Feature or Flaw: The Strange Case of the AnteFrigus Ransomware

• Researchers have spotted a new ransomware strain dubbed AnteFrigus that displays unusual characteristic traits.
• It targets only the drives that are associated with removable devices and mapped network drives.

A new Hookads malvertising campaign has been discovered to be distributing the AnteFrigus ransomware.

What is unusual?

Most ransomware target the C: drive on target Windows devices, but not AnteFrigus. Instead, it goes after the drives associated with removable devices and mapped network drives.

• This is unusual as users save documents on their local drives.
• It targets only the D:, E:, F:, G:, H:, and I: drives and does not encrypt any files in the C:.
• However, security experts speculate that this may be a bug and not the intended behavior.
• They also suggest that this ransomware may still be in the development or testing phase.

“This malware does not look super sophisticated and contained a plethora of debugging symbols, source references, and test/debug location,” security researcher Vitali Kremez told Bleeping Computer.

What we know

This ransomware is distributed by malvertising campaigns that redirect potential victims to the RIG exploit kit.

• This exploit kit looks for Internet Explorer vulnerabilities to exploit and install a malicious payload.
• The ransomware was found to append a random extension to the encrypted files.
• The ransom notes displayed a link to a Tor payment site that contained the ransom amount and the bitcoin address to send it to.
• The C:\qweasd\test.txt file is also created, which may be used as a debug or lock file.

What we don’t know

Because this is a new ransomware, its weaknesses are not yet known. Researchers will have to uncover the malware’s weaknesses to develop a decryptor.