New AgeLocker Ransomware Abuses Genuine ‘Age’ Encryption Tool

Some clever hackers have been attempting to use legitimate software tools to target their victims, thereby leaving fewer clues and chances for security defenses to identify the threat. Recently, some hackers were observed doing the same, using a Google internal tool as an attack vector.

What happened

Researchers found a new ransomware named ‘AgeLocker’, that was using the genuine 'Age' encryption tool created by a Google employee, to encrypt the victim's files.
  • Earlier this month, a user posted on BleepingComputer forums, providing the details about the new ransomware ‘AgeLoker’.
  • This ransomware adds a text header that starts with the URL 'age-encryption.org' to each file. This URL points to a GitHub repository for an encryption utility called 'Age', which is believed to be used by attackers to encrypt victim's files.
  • Instead of creating ransom notes on the encrypted system, the threat actors emailed the ransom demand to the victims. They added an encrypted devices list and payment instructions in the ransom note.

A noteworthy pattern

Hackers using this tool for malicious purposes is a repeated behavior since a similar older tool was also misused by several hacker groups for the same purpose.
  • According to the official manual, the development of the tool ‘Age’ began in May 2019, and it provided an option to encrypt to SSH keys. This tool was developed as a replacement for the older encryption tool, ‘GPG’.
  • GPG was also abused by hacker groups to lock up victims' files and hold them hostage for ransom.
  • A few notable malware that were found using GPG for file encryption include the Qwerty ransomware (2018), VaultCrypt (2015), and KeyBTC (2014).

Hackers leveraging genuine encryption tools

There have been several incidents in the past when hackers misused other genuine tools in their ransomware attacks, utilizing them to encrypt the victim’s data and asking for a ransom. 
  • In March 2020, the TA505 group was observed targeting businesses in Germany via their human resources executives.
  • They were using widely available legitimate software tools to mask their movements, including the GPG encryption tool and other tools.