Purelocker Ransomware: Working and evasion

Purelocker Ransomware is the latest Ransomware in town and it seems to be designed to specifically target production servers at the enterprise level. The Purelocker Ransomware was detected last week by researchers at Intezer and IBM X-Force.

Upon analysis, they have identified that the Ransomware has been used by Cobalt Gang and FIN6 among other threat groups mainly targeting Windows and Linux based servers. The name Purelocker has been assigned to this Ransomware as it has been written completely using a programming language called Purebasic.

Purebasic is a pretty uncommon programming language but the choice of this particular language by the attackers has to do with the fact that the code written using Purebasic is compatible across multiple platforms like Windows, Linux, and macOS, making it easier for the attackers to target multiple operating systems at once.

Also, since the Purebasic programming language is not that common or popular, the Antivirus companies are finding it difficult to generate reliable and accurate detection engines and signatures to be able to detect the Purelocker Ransomware. This is also part of the reason why the Ransomware went undetected even after being active for several months.

Detection process:

According to the researchers, the initial process involved in analyzing a Windows Sample of the Purelocker Ransomware and they have identified it to be a 32-bit DLL file which was posing as a C++ based cryptography library called Crypto++. The researches become suspicious as some of the functions in the library were related to music playback and controls.

Evasion Techniques:

As mentioned earlier, the Purelocker Ransomware managed to stay undetected by popular Anti Virus engines for the first few weeks after its attack. The attackers managed to stay under the radar by using the Purebasic programming language to write the ransomware instead of using some popular programming language which is widely popular and has several detection signatures already available.

Also, the attackers behind the Purelocker Ransomware has programmed it so that it will only begin its execution in its target attack system after ensuring that it is not being analyzed or used for debugging by anyone. If that is not the case, the Ransomware would automatically exit itself from the target system, without even deleting itself.

The Ransomware also executes from the regsrv32.exe, so it verifies that it is indeed executed by the process, and also that the current year on the target system is 2019 and that it has administrator rights on the system. If any of these checks fail, the ransomware would immediately exit the system as mentioned above, so as to not leave any traces of its functionality or working.

Working of Purelocker Ransomware:

Once the Ransomware performs all the verification checks on the target systems and if it gets the desired results, it will start working by first encrypting all the files on the target system with the AES+RSA combination using a hardcoded RSA Key.

The Ransomware mainly executes the data files on the system.CR1 extension and it mostly ignores the executable files in the target system. It then proceeds to delete all the originals of the files it has encrypted to prevent the user from performing file recovery. Finally, it leaves a ransom note as a text file in the user’s desktop with the name, YOUR_FILES.txt.

While, a traditional Ransomware includes the information about how much Ransom the attackers want the victims to send to them and the means to send that, which is typically a bitcoin-based transaction, the attackers behind the Purelocker Ransomware has instructed the victims to contact them via email instead.

They also seem to use an anonymous and encrypted email service provider for this purpose with different email addresses for each of the victims. Once the attackers communicate with the victims and get their desired ransom amount, they then send the decryption keys to the victims using the same email addresses they have provided for contacting them.

Unconventional ways of Purelocker Ransomware:

Right from using an unconventional programming language like Purebasic to code the Ransomware, its evasion technique, and even the way the Ransomware functions and collects the Ransom from the victims, it is clearly evident that this is different in a lot of ways from the Ransomware that usually are talked about in the news.

This clearly shows that the attackers behind Ransomware are rapidly improving and innovating the ways they use to perform targeted attacks. Therefore, it is important, now more than ever, for us to focus more on the security of our systems and try to be as safe as possible with our data and devices.

Connecting you with your Tech | Posts about Android, iOS, Internet | How to guides, Tips, Tricks, and tutorials