Security researchers have come across and analyzed an oddly behaving ransomware variant that bypasses the victim’s C drive instead targeting the device’s other drives.
An analyst who tweets under Mol69 and Bleeping Computer took a look at the odd behavior presented by AnteFrigus ransomware. Instead of going after the one place where most people store their most important data, the C drive, AnteFrigus leaves that area alone to focus the drives normally connected to network storage and removable devices, Bleeping Computer CEO Lawrence Abrams said.
The ransomware is distributed with the RIG exploit kit using a new Hookads malvertising campaign.
Once installed AnteFrigus searches out the D, E, F, G, H, and I drives. And even on these drives the malware is picky ignoring a slew of file types, including, cmd, mpa and dll. Once it does gain access to those drives it will encrypt the files it desires.
At this point a very poorly written or translated ransom note appears giving instructions on how to receive a decryption key.
“This ransom note will contain a link to the Tor payment site, currently located at https://yboa7nidpv5jdtumgfm4fmmvju3ccxlleut2xvzgn5uqlbjd5n7p3kid.onion/, which will list the current ransom amount and a bitcoin address to send the payment to. In our test, the ransom is $1,995 USD and becomes $3,990 after a little over 4 days as shown below,” Abrans wrote.
One theory put forth by Bleeping Computer to explain this behavior is the attackers are only interested in hitting devices connected to a business and thus most likely to use the secondary drives.
However, Abrams brought in ethical hacker Vitali Kremez to take a look at the ransomware and he concluded the C drive issue was due to the ransomware being defective or still under development.