PureLocker is a rare cross-OS ransomware infection and it’s evaded antivirus detection for months before being described this week, on the 12th of November, by the company Intezer together with IMB X-Force. It’s interesting because it could be converted to work on MacOS.
Portable PureLocker
Like most of the ransomware viruses that we hear about, PureLocker’s operators target businesses and extort them of exorbitant amounts of money, although PureLocker has been acting in secret so far.
Also like most ransomware, PureLocker targets Windows computers and servers. However, it has an advantage – PureLocker is written in the PureBasic language and that makes porting this ransomware to Windows, OS-X, or Linux relatively easy. Indeed, Linux variants of PureLocker are already in use.
Linux is unpopular among individual users (only around 2% of desktops and laptops use it), but this operating system is what’s running supercomputers, databases, and web servers (over 90%). Linux is an essential part of the internet, so extortionists probably see it as an attractive target. Imagine if your cloud software or storage provider was attacked – tat could cause unimaginable damage. Of course, PureLocker isn’t the only Linux ransomware, there’s also Lilocked, which has already disrupted the functioning of some websites.
So with Linux being a target and OS-X being a cousin of Linux, PureLocker can be made to run on Macs, not to mention the Android and Chrome operating systems. And this is why PureLocker being reported all over the Web as a potential threat to Mac users. It’s not a threat right now, it doesn’t seem to be aimed at anyone but big businesses, but it’s good to keep an eye on ransomware developments. After all, this is some of the worst malware out there.
How PureLocker works
PureLocker evaded detection for a long time while still successfully extorting their chosen victims. This ransomware recognizes when it’s being analyzed and hides its malicious features, making it difficult for researchers to study it. Also, PureLocker didn’t try to spread and infect as many victims as possible, which is unusual. Intezer even called PureLocker “rather unorthodox” for its secrecy.
Still, PureLocker works mostly like any ransomware virus:
- It uses hybrid encryption to get the best speed and security while corrupting the files.
- It changes the names of the locked files to add “.CR1” as a second extension.
- And PureLocker leaves behind a ransom note (“YOUR_FILES.txt”) telling the victim to write to a given email address.
YOUR_FILES.txt contents:
#CR1
Alll your files have been encrypted using: AES-256-CBC + RSA-4096.
Shadows copies were removed, original files were overwritten, renamed and deleted using safe methods.
Recovery is not possible without own RSA-4096 private key.Only we can decrypt your files!
…
This ransom note refers to removing shadow copies, which are data used by Windows to record changes made to files. It allows reversing changes to files and could be used to undo decryption if PureLocker did not delete them.
PureLocker’s ransom note also talks about safely deleting and overwriting files, making recovery impossible. This is probably a reference to how some ransomware victims are able to use forensic tools to restore deleted data from their hard drives. PureLocker promises that that won’t work.
PureLocker ransomware distribution
PureLocker is reported to be ransomware as a service (RaaS). That’s scary – it means that multiple groups are distributing this malware. It makes it difficult to predict how the ransomware will infect computers and how to avoid it. Other RaaS infections, like Buran ransomware, show the breadth of infection vectors that one virus can use:
- Phishing emails
- Torrent sites
- Remote Desktop connection hacking
- Exploit kits
- Trojans and backdoors
PureLocker’s attacks against worthy targets probably involve many stages, for example, phishing for credentials, then infiltrating the system through Remote Desktop and planting malware manually. It might involve stealing information, too.
This all can be overwhelming, but the usual advice still applies: PureLocker can’t do anything against properly set up and protected file backups.
Being on the lookout for phishing emails is also important for everyone, as that’s a popular distribution method for some of the most dangerous malware.
Installing security updates is of huge importance, failing to do that condemned many of the infamous WannaCry’s victims.
Securing our browsing process is especially to individual users, who are most vulnerable to malicious ads.
Finally, using a reliable antivirus tool is always helpful.