Researchers have discovered a new strain of malware that runs using C# and is currently still in development. According to MalwareHunterTeam, the malware employs an interesting technique that has not been observed in previous ransomware.
In the sample analyzed, the ransomware includes an encrypted, C# string embedded into the dropper that is decrypted, compiled using CSharpCodeProvider class and launched directly into memory. This technique allows the ransomware to slip through undetected by security tools since its malicious function is hidden within the encrypted string.
As Bleeping Computer notes, "it wouldn't be surprising to see the ransomware being distributed at some point."
Once the ransomware is executed, it immediately proceeds to encrypt files on the targeted machine and rename them using the firstname.lastname@example.org_[hex] template. Every encrypted folder includes a ransom note named "HOW DECRIPT FILES.hta" that offers the victim further instructions on what happened to their files and the payment process.
MalwareHunterTeam notes that this ransomware method is still under development, undetectable by most antivirus programs and is likely be distributed eventually.
Experts frequently advise users not to pay the ransom since it is never guaranteed that the attackers will make good on their promise to decrypt and return the victim’s files.Users are suggested to employ other methods of data recovery.