A developer published via GitHub a proof-of-concept (POC) ransomware program featuring strong compatibility with the post-exploitation tool Cobalt Strike, open-source coding, and extensionless encryption.
The author claims the program, dubbed Povlsomware, is designed to be an educational tool for testing anti-virus protections; however, it’s possible that cybercriminals could adopt and modify the code in order to launch their own attacks, warns Trend Micro, which detailed the ransomware in a new company blog post this week.
The good news is that Trend Micro researchers have not seen Povlsomware discussed among members of dark web cybercriminal discussion forums. And at least some experts said it’s unlikely the program will gain significant traction among prominent cybercriminal players due to a lack of malware support infrastructure.
Such assessments are important as the threat intelligence and cyber research community track the evolution and popularity of various malware programs in order to stay on top of the latest trends. But this news also leads to some interesting questions: What are the motivations for posting a POC ransomware program online? And when a new POC malware emerges, what are the factors that ultimately lead it to become successful or disappear?
The nature of the malware
“Povlsomware is a Ransomware Proof-of-Concept created as a ‘secure’ way to test anti-virus vendors claims of ‘Ransomware Protection,’ states developer “PovlTekstTV” on his or her GitHub page. “Povlsomware does not destroy the system nor does it have any way of spreading to any network-connected computer and/or removable devices.”
Despite this disclaimer, Trend Micro expressed concern, noting some of the malware’s alluring features. First and foremost, it works well with the post-exploitation tool Cobalt Strike, which enables the program to perform in-memory loading and execution.
Without tools like Cobalt Strike, “security products will likely block such attacks and even restoration of encrypted files is possible, bringing the impact to somewhat on the low side, but only with the default code by itself,” said Don Ovid Ladores, blog post author and researcher at Trend Micro, in an interview with SC Media. But with Cobalt Strike, the potential of damage becomes increasingly likely.
Another interesting feature: the ransomware doesn’t append extensions to the files it encrypts. Robert McArdle, director of forward-looking threat research for Trend Micro, told SC Media this makes it harder for victims to ascertain what malware attacked them and respond accordingly.
“This isn't the first time we've encountered this sort of ‘educational’ ransomware that just happens to have very similar behavior to real ransomware,” said Ladores. “Even if it was built with good intentions, by making the tool and source code available, it’s available to other would-be attackers as well.”
“Tweaking the code would not be too difficult, which definitely puts it among the top of the list on what to watch out for,” added Ladores.
Experts vary on whether the POC code had a shot of catching on and evolving in a genuine threat.
“Assuming that Povlsomware is an effective and efficient piece of code, I would suspect it will gain quite a bit of popularity across the cybercrime landscape – first among the less advanced group of cybercriminals who don’t have the capability to write their own or don’t have the resources to buy customer code," said Brandon Hoffman, chief information security officer at Netenrich. And more advanced users could also take interest "because they now have to spend much less effort creating their own malware by simply customizing Povlsomware.”
Even certain nation-state actors are known to leverage publicly available code in order to jumpstart a new campaign, Hoffman added – as well as to cloud researchers' attribution efforts.
But other observers are not convinced Povlsomware represents the next big evolution in the ransomware space. The developer downplayed concerns noted in the trend Micro piece in a GitHub page update: “I believe they overestimated the effort it took to make it Cobalt-Strike integrated, giving me way too much credit.”
“There is nothing uniquely dangerous in this ransomware POC… as the author mentioned himself,” commented Anya Vysotskaya, intel analyst at Flashpoint, who said the most likely demographic to use the code are script kiddies who have minimal coding experience and are looking for an easy way to inflict damage.
As far as broader adoption: “The ransomware that he wrote lacks sophistication that other modern ransomware has and therefore is not suitable for commercial use, since there is a plethora of ransomware for sale within cybercrime markets,” said Vysotskaya, noting that Povlsomware’s decryption password is hard-coded. “Flashpoint analysts assess with moderate confidence that this POC will not be widely used or sold based on its lack of sophistication and the fact that the code is publicly available, therefore making it not very challenging to decrypt files back.”
Even Ladores’ colleague expressed doubts about the ransomware’s future.
“Even though this tool is free, its unlikely to garner much interest from actual cybercriminals,” said McArdle. “The reason is simple – it has all the features you would need expect from a ransomware, but none of the supports for a cybercrime business.”
“Today’s criminals demand control panels, affiliate model supports, management interfaces, ransom payment processing, data leak automation and more,” McArdle continued. “Ransomware is so lucrative today for criminals, and they have so many competing ransomware-as-a-service vendors to choose from that a free ransomware – even a novel one – simply does not make the cut. Reliable return on investment is key.”
Getting in the developer’s headspace
But why make the ransomware accessible to all? Experts weighed in with their theories. Some think the developer might be trying to gain a reputation among his or her peers, establishing themselves as a security thought leader. Other theories are darker and assume malice.
“The developer's intentions are unclear, but many malware developers with malicious intentions claim that their tools are not meant for malicious purposes as a disclaimer, perhaps in the hopes of shielding themselves from future legal actions or other consequences,” said Paul Prudhomme, cyber threat intelligence advisor at IntSights. “If the developer does not appear to be benefiting financially from selling or renting access to it, perhaps he or she hoped to bolster their stature or reputation by releasing it.”
Anya Vysotskaya, intel analyst at Flashpoint, had a similar theory. “The author PovlTekstTV has been active on various encrypted chat applications like discord, in hacking-themed chat servers since 2019 and has been participating in various challenges,” she said. “Based on his other online activities, the author is very interested in establishing a reputation as a security researcher, penetration tester and bounty hunter.”
Indeed, “The developer has also developed several other tools that can be of use for security research or pen-testing for example,” affirmed Trend Micro.
Perhaps the author felt that the good in releasing such a tool outweighs the risk. Or, as Vysotskaya suggested, perhaps he or she hasn’t entirely thought through the dangers.
“Since the author seems to be somewhat new in the field they might now be aware of negative implications of public ransomware code,” she said. “Although this would not be the first time POC of malware/ransomware has been published publicly and there are plenty of public examples in online illicit communities as well.”
Financial gain seems less likely of a factor, as the code was not marketed for sale on a cybercriminal forum. “Posting this ransomware as a POC would defy the purpose and expose the code, so no actor would do it if they intend to actually make money on the ransomware sale.”
But Hoffman said that in some cases when malicious code is released for free, the developer is playing the long game.
“Perhaps the author is simply trying to gain notoriety in the malware community as writing useful and powerful code. If that’s the case, there is likely a paid for version in the cybercrime underground or a paid for version coming,” said Hoffman. “Many times we see actors offer a piece of code for cheap and then offer additional customization services that cost a lot more money.”
There are other possibilities as well. Perhaps the developer secretly embedded additional malware into the code so that he or she or later “gain subsequent access to victims if used successfully by anybody. In this case the author is essentially seeding the community with victims for himself/herself by unwitting users of this tool,” Hoffman continued.
Tracking the traction of new code
Regardless of whether Povlsomware catches on as an educational tool, is modified into legitimate ransomware, or disappears into the ether, it’s helpful to understand how the threat intelligence of tracks the evolution of new POC code, and why some gains credence and popularity while others don’t.
“The process for tracking new variants of malware and ransomware have several different factors and methods,” said Hoffman. “One is simply monitoring the communications channels of threat actors and understanding what they are sharing and when. Another more tactical method is using technology systems to track live infections and activity across endpoints. This would include things like honeypots, deception technology, and other live capture systems.”
Likewise, Vysotskaya said that Flashpoint tracks emerging ransomware by monitoring chats and purchases in underground forums, while following new developments in the ransomware landscape.
Using these methods, researchers can also track a malware’s popularity. Obviously an increase in infections suggests a rise in that program’s popularity. “The more human-based approach is seeing criminal groups organize around a tool or a piece of code, and include that code in ransomware-as-a-service offerings, [and] build it into exploit kits.” When that happens, threat intelligence specialists try to “keep an eye on the volume of people asking questions and possibly performing transactions on this code.”
But this can be much harder to do when the programming is open-source and advanced users begin customizing the code. “If that new version has enough material changes to the code it may appear as a totally different piece of malware or simply a variant,” said Hoffman. “There are technical processes that help with this, but it’s not always foolproof.”
As for whether a ransomware becomes popular or not: it often comes down to its usability, the features is offers, and how well it complements the toolkits that malicious actors are already using.
For now, however, the ransomware remains well under the radar of the cybercriminal community.
“Since there is not yet any indication of this malware being used in actual attacks in the wild, it would probably be a low priority for threat intelligence coverage until attackers actually start using it in attacks,” said Prudhomme.