New version of ransomware variant chooses between encryption and crypto mining
Security company Kaspersky Lab has found a new variant of the so-called Rakhni ransomware. Once this malware is on a system, it can choose whether to encrypt files or use the CPU for cryptocurrency mining.
Kaspersky writes that the malware mainly targets Russian users and that the distribution takes place via emails with a malicious attachment. Once the malware is on a system, it checks, among other things, for a virtual machine, which could indicate that someone is trying to analyze the malware. A check is then made to see whether the folder ‘bitcoin’ is present in the folder ‘AppData’. If so, the malware decides to encrypt the files on the system using the usual ransomware method. The assumption is then likely that the victim has a bitcoin wallet that represents a certain value.
If that folder is not present and the CPU of the infected system has more than two logical cores, the malware chooses to install the cryptominer. Because mining takes place with the CPU, the malware chooses a cryptocurrency that is suitable for it. In this case, that’s Monero and Monero Original. According to Kaspersky, there are indications that in the latter case the GPU is used, because a folder ‘cuda’ is created. There is also the option to mine Dashcoin. There is also a third option, which is chosen if there is only one logical core. In that case, the malware activates a worm component, which attempts to spread to other computers on the same network.
The security firm wrote in a recent report that the number of users affected by ransomware fell by 30 percent between 2017 and 2018 compared to the period between 2016 and 2017. In contrast, the number of people affected by miners increased by 44. per cent.
Malicious Word attachment asking victims to open fake PDF document