An unusual ransomware strain, closely linked with forms used by known threat groups, is being used in targeted attacks against enterprise production servers.
The malware has been dubbed PureLocker, because it's been written in the PureBasic programming language, and is fitted with several features that lend well to evasion. The cyber criminals behind PureLocker are also deploying a Linux variant to attack its targets' Linux infrastructure.
Several factors render PureLocker unconventional, according to a joint analysis by Intezer and IBM X-Force researchers, including the fact PureBasic is uncommon and an unusual choice. It does bring certain advantages for the attackers, though.
Vendors, for example, have difficulty generating reliable detection signatures for PureBasic strains, while the code is also highly portable between different operating systems including Windows, Linux and macOS.
The most popular ransomware strains targeting UK businesses Forget ransomware, a lack of global norms is killing the security industry Ex White House CIO attacks insurance firms for 'fuelling ransomware industry'
Evidence also suggests PureLocker is part of a targeted and multi-stage attack that goes through a series of checks before deeming whether or not the conditions are right to strike.
This covert method includes checking for whether the machine is dated to 2019, and whether admin rights are granted. If the checks fail, the malware will exit without performing any malicious activity in order to hide its functionality.
"PureLocker is a rather unorthodox ransomware," Intezer researcher Michael Kajiloti said. "Instead of trying to infect as many victims as possible, it was designed to conceal its intentions and functionalities unless executed in the intended manner.
"This approach has worked well for the attackers who have managed to successfully use it for targeted attacks, while remaining undetected for several months."
Another unconventional feature of PureLocker is that it uses what's known as an anti-hooking technique to evade detection. Hooking is conventionally used for purposes like debugging, and can also be deployed be malicious code to make themselves invisible. This form of anti-hooking deployed by PureLocker is a known trick rarely used in ransomware.
The malware also doesn't use Windows' built-in cryptographic API functions, instead relying on a crypto library compiled in PureBasic for its specific encryption requirements.
"This type of behavior is not common in ransomware, which typically prefer to infect as many victims as possible in the hopes of gaining as much profit as possible," Kajiloti continued. "Additionally, being a DLL file designed to be executed in a very specific manner reveals this ransomware is a later-stage component of a multi-stage attack."
PureLocker has ties with the "more_eggs" backdoor malware that has been spotted being sold on the dark web by a malware as a service (MaaS) provider. It's also been used by organisations like the Cobalt Gang, FIN6, and other prominent organisations.
The fact that the code of the evasion and anti-analysis functionalities is directly copied from the "more_eggs" backdoor loader allows PureLocker to stay undetected by automated analysis systems.
-
HPE promises “cross pollinated" future for Aruba and JuniperNews Juniper Networks’ Marvis and LEM capabilities will move to Aruba Central, while client profiling and organizational insights will transfer to Mist
-
HPE Discover Barcelona 2025: All the news, updates, and announcements live from BarcelonaNews ITPro is on the ground in Spain for the European addition of HPE Discover – join our rolling coverage of the event
-
15-year-old revealed as key player in Scattered LAPSUS$ HuntersNews 'Rey' says he's trying to leave Scattered LAPSUS$ Hunters and is prepared to cooperate with law enforcement
-
The Scattered Lapsus$ Hunters group is targeting Zendesk customers – here’s what you need to knowNews The group appears to be infecting support and help-desk personnel with remote access trojans and other forms of malware
-
Impact of Asahi cyber attack laid bare as company confirms 1.5 million customers exposedNews No ransom has been paid, said president and group CEO Atsushi Katsuki, and the company is restoring its systems
-
The US, UK, and Australia just imposed sanctions on a Russian cyber crime group – 'we are exposing their dark networks and going after those responsible'News Media Land offers 'bulletproof' hosting services used for ransomware and DDoS attacks around the world
-
A notorious ransomware group is spreading fake Microsoft Teams ads to snare victimsNews The Rhysida ransomware group is leveraging Trusted Signing from Microsoft to lend plausibility to its activities
-
Volkswagen confirms security ‘incident’ amid ransomware breach claimsNews Volkswagen has confirmed a security "incident" has occurred, but insists no IT systems have been compromised.
-
The number of ransomware groups rockets as new, smaller players emergeNews The good news is that the number of victims remains steady
-
Teens arrested over nursery chain Kido hacknews The ransom attack caused widespread shock when the hackers published children's personal data
