Unusual New ‘PureLocker’ Ransomware Is Going After Servers

Researchers at Intezer and IBM X-Force have detected an unconventional form of ransomware that’s being deployed in targeted attacks against enterprise servers. They’re calling it PureLocker because it’s written in the PureBasic programming language. ZDNet reports: It’s unusual for ransomware to be written in PureBasic, but it provides benefits to attackers because sometimes security vendors struggle to generate reliable detection signatures for malicious software written in this language. PureBasic is also transferable between Windows, Linux, and OS-X, meaning attackers can more easily target different platforms. “Targeting servers means the attackers are trying to hit their victims where it really hurts, especially databases which store the most critical information of the organization,” Michael Kajiloti, security researcher at Intezer, told ZDNet.

There are currently no figures on the number of PureLocker victims, but Intezer and IBM X-Force have confirmed the ransomware campaign is active with the ransomware being offered to attackers ‘as-a-service.’ However, it’s also believed that rather than being offered to anyone who wants it, the service is offered as a bespoke tool, only available to cyber criminal operations which can afford to pay a significant sum in the first place. The source code of PureLocker ransomware offers clues to its exclusive nature, as it contains strings from the ‘more_eggs’ backdoor malware. This malware is sold on the dark web by what researchers describe as a ‘veteran’ provider of malicious services. These tools have been used by some of the most prolific cyber criminal groups operating today, including Cobalt Gang and FIN6 — and the ransomware shares code with previous campaigns by these hacking gangs. It indicates that PureLocker is designed for criminals who know what they’re doing and know how to hit a large organization where it hurts.