C drive gets no love from AnteFrigus ransomware – Digitalmunition


Published on November 14th, 2019



Security researchers have come across and analyzed an oddly behaving ransomware variant that bypasses the victim's C drive and instead targets the device's other drives.

An analyst who tweets under Mol69 and Bleeping Computer took a look at the odd behavior presented by AnteFrigus ransomware. Instead of going after the one place where most people store their most important data, the C drive, AnteFrigus leaves that area alone and focuses on the drive letters normally assigned to network storage and removable devices, Bleeping Computer CEO Lawrence Abrams said.

The ransomware is distributed with the RIG exploit kit using a new Hookads malvertising campaign.

Once installed, AnteFrigus searches out the D, E, F, G, H, and I drives. Even on these drives the malware is picky, ignoring a slew of file types, including cmd, mpa and dll. Once it does gain access to those drives it encrypts the files it is after.

At this point a very poorly written or translated ransom note appears, giving instructions on how to receive a decryption key.

"This ransom note will contain a link to the Tor payment site, currently located at http://yboa7nidpv5jdtumgfm4fmmvju3ccxlleut2xvzgn5uqlbjd5n7p3kid.onion/, which will list the current ransom amount and a bitcoin address to send the payment to. In our test, the ransom is $1,995 USD and becomes $3,990 after a little over 4 days as shown below," Abrams wrote.

One theory put forth by Bleeping Computer to explain this behavior is that the attackers are only interested in hitting devices connected to a business, which are the ones most likely to use the secondary drive letters.

Abrams brought in ethical hacker Vitali Kremez to take a look at the ransomware, and he concluded that the C drive behavior was due to the ransomware being defective or still under development.
