A duo of ransomware demonstrates their evolution

Two new ransomware strands to remain aware of

From above of crop anonymous male hacker typing on netbook with data on screen while sitting at desk

What’s worse than ransomware? Ransomware that’s evolving. We’ve often brought up the different threat campaigns presented by ransomware, and even discussed RaaS (ransomware as a service). It doesn’t take a master to use these tools either, a fairly savvy script kiddie can pull together a ransomware strike with enough patience.

Now, a report by Trend Micro has put two new ransomware variants on stage: AlumniLocker and Humble. They share traits with traditional ransomware campaigns but also create variances making them stand out. There are, though, some expected characteristics. For instance, their prime goal is no different than other ransomware campaigns: holding data hostage for a lump sum payment.

But there are other things to note.

The ransomware

AlumniLocker is what one would call ambitious. When it successfully deploys against a target, the hackers demand a ransom payment of 10 bitcoin, equivalent to $450,000 USD. Like most ransomware, it starts with phishing emails. Specifically, the sender creates a PDF invoice claiming damages or payment. The attachments contain a ZIP archive file, and if opened, a PowerShell execution occurs and compromises the recipient system. 

Post-delivery, the attackers correspond with a growing trend amongst hackers: threatening to publish data if their demands aren’t met. In this case, the time period is 48 hours.

Amusingly, the report pointed out several other characteristics of the AlumniLocker ransomware. One is that the ransom demand is considerably high. Most ransomware targets are unlikely to meet that demand if they can even afford it. Considering numerous targets of ransomware are medium-sized businesses, this is a reasonable assumption. In another interesting turn, links to their website included in the schemes are reported as unavailable (or were), which demonstrates a novice approach to ransomware.

Though it doesn’t take away from the dangers presented by this brand of ransomware, it shows that newcomers to the malware game are capable of mistakes. 

Humble, in contrast, is quite different. Experts observe it may be after individuals instead, as their ransom demand is 0.002 Bitcoins or the equivalent of $10 USD. Given that an amount so small makes little sense against a business, individual users are susceptible to this attack.

Other ransomware traits

While the Humble ransomware asks for a lower amount, it takes a very dangerous approach to achieve success. According to reports, messages on an infected system indicate the ransomware will erase data and the MBR (master boot system). Effectively, it would render the system useless. 

Another odd trait about the malware is its execution method, done via Batch file. It also uses Discord to communicate with victims, software typically used for gaming voice chat.

Essentially, it demonstrates the continued rise in ransomware popularity amongst malicious groups of varying sizes. With only a limited amount of knowledge required to deploy them and their clear financial gain, ransomware is here to stay for the foreseeable future. 

Preventing ransomware attacks

Now of course comes the key question: how do you stop ransomware attacks? Much like any malware attack, it pays to be extra cautious of unusual messages.

Again, ransomware takes advantage of phishing schemes and social engineering. Normally, emails or instant messages will contain links and cover “sensitive” subject material related to accounts or income, attempting to provoke a hasty response. Understanding how to recognize these suspicious messages is part of the challenge, but fortunately, not impossible.

If you’re not sure about best practices or policies, you can also get help. Contact Bytagig today to learn how we can assist your enterprise.

Share this post: