In a ransomware first, researchers have identified a campaign that utilizes the same anti-detection methods as sophisticated APT groups.
While "Operation Kofer," as Cybereason calls the group, relies on commonly used payloads, it changes the way in which the ransomware is delivered and packaged in order to avoid detection. To an untrained eye, the group's self-created variants might seem unrelated, especially if not analyzed together.
Kofer generates a new variant for every target, based on an automatic algorithm, which allows the malware to evade signature-based detection as well as sandbox detection.
“Operation Kofer has developed a way to take the existing [ransomware] tools and package them in a way that they can attack and attack and attack, and even sometimes the same victim, with multiple variations,” Uri Sternfeld, senior security researcher at Cybereason, told SCMagazine.com. “Even if [organizations] catch one variant, they won't be able to catch another.”
For example, one variant might attach a .scr file disguised as a resume, bearing an Adobe PDF document icon, to the initial phishing email. Another variant might use the PDF icon, too, but with a different file name and a different ransomware payload.
The ransomware payload, typically Crypt0L0cker or CryptoWall 3.0, also comes packaged with “junk” resources, including dialog boxes and bitmaps, to make the files look larger and more innocuous. Some variants will not run in a virtual machine, and others might delete the original executable after running.
For now, the attackers are primarily targeting European entities, and infections have been spotted in Spain, Turkey, and Poland, among other countries.
Because Kofer remains mostly hidden from signature-based detection, Cybereason suggested monitoring endpoints for the best chance of staving off a ransomware outbreak. Frequent non-local backups were also advised.
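As an added illustration of the endpoint monitoring Cybereason recommends (example code written for this article, not Cybereason's tooling), the detector below runs two behavioural rules drawn from the description above over a few constructed telemetry lines: a launched executable whose name ends in a document extension followed by .scr/.exe, or a .scr started from a user-writable folder, and a process (or its spawned child) deleting the executable it was started from. The pipe-delimited log format and all paths are constructed for this example.

```python
import ntpath
from typing import Dict, List, Tuple

DOC_EXTS = {".pdf", ".doc", ".docx", ".rtf", ".txt"}
EXEC_EXTS = {".scr", ".exe", ".pif", ".com"}
USER_WRITABLE = ("\\downloads\\", "\\temp\\", "\\appdata\\")

# Constructed telemetry (not real logs): time|event|pid|image|target
# For PROCESS_START "target" is the parent image; for FILE_DELETE it is the deleted path.
SAMPLE_EVENTS = r"""
09:01:02|PROCESS_START|4012|C:\Users\ana\Downloads\resume.pdf.scr|C:\Program Files\Microsoft Office\OUTLOOK.EXE
09:01:05|PROCESS_START|4040|C:\Windows\System32\cmd.exe|C:\Users\ana\Downloads\resume.pdf.scr
09:01:06|FILE_DELETE|4040|C:\Windows\System32\cmd.exe|C:\Users\ana\Downloads\resume.pdf.scr
09:02:00|PROCESS_START|4200|C:\Windows\System32\notepad.exe|C:\Windows\explorer.exe
09:02:10|FILE_DELETE|4200|C:\Windows\System32\notepad.exe|C:\Users\ana\Documents\notes.txt
"""


def lookalike_reasons(image: str) -> List[str]:
    """Reasons a launched image resembles the '.scr disguised as a resume' lure."""
    name = ntpath.basename(image).lower()
    stem, ext = ntpath.splitext(name)
    reasons = []
    if ext in EXEC_EXTS and ntpath.splitext(stem)[1] in DOC_EXTS:
        reasons.append("document-lookalike double extension")
    if ext == ".scr" and any(p in image.lower() for p in USER_WRITABLE):
        reasons.append(".scr launched from user-writable path")
    return reasons


def detect(lines: str) -> List[Tuple[str, str, str]]:
    """Return (time, pid, reason) alerts from pipe-delimited endpoint telemetry."""
    procs: Dict[str, Tuple[str, str]] = {}  # pid -> (own image, parent image)
    alerts: List[Tuple[str, str, str]] = []
    for raw in lines.strip().splitlines():
        ts, event, pid, image, target = raw.split("|")
        if event == "PROCESS_START":
            procs[pid] = (image, target)
            for reason in lookalike_reasons(image):
                alerts.append((ts, pid, reason))
        elif event == "FILE_DELETE":
            own, parent = procs.get(pid, ("", ""))
            # Self-deletion is often delegated to a child such as cmd.exe, so the
            # parent's image counts as well as the deleting process's own image.
            if target and target.lower() in (own.lower(), parent.lower()):
                alerts.append((ts, pid, "process deleted its own or parent's executable"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```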