Security researchers with Malware Must Die have been tracking a sophisticated new piece of ransomware that may soon be released into the wild.
Originally called PrisonLocker but also known as PowerLocker, the malware has apparently been under development for several months and has been promoted on various hacker forums as well as publicly on Pastebin. Written in C/C++, the malware will, according to its author, encrypt virtually every file on an infected machine – except .exe, .sys, .dll and other system files – using Blowfish. The uniquely generated Blowfish key is then encrypted with a 2048-bit RSA key, the standard hybrid scheme that leaves victims unable to recover their files without the attacker’s RSA private key. The ransomware also encrypts files on shared drives, and it detects virtual machine, debugger and sandbox environments to frustrate analysis.
“You can either approve or deny (resetting the removal clock duration, specified by you during purchase) a payment code, and then unlock/decrypt files on the PC (identified by IP),” according to an announcement of the malware posted on Pastebin.
Calling the malware a natural evolution of CryptoLocker, Bit9 CTO Harry Sverdlove said that he expects more ransomware to appear in 2014.
“Based on the successes and failures of its predecessors, PrisonLocker appears to use more efficient methods of deterring security analysts and threat researchers, such as virtual machine/sandbox detection and more comprehensive disabling of user interaction,” he said. “The techniques used by these types of ransomware attacks are well documented and not necessarily advanced, but they are unfortunately very effective.”
The malware author claims to be willing to sell the malware for about $100 per license. In an ironic twist, Malware Must Die said they were able to tie the malware’s author to a Twitter account @Wenhsl and the security blog Wenhsl[dot]blogspot.com. In the Twitter profile, the user describes himself as an “infosec/malware researcher.”
Andrew Meyer, vice president of intelligence services at CrowdStrike, speculated that the person may have a foot in two worlds – the white hat world and the black hat world.
“He’s probably seeing that being a legitimate security researcher was not as financially-motivating or beneficial as he hoped it might have been, so maybe he’s starting to look into other options,” he said.
He added that posting details of the malware to a public forum was not a smart idea.
“This is not somebody…I would say was maybe as good a criminal as he was a coder perhaps because his operational security was just terrible,” he said.
Malware Must Die urged law enforcement to take a look at the information that has been gathered on the case and the suspect.
“Most malware authors are no different than everyone else – they follow trends that have proven to be successful,” said Sverdlove. “CryptoLocker has garnered a lot of press lately and has been very lucrative for the criminals. That’s a two-for-one win: the attackers get both money and glory, appealing to both criminals and hackers alike. It is inevitable that copycats and variants will follow. CryptoLocker has shown everyone how effective and profitable [ransomware] can be without much effort.”