Researchers at Cylance removed some of the mystery surrounding the new ransomware AlphaLocker after accessing its configuration files and subsequently pulling up its admin interface.
According to an analysis on Cylance's website, the cybersecurity firm's researchers were able to find acommand and control server actively distributing AlphaLocker, in which the config and support files were not only still present, but also unencrypted and in English. Pulling no punches, the analysis called these “silly oversights,” and said this allowed researchers to get a rare inside glimpse at a ransomware kit's admin panels.
“We wanted to highlight the fact that we had a little bit of extra access to this. We figured out… how to log in and see what the actual control panels look like,” said Jim Walter, senior researcher at SPEAR, Cylance's advanced research arm. “While the servers we had access to didn't have a whole lot of hosts in their database, we were still itching to see what was available” in terms of features, particularly from an attacker's perspective, he added.
While technically a researcher could simply purchase the malware and see what its user controls look like, such measures are often eschewed by white hats because they are considered unethical.
First detected in March, AlphaLocker is one of about 20 to 40 families of ransomware whose origins lie in the EDA2 project, explained Walter. EDA2 was an academic, open-source ransomware exercise that was quickly put to practical use by cybercriminals shortly after the proof of concept was published.
“We hadn't heard a lot about EDA2 derivatives in a couple of months,” said Walter. “It almost seemed like it was calming down at first. We wanted to call attention to the fact that there were still derivatives being used and, if anything, they're on the rise in the marketplace and in the wild.”
Offered on the black market as a turnkey solution, AlphaLocker's key attributes is its relative affordability and flexibility. The ransomware debuted with a price point of $65 in bitcoins — Walter said the price recently jumped to $100 — and buyers have a range of choices in terms admin panel options and customizable features, as they hone in on their ideal distribution strategy.
“You could say that we're starting to see [ransomware] prices go down in general,” including some free or freemium options, said Walter. Still, he noted, AlphaLocker is “pretty cheap compared to some of the other things we've found on the market, which range from a couple hundred to a couple thousand.”
By reverse engineering the exposed files and code — the authors of which appear to be Russian, according to the analysis—Cylance was able to pull up AlphaLocker's login page and control panel. The latter allows attackers to view and manage the status of all infected and encrypted hosts via an intuitive dashboard. Stats and maintenance settings are also accessible.
When executed, the malware locks victims' files with their own unique RSA-encrypted AES keys, and typically modifies the desktop background on the infected computer to announce its presence.