Researchers have come across and analyzed an oddly behaving ransomware variant that
bypasses the victim's C drive and instead targets the device's other drives.
A security researcher who tweets as Mol69 and Bleeping
Computer took a look at the odd behavior presented by AnteFrigus ransomware. Instead
of going after the one place where most people store their most important data,
the C drive, AnteFrigus leaves that area alone to focus on the drives normally assigned
to network storage and removable devices, Bleeping
Computer CEO Lawrence Abrams said.
The ransomware is distributed with the RIG exploit kit using a new Hookads
Once installed, AnteFrigus searches the D, E, F, G, H, and I drives. Even on
these drives the malware is selective, ignoring a number of file types, including
.cmd, .mpa and .dll. Once it gains access to those drives it encrypts the
remaining files.
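The drive-and-extension selection described above determines which files on a host are actually at risk, so a defender's first question is usually "what do I have on mapped drives that this would reach?" The script below is an added example written for this article, not AnteFrigus code or anything published by Bleeping Computer. It models only the rules the article states (drives D through I, with .cmd, .mpa and .dll left alone) and treats the extension match as case-insensitive, which is an assumption. The sample directory tree it scans is constructed inline so that it runs anywhere; on a Windows host you would pass the real drive roots instead.

```python
"""Inventory of files an AnteFrigus-style drive scan would reach (added example)."""
import os
import tempfile
from pathlib import Path

# Drive letters the article says AnteFrigus goes after; C: is deliberately absent.
TARGET_DRIVES = ["D", "E", "F", "G", "H", "I"]
# File types the article says the malware ignores. Case-insensitive matching
# is an assumption made for this example, not a fact taken from the article.
SKIPPED_EXTENSIONS = {".cmd", ".mpa", ".dll"}


def is_targeted(path) -> bool:
    """True if a file falls within the selection rules described in the article."""
    return Path(path).suffix.lower() not in SKIPPED_EXTENSIONS


def drive_roots(letters=TARGET_DRIVES):
    """Root paths to scan on a Windows host, e.g. 'D:\\' for drive D."""
    return [f"{letter}:\\" for letter in letters]


def inventory(roots):
    """Walk every existing root and split its files into targeted / skipped lists."""
    targeted, skipped = [], []
    for root in roots:
        root = Path(root)
        if not root.is_dir():  # an unmapped drive letter simply does not exist
            continue
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                p = Path(dirpath) / name
                (targeted if is_targeted(p) else skipped).append(p)
    return targeted, skipped


def demo():
    """Run the inventory over a constructed tree standing in for one mapped drive."""
    # Constructed sample files; contents are placeholders, not real data.
    sample = {
        "docs/report.docx": b"quarterly figures",
        "docs/backup.cmd": b"@echo off",
        "bin/helper.dll": b"MZ",
        "media/clip.MPA": b"\x00\x00",  # upper-case to exercise the case rule
        "media/photo.jpg": b"\xff\xd8",
        "notes.txt": b"todo",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in sample.items():
            f = Path(tmp) / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_bytes(data)
        targeted, skipped = inventory([tmp])
        return {
            "targeted": sorted(p.name for p in targeted),
            "skipped": sorted(p.name for p in skipped),
        }


if __name__ == "__main__":
    result = demo()
    print("would be encrypted:", result["targeted"])
    print("left alone:        ", result["skipped"])
    # On a real Windows host replace the demo with: inventory(drive_roots())
```

The point of running this against real mapped drives is that the exposure is not the C drive at all: anything on a network share or removable device that is not one of the three skipped types is in scope, which is why the same logic is a useful starting point for deciding what to back up offline.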
At this point a poorly written or translated ransom note appears giving
instructions on how to obtain a decryption key.
"The note will contain a link to the Tor payment site, currently located at
will list the current ransom amount and a bitcoin address to send the payment
to. In our test, the ransom is $1,995 USD and becomes $3,990 after a little
over 4 days as shown below," Abrams wrote.
One theory put forth by Bleeping Computer to explain this behavior is that the attackers are
only interested in hitting devices connected to a business, which are the most likely
to use the secondary drives.
Abrams brought in ethical hacker Vitali Kremez to take a look at the ransomware,
and he concluded that the C drive behavior was due to the ransomware being defective or
still under development.