Kofer, the mutating ransomware
Cybereason Labs uncovered a batch of ransomware samples that share the same evasive traits and appear to come from the same group of authors. All of them include measures to avoid detection, sidestepping both sandbox analysis and static signature matching.
The samples were all delivered as fake PDF files; the user has to double-click the file for the malware to run. The most likely delivery method is targeted email campaigns.
Each sample has its own distinguishing characteristics and a unique hash, which defeats signature-based detection of the family as a whole. Many refuse to run inside a virtual machine.
The CryptoWall 3.0 and Crypt0L0cker samples were both observed destroying Volume Shadow Copies, so that encrypted files cannot be recovered from local snapshots.
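Shadow copy destruction is one of the few loud actions a ransomware sample takes before encryption, so it is worth alerting on. The following is an added example, not code from Cybereason or from the write-up: it scans process-creation events (the constructed sample events imitate the Image, ParentImage and CommandLine fields of a Sysmon Event ID 1 record) for the usual ways Windows tooling is abused to delete shadow copies. The post only says the samples destroy shadow copies; the specific vssadmin, wmic and Win32_ShadowCopy command lines matched below are an assumption about how that is done, not something the post confirms for these samples.

```python
"""Flag process-creation events whose command line destroys Volume Shadow Copies."""
import re

# Assumed command-line shapes for shadow copy destruction (the original post does
# not say which command the Kofer samples use). Each rule is applied to a
# whitespace-normalized, lower-cased command line.
SHADOW_COPY_DELETION_RULES = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b"),
    "vssadmin_resize_shadowstorage": re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b"),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b"),
    "wmi_win32_shadowcopy_delete": re.compile(r"\bwin32_shadowcopy\b.*\bdelete\b"),
}


def normalize(cmdline: str) -> str:
    """Collapse whitespace and lower-case so quoting/spacing tricks do not dodge the rules."""
    return re.sub(r"\s+", " ", cmdline).strip().lower()


def find_shadow_copy_deletion(events):
    """Return one finding per event that matches a shadow copy deletion rule.

    The parent image is kept in the finding because with ransomware the parent is
    usually the dropped payload itself (here, the fake PDF), which is what you
    want to pull for triage.
    """
    findings = []
    for ev in events:
        cmd = normalize(ev.get("CommandLine", ""))
        for rule, pattern in SHADOW_COPY_DELETION_RULES.items():
            if pattern.search(cmd):
                findings.append({
                    "rule": rule,
                    "image": ev.get("Image", ""),
                    "parent": ev.get("ParentImage", ""),
                    "command": ev.get("CommandLine", ""),
                })
                break  # one finding per event is enough
    return findings


# Constructed sample events (not real telemetry), in Sysmon Event ID 1 style.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Users\victim\Downloads\Invoice_2015.pdf.exe",
     "CommandLine": r"vssadmin.exe  Delete Shadows /All /Quiet"},
    {"Image": r"C:\Windows\System32\wbem\wmic.exe",
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\update.exe",
     "CommandLine": r"wmic.exe shadowcopy delete"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"vssadmin.exe list shadows"},  # benign inventory command
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\victim\Downloads\Invoice_2015.pdf.exe",
     "CommandLine": 'powershell.exe -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object {$_.Delete()}"'},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for f in find_shadow_copy_deletion(SAMPLE_EVENTS):
        print(f"{f['rule']}: {f['command']}  (parent: {f['parent']})")
```

Three of the five constructed events are flagged; the `vssadmin list shadows` inventory command is deliberately left alone, since alerting on every vssadmin invocation would bury the real signal under routine administration.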
The researchers also established that the Kofer variants check for the file C:\myapp.exe; if it exists, the program does not run. Creating that file therefore acts as a simple vaccine against the samples analysed, although a later build could trivially change or drop the check.
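A marker file the malware refuses to run alongside is cheap to deploy fleet-wide. The following is an added example, not code from the write-up: it creates the zero-byte marker at the path the post names, makes it read-only, and reports its status so an inventory job can tell "absent", "present (our vaccine)" and "present but non-empty" apart. The last case matters because a non-empty C:\myapp.exe on a host that you never vaccinated is something to triage, not something to assume is yours. The default path comes from the post; the `vaccine_status` / `vaccinate` function names and the decision to treat any non-empty file as suspicious are this example's own choices.

```python
"""Deploy and audit the C:\\myapp.exe vaccine described for the Kofer variants."""
import os
import stat
from pathlib import Path

# Marker path the Kofer variants check for, per the Cybereason write-up.
KOFER_MARKER = Path(r"C:\myapp.exe")


def vaccine_status(marker=KOFER_MARKER) -> str:
    """Return 'absent', 'present' (zero-byte marker) or 'suspicious' (something else is there).

    A non-empty file or a directory at the marker path is not our vaccine and
    should be looked at rather than silently accepted (example's own policy).
    """
    marker = Path(marker)
    if not marker.exists():
        return "absent"
    if marker.is_file() and marker.stat().st_size == 0:
        return "present"
    return "suspicious"


def vaccinate(marker=KOFER_MARKER) -> bool:
    """Create the zero-byte marker and make it read-only. Returns True only if the
    vaccine is in place afterwards; never overwrites an existing non-empty file."""
    marker = Path(marker)
    status = vaccine_status(marker)
    if status == "suspicious":
        return False  # leave unexpected content alone for triage
    try:
        if status == "absent":
            marker.touch()
        # Read-only so a casual delete/overwrite from a user context fails;
        # this is a speed bump, not a security boundary.
        os.chmod(marker, stat.S_IREAD)
    except OSError:
        return False
    return vaccine_status(marker) == "present"


if __name__ == "__main__":
    print("before:", vaccine_status())
    print("vaccinated:", vaccinate())
    print("after:", vaccine_status())
```

Run it elevated on each endpoint (the root of C: is not writable by a standard user), and keep the caveat from the post in mind: the check is only known for the variants analysed, so the vaccine is a stopgap alongside detection, not a replacement for it.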