A massive ransomware operation named “Operation Kofer” has hit the wild—with a morphing identity bent on throwing off detection mechanisms.
After examining samples of several Kofer variants sourced from around the world, a team of Cybereason Labs researchers found that they share the same general packaging and delivery techniques, but incorporate random variables in order to avoid static-signature or hash-based detection. This led the team to believe they were all created by the same operational group using an algorithm to mix and match different components, giving ransomware APT-like evasion capabilities.
The analyzed Kofer samples have different hashes and unique characteristics, but share attributes such as fake icons, bogus file names and a distinct packaging pattern that connects what would otherwise appear to be unrelated samples to a single source and operation.
In addition to mechanisms that help them evade detection by sandboxes and dynamic detection tools, Kofer variants also include embellishments that attempt to fool malware researchers.
“The fact that the Kofer variants come from a single source is an indication of the commoditization of ransomware at a whole new scale,” said Uri Sternfeld, senior security researcher at Cybereason. “Operation Kofer appears to be the first “drive-by” ransomware operation to incorporate an APT/nation-state level of complexity, making it an increasing threat to organizations.”
As far as propagation, All of the variants were found and compiled during the last couple of weeks, while new ones are generated every few days, or even hours.
Cybereason believes that Operation Kofer already has a European-wide presence, as the researchers identified variants that targeted Spanish, Polish, Swiss and Turkish organizations, among others.