Feature or Flaw: The Strange Case of the AnteFrigus Ransomware
- Researchers have spotted a new ransomware strain dubbed AnteFrigus that behaves unusually for ransomware.
- It encrypts only drives associated with removable devices and mapped network drives, leaving the system drive untouched.
A new Hookads malvertising campaign has been discovered to be distributing the AnteFrigus ransomware.
What is unusual?
Most ransomware targets the C: drive, where Windows and the user profiles live, but AnteFrigus does not. Instead, it goes after the drives associated with removable devices and mapped network drives.
- This is unusual because most users keep their documents on the local system drive, so skipping it leaves much of the valuable data unencrypted.
- It targets only the D:, E:, F:, G:, H:, and I: drive letters and does not encrypt any files on C:.
- However, security experts speculate that this may be a bug and not the intended behavior.
- They also suggest that this ransomware may still be in the development or testing phase.
“This malware does not look super sophisticated and contained a plethora of debugging symbols, source references, and test/debug location,” security researcher Vitali Kremez told Bleeping Computer.
What we know
This ransomware is distributed by malvertising campaigns that redirect potential victims to the RIG exploit kit.
- The exploit kit probes the visiting browser for exploitable Internet Explorer vulnerabilities and, when one is found, uses it to install the ransomware payload.
- The ransomware appends a random extension to each encrypted file.
- The ransom note contains a link to a Tor payment site that lists the ransom amount and the bitcoin address to send it to.
- The malware also creates the file C:\qweasd\test.txt, which may serve as a debug or lock file.
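As an added triage example (not code from the researchers, Bleeping Computer, or the malware itself), the script below turns the indicators listed above into a host check: it walks the D: through I: drive letters the article names, flags files whose original extension has a random-looking token appended, and tests for the C:\qweasd\test.txt marker. The "random-looking extension" heuristic, the allowlist of ordinary extensions, the function names, and the sample directory the script builds to demonstrate itself are all assumptions for illustration; the constructed sample tree stands in for a mapped drive.

```python
"""Triage helper for the AnteFrigus indicators reported above.

Added example, not the researchers' or the malware's own code. The drive
letters and the marker path come from the report; the extension heuristic,
allowlist and sample data are assumptions made for this illustration.
"""
import os
import re
import tempfile
from pathlib import Path

# Drive letters the report says the ransomware touches (C: is reported untouched).
TARGETED_DRIVES = ("D", "E", "F", "G", "H", "I")

# Marker file reported alongside the encrypted files.
MARKER_FILE = Path(r"C:\qweasd\test.txt")

# Assumed allowlist of ordinary extensions; anything appended after one of
# these that looks like a random token is treated as a possible encrypted file.
KNOWN_EXTENSIONS = {
    "txt", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "csv",
    "jpg", "jpeg", "png", "gif", "mp4", "mp3", "zip", "rar", "7z",
    "exe", "dll", "ini", "log", "json", "xml", "html", "md",
}

# Assumed shape of an appended random extension: 4-12 lowercase alphanumerics.
RANDOM_EXT_RE = re.compile(r"^[a-z0-9]{4,12}$")


def looks_encrypted(filename: str) -> bool:
    """True if a known extension is followed by a random-looking appended one."""
    suffixes = [s.lstrip(".").lower() for s in Path(filename).suffixes]
    if len(suffixes) < 2:
        return False
    inner, last = suffixes[-2], suffixes[-1]
    return (inner in KNOWN_EXTENSIONS
            and last not in KNOWN_EXTENSIONS
            and bool(RANDOM_EXT_RE.match(last)))


def scan_tree(root: Path) -> list[Path]:
    """Walk one drive root (or any directory) and collect suspicious files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if looks_encrypted(name):
                hits.append(Path(dirpath) / name)
    return sorted(hits)


def targeted_drive_roots(drives=TARGETED_DRIVES) -> list[Path]:
    """Roots for the reported drive letters that are actually mounted here."""
    return [Path(f"{d}:\\") for d in drives if Path(f"{d}:\\").exists()]


def triage(roots, marker: Path = MARKER_FILE) -> dict:
    """Check the marker file and scan every given root for appended extensions."""
    return {
        "marker_present": marker.is_file(),
        "suspicious_files": [p for root in roots for p in scan_tree(root)],
    }


def build_sample_tree() -> Path:
    """Constructed sample standing in for a mapped drive (not real victim data)."""
    base = Path(tempfile.mkdtemp(prefix="antefrigus_demo_"))
    sample_files = {
        "docs/report.docx": b"clean document",
        "docs/budget.xlsx.kq3zp9": b"ciphertext",   # assumed appended extension
        "docs/notes.txt.x8v2hd": b"ciphertext",     # assumed appended extension
        "photo.jpg": b"clean image",
        "qweasd/test.txt": b"",                     # stand-in for the marker file
    }
    for rel, body in sample_files.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(body)
    return base


if __name__ == "__main__":
    sample = build_sample_tree()
    # On a real Windows host: triage(targeted_drive_roots())
    print(triage([sample], marker=sample / "qweasd" / "test.txt"))
```

On a Windows host the call is `triage(targeted_drive_roots())` with the default marker path. The heuristic only catches files whose original extension is still visible in front of the appended token, so files with no extension or an uncommon one are missed, and an absent marker file proves nothing on its own, since it may be deleted or may only exist in the debug builds the researchers examined.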
What we don’t know
Because this is a new ransomware, its weaknesses are not yet known. Researchers will have to uncover the malware’s weaknesses to develop a decryptor.