleeping Computer