Kaspersky identifies new ransominer
October 2020 by Kaspersky
Kaspersky researchers have announced the detection of a new infection attempt that uses a common Trojan to give criminals access to the victim's network, from which they can spread ransomware to other network nodes.
In the late summer, Kaspersky researchers noticed a rather curious attempt to infect users' machines. A common Trojan (detected by the company's solutions as Trojan.Win32.Generic) was run to enable Remote Desktop Protocol (RDP) access on the victim's computer. Next, the ransomware Trojan-Ransom.Win32.Crusis was started on the same machine, followed by the loader of the XMRig miner, which then set about mining Monero cryptocurrency. As a result, the computer was already earning money for the cybercriminals by the time the user saw the ransom note. In addition, RDP access allowed the attackers to manually study the victim's network and, if desired, spread the ransomware to other network nodes.
A closer inspection found that in August 2020 alone there were more than 5,000 attempts to install XMRig on users' computers, so the researchers decided to investigate how the miner was being distributed. They found two malware families responsible for its distribution. The first turned out to be the Prometei family (known since 2016, but spotted together with XMRig for the first time in February 2020), while the second was a new family called Cliptomaner. The latter, detected in September 2020, is very similar to the others: like them, it not only mines cryptocurrency but can also substitute cryptowallet addresses in the clipboard.
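The value of the chain described above for a defender is that its stages (RDP being enabled, a ransom note appearing, a miner starting) are individually noisy but rarely occur together on one host within minutes. The following added example, not code from Kaspersky or the article, correlates constructed host telemetry into that chain; the event format, the file-name heuristic for ransom notes, and the miner command-line patterns are assumptions for illustration (the fDenyTSConnections registry value is the standard Windows switch that controls whether RDP connections are accepted).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the article): one event per line,
# "timestamp|host|event_type|detail". ws-17 shows the full chain; ws-22 only
# has RDP enabled, which on its own is routine administration.
SAMPLE_EVENTS = """\
2020-08-03T09:00:01|ws-17|registry_set|HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections=0
2020-08-03T09:00:04|ws-17|file_create|C:\\Users\\bob\\Desktop\\HOW_TO_DECRYPT.txt
2020-08-03T09:00:09|ws-17|process_start|C:\\ProgramData\\svc\\xmrig.exe -o pool.example:3333 -u 4<wallet-placeholder>
2020-08-03T11:30:00|ws-22|registry_set|HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections=0
2020-08-03T15:45:00|ws-22|process_start|C:\\Program Files\\7-Zip\\7z.exe a backup.7z
"""

# One (event_type, regex over detail) pair per stage of the chain. The ransom-note
# and miner patterns are illustrative heuristics, not vendor signatures.
STAGES = {
    "rdp_enabled": ("registry_set", re.compile(r"fDenyTSConnections=0$")),
    "ransom_note": ("file_create", re.compile(r"(?i)(readme|how_to|decrypt|restore)[^\\]*\.(txt|hta|html)$")),
    "miner": ("process_start", re.compile(r"(?i)xmrig|stratum\+tcp|--donate-level")),
}

def parse_events(text):
    """Yield (time, host, event_type, detail) from the pipe-delimited telemetry."""
    for line in text.splitlines():
        if line.strip():
            ts, host, etype, detail = line.split("|", 3)
            yield datetime.fromisoformat(ts), host, etype, detail

def find_ransominer_chains(text, window=timedelta(minutes=30), min_stages=2):
    """Return {host: sorted stage names} for every host on which at least
    `min_stages` distinct chain stages fall inside one sliding `window`."""
    hits = defaultdict(list)  # host -> [(time, stage)]
    for ts, host, etype, detail in parse_events(text):
        for stage, (want_type, pattern) in STAGES.items():
            if etype == want_type and pattern.search(detail):
                hits[host].append((ts, stage))
    flagged = {}
    for host, events in hits.items():
        events.sort()
        best = set()
        for i, (t0, _) in enumerate(events):  # window anchored at each matched event
            stages = {s for t, s in events[i:] if t - t0 <= window}
            if len(stages) > len(best):
                best = stages
        if len(best) >= min_stages:
            flagged[host] = sorted(best)
    return flagged

if __name__ == "__main__":
    for host, stages in find_ransominer_chains(SAMPLE_EVENTS).items():
        print(f"{host}: {' -> '.join(stages)}")
```

Lowering `min_stages` to 1 turns the same logic into a plain per-stage alert, which is what produces the noise the correlation is meant to avoid.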
Kaspersky products are capable of successfully detecting and blocking the threat.
“While well-known groups make money from data theft and ransomware (for example, Maze, which is suspected of the recent attacks on SK Hynix and LG Electronics), many malicious users still want to have a high-profile impact through their cybercrime. These users are often beginners and tend to use publicly available ransomware, targeting ordinary users instead of the corporate sector. As a result, intriguing experiments can be found in the wild,” comments Anton Kuzmenko, security expert at Kaspersky.