RanRan is considered unsophisticated.
RanRan is considered unsophisticated.

Palo Alto's Unit 42 research group has observed a new ransomware campaign that attempts to extort Middle Eastern organizations into posting political statements instead of a monetary payment.

Nicknamed RanRan, the ransomware has targeted a set of Middle Eastern government groups and is separate from the recent Shamoon 2 wiper attacks that have taken place, Unit 42 wrote. These incidents began in the last two months and Palo Alto believes the attacks are originating from a single threat actor.

“The ransom note specifically attempts to extort a political statement by forcing the victims to create a public sub-domain with a name that would appear to advocate and incite violence against a Middle Eastern political leader,” wrote Palo Alto researchers Robert Falcone and Josh Grunzwig.

Christopher Budd, Palo Alto Networks senior manager, cybersecurity and threat intelligence group, told SC Media that the company is not giving out any additional information regarding the content of the messages the hackers are demanding be posted nor which nations have been hit, but so far not have bowed to the demands.

“We are not aware of anyone that has acceded to the demands of the attackers. The fact that we are able to provide a decryptor tool in this case may have helped thwart the effectiveness of the attack,” Budd said.

While politically motivated cyberattacks are nothing new, there is no way to tell if this methodology will gain favor.

“There's no way to know. Politically motivated attacks aren't new, though using ransomware in support of a politically motivated attack is. Whether others pick this up or not will depend on many factors, most of which are human and not technical,” Budd said.

The ransomware itself is not particularly powerful and has several inherent problems, such as, it will only work in situations where certain criteria are met.

·        An encrypted and unencrypted file must be present for a given file size group (0-5MB, 5-30MB, etc). Using these two files, we are able to acquire the RC4 stream cipher.

·        The remaining encrypted files must be of lesser size than the previously obtained stream cipher. If a file is of greater size, it is only able to be partially decrypted.

“The malware itself was found to be unsophisticated, using both a symmetric cipher, as well as publicly available code. Other indicators, such as debug statements found within the malware also provide further evidence to compound this statement,” Unit 42 said.

With that said RanRan does have the ability to fight off attempts to dislodge it from a computer. Falcone and Grunzwig noted the malware continually monitors and closes windows with titles containing “task manager”.