Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

This devious new ransomware encrypts itself to avoid your antivirus

Ransomware attack on a computer

A new ransomware variant has been detected that is able to evade detection by encrypting itself.

Cybersecurity researchers from risk and financial advisory solutions firm Kroll recently discovered a variant of the ransomware known as Cactus. 

Besides the usual operation - encrypting files and leaving behind a ransom note - the malware also has a unique way to avoid getting detected by antivirus programs and endpoint security solutions. 

Hard to spot

As reported by BleepingComputer, the ransomware has three main modes of execution, one of which is encryption. Once the payload is deployed, the attackers would provide the malware a unique AES key only they know. This key is used to decrypt the ransomware’s configuration file and the public RSA key they need to encrypt everything else on the target endpoint. The key comes as a HEX string hardcoded in the encryptor’s binary. 

By decoding the HEX string, the attackers obtain encrypted data which they can read if they have the AES key. 

“CACTUS essentially encrypts itself, making it harder to detect and helping it evade antivirus and network monitoring tools,” Laurie Iacono, Associate Managing Director for Cyber Risk at Kroll, told Bleeping Computer.

What also makes Cactus interesting is that it has multiple modes of encryption, including a quick mode. If the operators decide to run both modes one after the other, the files will be encrypted twice and will get two file extensions. 

Very little is known about the Cactus ransomware operation. We don’t know if any businesses are currently being attacked, or are negotiating a payout. Although unconfirmed, some reports claim the group asks for “millions” when demanding payouts. We also don’t know how successful the group was in the past. 

As usual, the best way to protect against ransomware is to patch both software and hardware regularly, have cybersecurity solutions set up, and train your workforce on the dangers of phishing and social engineering attacks.

Via: BleepingComputer

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.