Ransomware Campaign Alters Variants to Evade Detection

A new, recently uncovered operation has purportedly been mutating versions of ransomware to better avoid getting detected.

A recently uncovered operation has been mutating versions of ransomware to better avoid getting detected.

As part of the campaign, which researchers from Cambridge-based Cybereason have dubbed Kofer, attackers are tweaking certain variables of ransomware like CryptoWall 3.0 and Crypt0L0cker to evade static signature or hash-based detection.

While the malware variants are different, researchers have deduced that they’re being altered by one, singular group.

“We believe that they were all created by the same operational group or R&D team using an automated algorithm to ‘mix and match’ together different components, forming a completely new variation each time,” the firm said in a report published Wednesday.

As a whole the variables look similar. Researchers with the firm insist that in addition to having the same appearance, the malware is being delivered the same way as well. Each one masquerades as a PDF document and comes complete with fake icons and file names in hopes that an unsuspecting user will open the file.

The attackers are simply changing bits and pieces of the malware here and there for each new target.

That includes encrypting the payload to make it look benign, thwarting sandbox detection, and deleting the original executable after it runs.

It’s unclear exactly how widespread the Kofer operation has become, but researchers claim they’ve seen variants that have targeted Spanish, Polish, Swiss and Turkish organizations, among others, suggesting that it may be a Euro-centric threat.

The concept of a ransomware crew using constantly changing techniques to alter a malware’s footprint is a relatively new concept.

“If the Kofer variants are in fact coming from a single source, then this can indicate the commoditization of ransomware at a whole new scale,” Uri Sternfeld, Cybereason’s Senior Security Researcher, said Wednesday.

Ransomware has been evolving at a fervent pace this year. Teslacrypt, a strain of ransomware that targets gamers, has surfaced over the last few months, as have new campaigns that spread via malvertising, spam, and exploit kits like Magnitude, RIG, and Angler.

Suggested articles