Back with a vengeance. A ransomware variant that has been around for years is rearing its head again. But this time it is harder to detect and may cause much more damage to your business.
The malware (malicious software) that I’m talking about was recently upgraded to stealthily penetrate, infect, extort and ransom business-grade networks.
Cybersecurity experts recently detected the malware known as Rakhni on business networks around the globe. First seen in 2013, it has developed into a scary problem for businesses that care at all about their data security.
What makes Rakhni stand out right now?
This attack vector stands out from the crowd because it is especially hard to detect. The virus actually has a mind of its own, autonomously deciding whether it infects and encrypts your network, exploits your network for valuable data, or uses your network as a springboard to infect others. Whichever of the 3 paths Rakhni takes on your infected network, one thing is certain: you wouldn’t wish Rakhni on your greatest enemy!
First, how are businesses getting infected by Rakhni?
There’s no big change here. The Trojan is distributed through spam emails with malicious attachments. It is embedded in a PDF document that, when opened, launches a malicious downloader. At this point your user sees an error popup, seemingly from Adobe. Because it looks like a legitimate error, most users so far have not suspected that the downloaded file was anything more than an ordinary attachment.
But once executed (downloaded), the Trojan becomes dangerous.
It starts by checking whether the operating system is virtualized and whether it is being monitored. It then creates a registry key and inspects existing registry keys for any sign that your machine is a virtual machine, is running in a sandbox, or is running analysis tools. It also checks your machine’s process count, computer name, and IP address.
After an exhaustive check of over 200 different items on your machine, the Trojan installs a root certificate, which it uses as the trusted source for the resources it fetches. It then checks which antivirus is present on the system and disables Windows Defender if no other antivirus process is running.
First, if your machine has relatively high processing power and can run multiple applications at once without degrading the performance of any one of them, the Trojan will opt to drop a data mining tool on your machine. The mining tool will glean important information from your drives, and potentially from other places on your network that it can access.
The important information it is likely looking for?
Passwords, Social Security Numbers, basically anything that is worth money. This application will appear to be a legitimate process if you were to look at the processes running on your computer, and likely would go undetected even with antivirus running.
The Trojan then checks whether you have specific applications and folders on your machine and on others on your network. If they are present, it installs a cryptor tool that ultimately encrypts and ransoms your data. In fact, it follows a similar protocol to other very potent ransomware viruses, encrypting all of your data and holding it for ransom.
What is new in the encryption process? This cryptor waits until your computer has been idle for at least 2 minutes before it encrypts the machine and spreads to other machines. Basically, it wants to go undetected so that your entire network gets infected before anyone notices. (In many past ransomware infections of businesses, once the infection was detected, people unplugged the computers that were not yet infected to stop it spreading.) By waiting until a computer is idle before infecting it, many experts believe that the ransom infection may spread far beyond the likes of recent attacks, some of which nearly completely shut down the city of Atlanta.
If your machine lacks the processing power to run the nearly undetectable data miner and does not meet the criteria for encryption, the Trojan resorts to installing a worm-like application on your machine that helps it propagate across your network and onto other networks you might connect to.
In fact, it has been observed to check each computer to see whether the User folder is shared, in an attempt to copy itself to the Startup folder of every computer or user it has access to. It then creates a batch file to delete all temporary files used during infection (to cover its tracks).
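The behaviours described in the infection chain above (a root certificate being installed, Windows Defender being disabled, a copy of the executable landing in a Startup folder over a file share, and a batch file cleaning up the Temp folder) are all visible in ordinary endpoint telemetry. The following is an added example of how a defender could correlate them, not code from the original post or from any vendor: it runs simple rules over constructed, simplified Sysmon-style event records and only alerts when one process shows several of these behaviours together, so a single legitimate certificate import does not trigger it. The registry paths, file paths, process IDs and rule names are assumptions chosen for the illustration; the write-up does not name the exact keys Rakhni touches.

```python
"""Toy behavioural detector for the Rakhni-style chain described above.

The telemetry below is constructed, simplified Sysmon-like records, not
real host data.  Each rule matches one behaviour from the write-up; hits
are correlated per originating process so that a single match (a legitimate
certificate import, say) does not raise an alert on its own.
"""
import re
from collections import defaultdict


def ev(pid, image, kind, **fields):
    """Build one constructed telemetry record."""
    return {"pid": pid, "image": image, "type": kind, **fields}


PAYLOAD = r"C:\Users\alice\AppData\Local\Temp\payload.exe"  # constructed path

SAMPLE_EVENTS = [
    # benign: explorer launches a text editor (matches nothing)
    ev(1001, r"C:\Windows\explorer.exe", "process",
       cmdline=r"C:\Program Files\Editor\editor.exe"),
    # benign: an admin imports a root certificate (one hit only, no alert)
    ev(3000, r"C:\Windows\System32\certutil.exe", "registry",
       key=r"HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DEADBEEF",
       value="Blob"),
    # suspicious chain, all from one dropped executable
    ev(2048, PAYLOAD, "registry",
       key=r"HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\ABC123",
       value="Blob"),
    ev(2048, PAYLOAD, "registry",
       key=r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
       value="1"),
    ev(2048, PAYLOAD, "file",
       target=r"\\FILESRV\Users\bob\AppData\Roaming\Microsoft\Windows"
              r"\Start Menu\Programs\Startup\payload.exe"),
    ev(2048, PAYLOAD, "process",
       cmdline=r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\clean.bat"'),
    ev(2048, PAYLOAD, "process",
       cmdline=r"cmd.exe /c del /q /f C:\Users\alice\AppData\Local\Temp\*.tmp"),
]

# Assumed locations where each behaviour would show up in telemetry.
ROOT_CERT_RE = re.compile(r"\\SystemCertificates\\ROOT\\Certificates\\", re.I)
DEFENDER_RE = re.compile(r"\\Windows Defender\\Disable", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
UNC_RE = re.compile(r"^\\\\[^\\]+\\")              # path reached via a share
TEMP_DEL_RE = re.compile(r"\bdel\b.*\\Temp\\", re.I)
TEMP_BAT_RE = re.compile(r"\\Temp\\[^\\\s\"]+\.bat\b", re.I)

RULES = [
    ("root_cert_install",
     lambda e: e["type"] == "registry" and bool(ROOT_CERT_RE.search(e["key"]))),
    ("defender_disabled",
     lambda e: e["type"] == "registry" and bool(DEFENDER_RE.search(e["key"]))
     and str(e.get("value")) == "1"),
    ("startup_drop",
     lambda e: e["type"] == "file" and bool(STARTUP_RE.search(e["target"]))),
    ("remote_startup_drop",   # Startup folder on another host's shared Users folder
     lambda e: e["type"] == "file" and bool(STARTUP_RE.search(e["target"]))
     and bool(UNC_RE.match(e["target"]))),
    ("temp_cleanup_batch",
     lambda e: e["type"] == "process"
     and bool(TEMP_DEL_RE.search(e["cmdline"]) or TEMP_BAT_RE.search(e["cmdline"]))),
]


def evaluate(events):
    """Return {pid: {"image": ..., "hits": set(rule names)}} for every pid with a hit."""
    per_pid = defaultdict(lambda: {"image": None, "hits": set()})
    for e in events:
        for name, predicate in RULES:
            if predicate(e):
                per_pid[e["pid"]]["image"] = e["image"]
                per_pid[e["pid"]]["hits"].add(name)
    return dict(per_pid)


def alerts(events, min_hits=2):
    """Alert only on processes showing at least min_hits distinct behaviours."""
    return {pid: info for pid, info in evaluate(events).items()
            if len(info["hits"]) >= min_hits}


if __name__ == "__main__":
    for pid, info in alerts(SAMPLE_EVENTS).items():
        print(f"ALERT pid={pid} image={info['image']} hits={sorted(info['hits'])}")
```

The threshold in `alerts` is what makes this usable: each rule on its own fires on legitimate administration (certificate imports, policy changes, cleanup scripts), but one process doing several of them in sequence is the pattern the write-up describes. In a real deployment the same logic would sit on a SIEM over Sysmon registry, file and process events rather than on an in-memory list.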
So… are there ways to protect your network from Rakhni and other malicious cyberattacks?
Probably the easiest way to protect your network from getting attacked is to get a third-party ransomware vulnerability assessment. Identify your risks and prioritize what needs to be done. Not sure where to start? Interested in a ransomware vulnerability assessment? Contact Us TODAY to find out how you might qualify for a FREE assessment.