Researchers at Malwarebytes Labs are taken with what they deem a “beautifully designed GUI,” but there’s no doubting the seriousness of a new ransomware.
Maktub Locker targets victim computers via a spam campaign disguised as a terms-of-service update, according to a post on the Malwarebytes blog. The email carries an attachment whose name spoofs that of an actual document, and it includes a document-like icon. In what the post calls “an interesting trick,” the ransomware does, in fact, display a document: a fake TOS update in .rtf format. But while victims take a look, the malicious program begins its work in the background and encrypts the user’s files.
The code is executed in a way meant to evade tools intended to recognize malicious behavior. It is then overwritten by fresh code to further disguise the program.
Maktub Locker has clearly been written by seasoned pros, the researchers conclude, likely a team consisting of people with various skills.