Ransomware groups can simultaneously adapt malicious code to different operating systems, according to Kaspersky Research
New ransomware gangs have adapted their malware to different computer operating systems, potentially causing even more damage to organizations, reports cybersecurity firm Kaspersky.
Kaspersky researchers reveal that the RedAlert and Monster cyberattack groups hit different operating systems without using cross-platform languages. Kaspersky notes the discovery of “one-day exploits that can be executed by ransomware groups in order to achieve their financial ambitions”.
According to Kaspersky research, cross-platform targets are a prime attack vector for ransomware groups, which seek to damage as many operating systems as possible by adapting their malicious code. These ransomware groups, such as Luna or BlackCat, typically used the cross-platform languages Rust or Golang.
Now, ransomware groups deploy malware that is not written in a cross-platform language, but can still target multiple operating systems simultaneously.
RedAlert and Monster hit different operating systems
RedAlert uses malware written in plain C, as detected in the Linux sample, Kaspersky found. RedAlert is different from other ransomware groups in that it only accepts payments in Monero cryptocurrency, which makes the money harder to trace. Kaspersky, which offers an MSP partner program, notes that Monero is not accepted in all countries and by all exchanges, so victims might find it difficult to pay the ransom.
Detected in July 2022, the Monster ransomware group uses Delphi, a general-purpose programming language, to write its malware and target various operating systems, Kaspersky reports. Interestingly, the malware includes a graphical user interface (GUI), a component that has never been implemented by ransomware groups before.
Additionally, cyber criminals have executed ransomware attacks through the command line in an automated manner. Monster ransomware authors included the GUI as an optional command-line parameter, according to the sample extracted by Kaspersky experts.
Jornt van der Wiel, Senior Security Researcher for Kaspersky’s Global Research and Analytics Team, offered his perspective on the current state of ransomware attacks:
“We are quite familiar with ransomware groups that deploy malware written in a cross-platform language. However, these days, cybercriminals have learned to adjust their malicious code written in simple programming languages for joint attacks, forcing security specialists to devise ways to detect and prevent ransomware attempts. We also draw attention to the importance of continuously reviewing and updating companies’ patch policies.”
US and UK authorities issue warning to MSPs
CISA, the FBI, and UK authorities have repeatedly warned MSPs of incoming ransomware attacks.
The latest joint warning, released in May 2022, included 12 tips to help MSPs reduce the risk of a ransomware attack. Separately, Microsoft issued a ransomware warning to small businesses and their IT service providers in July 2022.
To learn more about the RedAlert and Monster ransomware groups as well as one-day exploits, see Kaspersky’s full report on Securelist.