New ransomware campaign encrypts files even if the ransom is paid


Nearly 50 Linux and Windows servers have been affected by these attacks

Ransomware attacks became popular (for the worst reasons) within a short span of time. News about attacks such as WannaCry, Petya and NotPetya preceded a substantial increase in the number of small campaigns using similar techniques to extort unsuspecting Internet users. Recently, ethical hacking researchers have disclosed the existence of a new malware that continues NotPetya’s legacy, combining several types of threats in a single attack.

This ethical hacking team, known as Unit 42, named the new malware “Xbash”. It reportedly combines a botnet, ransomware and cryptomining, and targets servers running Linux or Windows. The researchers attribute Xbash to a group called Iron Group, which has already been associated with other ransomware campaigns. The malware is believed to have been first seen in May 2018.

As noted by specialists in ethical hacking from the International Institute of Cyber Security, ransomware is a form of malware that encrypts the files on the victim’s system and demands a ransom in exchange for their restoration. These ransoms are usually paid in Bitcoin so that the transaction is difficult to track; once paid, the attacker is expected to provide the victims with the tools and methods to restore their files.

The problem is that victims don’t always get a satisfactory result. Unit 42 said that Xbash, just like NotPetya, does not actually have any file-restoring functionality. The ransom is still demanded, and 48 victims have paid nearly $6k USD in Bitcoin to the attackers so far, but their files remained encrypted. This suggests that the true aim of the Xbash attack is the destruction of files.

Unit 42 also mentioned that the functions of Xbash vary according to the operating system being attacked. Linux devices are subject to the ransomware features and are also used to build the malware’s botnet. Windows devices, on the other hand, are used for cryptomining and for the attack’s self-spreading. By attacking both operating systems, the Xbash operators make sure to cause as much damage as possible, whichever platform a target is running.

Xbash also has a function that would allow it to scan and compromise an organization’s intranet. This function is not enabled yet, but Unit 42 warned that, if it were, this intranet functionality “could render Xbash even more devastating than it is now”. Internal networks often have weaker security than externally facing ones, and compromising them could allow Xbash to disrupt an organization’s vital services.

Four versions of Xbash have been discovered so far; the researchers say that the campaign is likely still active, as the succession of versions shows that Xbash remains in active development. This development could be used to introduce new features, enable the intranet-targeting feature already present in the malware, or help Xbash better evade detection. Active development means that the threat posed by the malware evolves constantly, so organizations are encouraged to keep their defenses up to date and to back up sensitive information so they are prepared for the worst possible scenario.