This devious new ransomware encrypts itself to avoid your antivirus

Ransomware attack on a computer
(Image credit: Kaspersky)

A new ransomware variant has been detected that is able to evade detection by encrypting itself.

Cybersecurity researchers from risk and financial advisory solutions firm Kroll recently discovered a variant of the ransomware known as Cactus. 

Besides the usual operation - encrypting files and leaving behind a ransom note - the malware also has a unique way to avoid getting detected by antivirus programs and endpoint security solutions. 

Hard to spot

As reported by BleepingComputer, the ransomware has three main modes of execution, one of which is encryption. Once the payload is deployed, the attackers supply the malware with a unique AES key that only they know. This key is used to decrypt the ransomware’s configuration file and the public RSA key needed to encrypt everything else on the target endpoint. The encrypted data itself ships as a hex string hardcoded in the encryptor’s binary.

Decoding the hex string yields only encrypted data, which can be read solely by whoever holds the AES key; without it, a scanner inspecting the binary sees an opaque blob rather than a recognisable configuration or key.
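The reason this trick defeats signature-based scanning is that the binary no longer contains a readable configuration or RSA public key, only a long hexadecimal string whose decoded bytes look like random noise. One defensive triage heuristic is therefore to look for exactly that artefact: long hex runs embedded in an executable whose decoded content has ciphertext-like entropy. The script below is an added illustration written for this article, not code from Kroll or from the Cactus analysis; the sample "binary", the size and entropy thresholds, and the placeholder file extension are all constructed for the example.

```python
import math
import random
import re
from typing import List, Tuple

# Assumed tuning values for this illustration (not from the Kroll report):
# ignore decoded blobs smaller than this, and treat anything above the
# entropy threshold (bits per byte, max 8.0) as ciphertext- or compressed-like.
MIN_BLOB_BYTES = 256
ENTROPY_THRESHOLD = 7.0

# A run of at least 512 hex characters decodes to at least 256 bytes.
HEX_RUN = re.compile(rb"[0-9A-Fa-f]{512,}")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def find_hex_blobs(binary: bytes) -> List[Tuple[int, int, float]]:
    """Return (offset, decoded_length, entropy) for every long hex run found."""
    results = []
    for m in HEX_RUN.finditer(binary):
        run = m.group(0)
        if len(run) % 2:          # odd-length run: drop the trailing nibble
            run = run[:-1]
        decoded = bytes.fromhex(run.decode("ascii"))
        results.append((m.start(), len(decoded), shannon_entropy(decoded)))
    return results


def suspicious_blobs(binary: bytes) -> List[Tuple[int, int, float]]:
    """Keep only blobs that are both large and high-entropy, i.e. look encrypted."""
    return [
        r for r in find_hex_blobs(binary)
        if r[1] >= MIN_BLOB_BYTES and r[2] >= ENTROPY_THRESHOLD
    ]


def build_sample() -> bytes:
    """Constructed stand-in for an encryptor binary containing two hex blobs:
    one that mimics an AES-encrypted config (random bytes, high entropy) and one
    that is merely hex-encoded plaintext (low entropy, should not be flagged)."""
    rng = random.Random(2023)   # seeded so the sample is reproducible
    ciphertext_like = bytes(rng.getrandbits(8) for _ in range(1024))
    # Placeholder JSON with a made-up extension; nothing here is a real IoC.
    plain_config = b'{"note":"README.txt","ext":".locked"}' * 10
    return (
        b"MZ\x90\x00" + b"\x00" * 64          # fake header / padding
        + b"--config--" + ciphertext_like.hex().encode("ascii")
        + b"\x00" * 32
        + plain_config.hex().encode("ascii")
        + b"\x00" * 16
    )


if __name__ == "__main__":
    sample = build_sample()
    for offset, size, ent in find_hex_blobs(sample):
        verdict = "SUSPICIOUS" if (size >= MIN_BLOB_BYTES and ent >= ENTROPY_THRESHOLD) else "ok"
        print(f"offset=0x{offset:x} decoded={size}B entropy={ent:.2f} -> {verdict}")
```

Run against a real file the same way (`find_hex_blobs(open(path, "rb").read())`). Treat a hit as a reason to look closer, not as a verdict: legitimate software also embeds hex-encoded certificates, compressed resources and random seeds, so the heuristic is for triage and for enriching alerts from your endpoint tooling, not for blocking on its own.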

“CACTUS essentially encrypts itself, making it harder to detect and helping it evade antivirus and network monitoring tools,” Laurie Iacono, Associate Managing Director for Cyber Risk at Kroll, told Bleeping Computer.

What also makes Cactus interesting is that it has multiple modes of encryption, including a quick mode. If the operators decide to run both modes one after the other, the files will be encrypted twice and will get two file extensions. 

Very little is known about the Cactus ransomware operation. We don’t know if any businesses are currently being attacked, or are negotiating a payout. Although unconfirmed, some reports claim the group asks for “millions” when demanding payouts. We also don’t know how successful the group was in the past. 

As usual, the best way to protect against ransomware is to patch both software and hardware regularly, have cybersecurity solutions set up, and train your workforce on the dangers of phishing and social engineering attacks.

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.