Spartacus ransomware shows sparse features can still fight hard

A new ransomware family named after a gladiator is demonstrating how even malware with sparse features can still wreak havoc on unsuspecting users.

Dubbed "Spartacus", the malware is described by Malwarebytes researchers as a relatively straightforward sample that uses techniques and code similar to the ShiOne, Blackheart, and Satyr ransomware variants, according to an April 30 blog post.

"In the case of Satyr and Blackheart, the code is nearly identical, with Spartacus following almost the same code flow with some modifications," Malwarebytes researcher Vasilios Hioureas said in the post. "If I were to make an assumption, I would say they are either the same actor or the actors for each of them used the same code. But again, there are no facts to prove this as of now."

At the moment there is no clear relationship between the malware samples and the threat actors behind them; however, the variants share similar functionality and are basic in form. Researchers noted the string of .NET ransomware popping up, all of it more or less the same or similar, and said Spartacus is an easy form of ransomware for criminals to create since it does not take much time or thought to make.

The malware starts by generating a unique encryption key for each victim using the Rijndael version of AES, then saves that key and uses it to encrypt every file. This means that two identical files will have the same ciphertext, researchers said.
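The deterministic behaviour the researchers point out (one saved key reused for every file, so identical plaintext files yield identical ciphertext) is easy to reproduce in a few lines. The following Go program is an added illustration written for this article, not code from the Spartacus sample or from Malwarebytes. It assumes AES in CBC mode with PKCS#7 padding, which is what .NET's Rijndael class uses by default, and it assumes a constant (all-zero) IV when the key is reused; the article does not state which mode or IV the sample uses, so both are assumptions. The constructed key and file contents are stand-ins. For contrast, the same routine with a fresh random IV per file produces different ciphertext for the same input, which is the property an analyst checks for when judging whether encrypted files on a victim system can be correlated with each other.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// DemoKey returns a constructed 256-bit key standing in for the per-victim
// key the article describes. A real sample would generate one at run time.
func DemoKey() []byte {
	return bytes.Repeat([]byte{0x42}, 32)
}

// pkcs7Pad pads data to a multiple of blockSize (PKCS#7).
func pkcs7Pad(data []byte, blockSize int) []byte {
	n := blockSize - len(data)%blockSize
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips PKCS#7 padding and rejects malformed input.
func pkcs7Unpad(data []byte, blockSize int) ([]byte, error) {
	if len(data) == 0 || len(data)%blockSize != 0 {
		return nil, errors.New("bad ciphertext length")
	}
	n := int(data[len(data)-1])
	if n == 0 || n > blockSize || n > len(data) {
		return nil, errors.New("bad padding")
	}
	for _, b := range data[len(data)-n:] {
		if int(b) != n {
			return nil, errors.New("bad padding")
		}
	}
	return data[:len(data)-n], nil
}

// Encrypt encrypts plaintext with AES-CBC under key. When fixedIV is true the
// IV is a constant all-zero block (assumed reuse pattern: same key, same IV,
// every file); otherwise a fresh random IV is drawn for each call. The IV is
// prepended to the output so Decrypt can recover it in both cases.
func Encrypt(key, plaintext []byte, fixedIV bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if !fixedIV {
		if _, err := io.ReadFull(rand.Reader, iv); err != nil {
			return nil, err
		}
	}
	padded := pkcs7Pad(plaintext, aes.BlockSize)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return append(iv, out...), nil
}

// Decrypt reverses Encrypt, reading the IV from the leading block.
func Decrypt(key, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) < 2*aes.BlockSize || len(ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("bad ciphertext length")
	}
	iv, body := ciphertext[:aes.BlockSize], ciphertext[aes.BlockSize:]
	out := make([]byte, len(body))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, body)
	return pkcs7Unpad(out, aes.BlockSize)
}

// SameCiphertext encrypts one constructed file twice under the same key and
// reports whether the two ciphertexts are byte-for-byte identical.
func SameCiphertext(key []byte, fixedIV bool) (bool, error) {
	file := []byte("constructed sample: the same document saved twice under two names")
	c1, err := Encrypt(key, file, fixedIV)
	if err != nil {
		return false, err
	}
	c2, err := Encrypt(key, file, fixedIV)
	if err != nil {
		return false, err
	}
	return bytes.Equal(c1, c2), nil
}

func main() {
	key := DemoKey()
	same, _ := SameCiphertext(key, true)
	fmt.Println("reused key and IV, identical files -> identical ciphertext:", same)
	same, _ = SameCiphertext(key, false)
	fmt.Println("fresh IV per file, identical files -> identical ciphertext:", same)
}
```

Running the program prints `true` for the reused-IV case and `false` for the fresh-IV case. The design point is that randomising the IV costs nothing on the decryption side, since `Decrypt` reads it from the first block either way; the only thing the fixed-IV pattern buys is the leak the researchers describe, where equal files across a victim's disk can be spotted without the key.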

Spartacus uses the CheckRunProgram function to make sure only one instance of the malware is running on the system, and it operates purely offline, with no network communication back to the author or any C2 server. The malware author does not know who is infected until the victim emails them their personal ID, which is the AES key.

Unfortunately, there are no decryptors available for the malware as the decryption tool is likely embedded in the AES key and is unique to each victim.

Researchers said the only possible way to counter an infection, if victims realize they are being hit, is to perform a process memory dump, from which there may be a chance of extracting the keys.
