Security experts at Palo Alto Networks' Unit 42 threat research team have discovered a new strain of ransomware targeting organizations in the Middle East.
Although it seems fairly rudimentary in nature and littered with errors, the ransomware does contain one noteworthy element. Instead of demanding money in exchange for unlocking the encrypted files, it coerces the victim into making a political statement on their website. Specifically, victims are forced to, “create a public sub-domain with a name that would appear to advocate and incite violence against a Middle Eastern political leader.”
This element of the ransomware, as well as the known victims, suggests it is a very targeted attack, Palo Alto said. So far it is known to have infected a Middle East government organization, but no further details have been released by Palo Alto.
Politically motivated cyber-attacks are nothing new; DDoS and network intrusion campaigns are often political. However, Palo Alto researchers say this is the first time they have seen ransomware used in this way.
Sources at another security firm confirmed to Infosecurity Magazine that they’ve never seen this kind of ransomware.
Once running on the infected machine, RanRan displays a ransom message demanding that the victim create the sub-domain and host a .txt file on it, containing a message announcing that the organization has been hacked and an email address through which the attacker can be contacted.
The attackers use a symmetric stream cipher (RC4) with a key that is re-used across files, and when certain files are encrypted the originals are not deleted. Both are serious mistakes: with a stream cipher, reusing a key means every file is XORed with the same keystream, so any file whose original survives next to its encrypted copy reveals that keystream, which in turn decrypts every other file up to that length. “This is due to a number of reasons, one of which being that encryption is attempted against system files and other files that are opened by running processes,” the researchers said.
Errors such as these helped Unit 42 to decrypt data contained within the ransomware.
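To make concrete why a reused RC4 key combined with a surviving original is fatal to the encryption, here is an added Python example. It is not code from Unit 42 or from the RanRan sample: the key, file contents and lengths are constructed for illustration, and the only assumption is that the malware applies plain RC4 under one key with no per-file nonce, which is what a re-used key means for a stream cipher. It goes slightly beyond the article by also showing that two ciphertexts alone leak the XOR of their plaintexts, even when no original survives.

```python
"""
Recovering files encrypted with a reused RC4 key, given one surviving original.

RC4 is a stream cipher: ciphertext = plaintext XOR keystream(key). If the same
key is used for every file (and there is no per-file nonce), every file is
XORed with the same keystream. One file whose original was left on disk
therefore gives the keystream directly, and that keystream decrypts every
other file up to the length of the known pair.

Added example; not the malware's or Unit 42's code. All data below is constructed.
"""
from typing import Tuple


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4 key scheduling (KSA) + output generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):  # KSA: permute S under the key
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):  # PRGA: emit one keystream byte per step
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) `data` under `key`."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


def recover_keystream(known_plaintext: bytes, ciphertext: bytes) -> bytes:
    """plaintext XOR ciphertext cancels the plaintext and leaves the keystream."""
    n = min(len(known_plaintext), len(ciphertext))
    return bytes(p ^ c for p, c in zip(known_plaintext[:n], ciphertext[:n]))


def decrypt_with_keystream(ciphertext: bytes, keystream: bytes) -> Tuple[bytes, int]:
    """Decrypt as far as the recovered keystream reaches.

    Returns (recovered_prefix, bytes_still_unknown). Bytes beyond the known
    keystream cannot be recovered this way; a longer surviving original (or a
    second known-plaintext pair) would be needed for them.
    """
    n = min(len(ciphertext), len(keystream))
    prefix = bytes(c ^ k for c, k in zip(ciphertext[:n], keystream[:n]))
    return prefix, len(ciphertext) - n


# --- constructed demonstration data (hypothetical, not from the real sample) ---
KEY = b"constructed-demo-key"                       # the one reused key
SURVIVING_ORIGINAL = b"MZ\x90\x00" + b"A" * 60      # 64-byte "system file" whose original stayed on disk
DELETED_ORIGINAL = b"Quarterly budget spreadsheet contents (original deleted). " * 2  # 116 bytes, original gone


def run_demo() -> dict:
    """Encrypt two files under the same key, then recover the second using only the first."""
    surviving_ct = rc4(KEY, SURVIVING_ORIGINAL)
    deleted_ct = rc4(KEY, DELETED_ORIGINAL)
    # The analyst holds the surviving original and both ciphertexts, but NOT the key.
    ks = recover_keystream(SURVIVING_ORIGINAL, surviving_ct)
    recovered, unknown = decrypt_with_keystream(deleted_ct, ks)
    # Even with no original at all, XORing two ciphertexts removes the shared
    # keystream and leaks the XOR of the two plaintexts (classic two-time pad).
    ct_xor = bytes(a ^ b for a, b in zip(surviving_ct, deleted_ct))
    pt_xor = bytes(a ^ b for a, b in zip(SURVIVING_ORIGINAL, DELETED_ORIGINAL))
    return {
        "recovered": recovered,                  # first 64 bytes of the deleted file
        "unknown_bytes": unknown,                # 52 bytes lie past the known keystream
        "ciphertext_xor_leaks_plaintext_xor": ct_xor == pt_xor,
    }


if __name__ == "__main__":
    result = run_demo()
    print(result["recovered"].decode())
    print(f"{result['unknown_bytes']} bytes not recoverable from this pair alone")
    print("two-time pad leak confirmed:", result["ciphertext_xor_leaks_plaintext_xor"])
```

The recovered keystream only reaches as far as the longest surviving original, which is why `decrypt_with_keystream` reports how many bytes remain unknown rather than silently truncating; in practice an analyst would collect several surviving originals (system files with predictable headers are ideal) and take the longest. None of this requires the key itself, which is the point: once a stream-cipher key is reused, the key is irrelevant to recovery.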
Researchers also found that RanRan contains publicly available code to enable it to encrypt files. “The reuse of publicly available source code and the mistakes previously outlined suggests this is a rather unsophisticated threat actor,” researchers said.
The ransomware does make an effort to protect itself on the infected system, however. It searches for and closes any window titled ‘task manager’, which makes killing the payload more difficult.
It also periodically searches for and shuts down programs such as Microsoft Outlook, Exchange, SQL, SQL Writer and the Microsoft Exchange Information Store, presumably so that open file handles held by those programs do not disrupt the encryption process.
“RanRan represents an interesting shift in tactics by ransomware. Instead of being purely financially motivated, this specific actor takes a hacktivist approach by attempting to force a Middle Eastern government organization to make a negative public statement against their leader,” Unit 42 concluded.