Novel DJVU ransomware variant emerges

Attacks involving cracked software have been distributing a novel version of the DJVU ransomware dubbed "Xaro" for its use of the .xaro extension on encrypted files, reports The Hacker News. While DJVU ransomware, which descended from STOP ransomware, has previously been deployed through purportedly legitimate apps and SmokeLoader, the attackers behind Xaro have leveraged PrivateLoader masquerading as the free PDF-writing software CutePDF to spread the new DJVU variant in a bid to facilitate data exfiltration, according to a Cybereason report. Aside from delivering the Vidar information-stealing malware, Xaro was also found to encrypt files and drop a ransom note demanding $980, discounted by 50% if paid within 72 hours. "Threat actors are known to favor freeware masquerading as a way to covertly deploy malicious code. The speed and breadth of impact on infected machines should be carefully understood by enterprise networks looking to defend themselves and their data," said Cybereason researcher Ralph Villanueva.
