Unconventional PureLocker ransomware attacking enterprise servers discovered by researchers

Researchers at Intezer Labs and IBM X-Force have discovered an unconventional form of ransomware, which is written in PureBasic and is being used to attack enterprise servers.

Named PureLocker, this ransomware appears to have links with a Malware-as-a-Service provider that has been used by various notorious threat groups, including FIN6 and Cobalt Gang.

"We have named this ransomware PureLocker because it's written in the PureBasic programming language," Michael Kajiloti, a security researcher at Intezer, wrote in a blog post.

While it is unusual for threat actors to write ransomware in PureBasic, there are some benefits associated with this programming language for the attackers.

First, it is very easy to port PureBasic code between Windows, OSX (MacOS) and Linux, which enables attackers to more easily target different platforms.

Second, security firms face difficulty in generating trustworthy detection signatures for PureBasic binaries, helping the malware to evade detection by antivirus security software.

Analysis of PureLocker's code revealed that attackers carefully designed it to evade tracking, hide dubious behaviour in sandbox environments, and masquerade as a Crypto++ cryptographic library. It also uses functions that are usually seen in libraries for music playback.

All these features enable the ransomware to remain undetected by VirusTotal antivirus engines for several weeks.

Researchers currently have no idea how attackers are delivering the ransomware.

The systems that get infected with PureLocker receive a ransom note, dubbed YOUR_FILES.txt, telling victims that they have seven days to pay the ransom, failing which their locked files will become unrecoverable.

Victims are also given an email address to contact the attackers and negotiate a fee for receiving a private key to decrypt their files.

The investigation also uncovered a link between PureLocker ransomware and the loader part of the "more_eggs" backdoor.

The researcher found that they both have COM Server DLL components written in PureBasic, and they also use similar evasion and string encoding/decoding techniques.

The pre-payload stages in both malware are also identical, according to researchers.