Cybersecurity specialists have recently noticed a lot of old malware, such as SmokeLoader and Zacinlo, coming back to life in updated variants, most of them adding crypto miners to their other functions. The good old Rakhni (from 2013) was caught by Kaspersky Lab experts doing the same. Rakhni's developers fell for the crypto trend and enhanced the ransomware with a crypto miner and the ability to encrypt the virtual wallet's private keys.
How the new Rakhni is different
If you remember Rakhni from its early days, it was a simple ransomware: it got onto systems, encrypted files and asked for a fee in cryptocurrency. It didn't have much success back then, and Kaspersky soon released a decryption tool, which for a long time stopped the attackers from profiting from the locked victim's computer. Currently, the Rakhni virus has been observed using different encryption than before, both symmetric and asymmetric ciphers, with a set of 18 symmetric algorithms being the most commonly used.
When it comes to crypto coins, Rakhni has two brand new approaches. That is not surprising when statistics show that crypto mining increased 45% over the last year, with 2.7 million cases worldwide. First, the Rakhni ransomware looks for the Bitcoin data directory %AppData%\Bitcoin and any information stored there, such as wallet addresses. If the virus finds it, it launches the ransomware module to begin encryption and locks the wallet data just like other personal files (pictures, videos, documents), expecting that the victim will be willing to pay the ransom to get their crypto savings back.
If the user doesn't have such a folder, the second feature comes into play. If the machine is powerful enough, the Rakhni virus connects to a remote server run by the crooks and downloads a miner (similar in working principle to XMRig) that mines Monero, Monero Original and Dashcoin. Most surprising is that this ransomware, or better said trojan, is able to pick whichever option is most profitable for it and then act according to the environment.
Where Rakhni has been active
For distribution, this time the ransomware targeted Slavic regions such as Russia, Ukraine and Kazakhstan, not forgetting the easy targets Germany and India.
While malspam emails are the most popular way of spreading, the Rakhni family also includes a remote technique that requires no user interaction to complete the setup, though it is not seen as commonly as emails with a .doc Word attachment containing the malware.
Once the malicious file (usually posing as a resume, invoice or financial document) is opened, the embedded PDF appears and asks the user to enable editing. If you do, then instead of a PDF you launch the virus executable, still camouflaged as 'AdobeReaderPlugin.exe', which installs Rakhni while showing a fake error telling the user that the plugin could not be installed. By then the malicious activity has already started in the background.
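The infection chain above gives defenders two observable behaviours: an Office document spawning an executable from a user-writable directory (or one named like the 'AdobeReaderPlugin.exe' lure), and a process other than a wallet client touching the %AppData%\Bitcoin directory. The following script is an added example written for this article, not code from Kaspersky or the Securelist write-up; it runs two such detection rules over a few constructed, Sysmon-like telemetry records. The event field names (type, parent, image, target) and the allowlists are assumptions made for the example and would need tuning against real telemetry.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry (not real logs) in a simplified, Sysmon-like shape.
# Field names are an assumption for this example.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Word opens a document and launches an executable dropped into %TEMP%,
    # named after the lure described in the article.
    {"type": "process_create",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Users\alice\AppData\Local\Temp\AdobeReaderPlugin.exe"},
    # Benign: the real Adobe Reader started from Explorer.
    {"type": "process_create",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"},
    # The dropped binary reads the Bitcoin wallet directory (%AppData% expands to Roaming).
    {"type": "file_access",
     "image": r"C:\Users\alice\AppData\Local\Temp\AdobeReaderPlugin.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Bitcoin\wallet.dat"},
    # Benign: the wallet client itself reads its own data.
    {"type": "file_access",
     "image": r"C:\Program Files\Bitcoin\bitcoin-qt.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Bitcoin\wallet.dat"},
]

# Office processes that should not be launching executables at all.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Lure file name taken from the article.
LURE_NAMES = {"adobereaderplugin.exe"}
# User-writable locations a legitimate Adobe component is never launched from.
USER_WRITABLE = re.compile(r"\\appdata\\(local\\temp|roaming)\\", re.IGNORECASE)
# The wallet data directory Rakhni looks for.
WALLET_DIR = re.compile(r"\\appdata\\roaming\\bitcoin\\", re.IGNORECASE)
# Processes expected to touch wallet data (assumed allowlist, tune for your estate).
WALLET_ALLOWLIST = {"bitcoin-qt.exe", "bitcoind.exe"}


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Apply both rules and return (rule_name, offending_process) pairs."""
    alerts: List[Tuple[str, str]] = []
    for ev in events:
        proc = basename(ev["image"])
        if ev["type"] == "process_create":
            parent = basename(ev["parent"])
            suspicious_child = proc in LURE_NAMES or USER_WRITABLE.search(ev["image"])
            if parent in OFFICE_PARENTS and suspicious_child:
                alerts.append(("office_spawned_suspicious_exe", proc))
        elif ev["type"] == "file_access":
            if WALLET_DIR.search(ev["target"]) and proc not in WALLET_ALLOWLIST:
                alerts.append(("non_wallet_process_touched_bitcoin_dir", proc))
    return alerts


if __name__ == "__main__":
    for rule, proc in detect(SAMPLE_EVENTS):
        print(f"ALERT {rule}: {proc}")
```

The first rule catches the lure regardless of what the dropped file is called, because an Office parent launching anything from %AppData% or %TEMP% is abnormal on its own; the second rule is what would fire when the wallet-encryption branch described above is chosen, so the two together cover both halves of the malware's decision.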
Is there a solution for Rakhni miner-locker
At the moment Kaspersky offers a decryption tool for an older version of the Rakhni ransomware that you could try. We are not sure whether it works for the newest upgraded virus because of the improved ciphers, but it doesn't hurt to try. As for the miner, it would be best to get an antivirus or other malware removal tool, such as Spyhunter, and take care of any spyware on your PC.
Make sure to read the prevention guide to learn how to avoid Rakhni ransomware, stay aware and don't open any suspicious email attachments, and check whether your computer is being used as a crypto miner.
Source: securelist.com.