An old foe and one of the first ransomware strains is still around and making new victims, but this malware is keeping up with the times and has added a cryptocurrency-mining component that it deploys on carefully selected computers.
Named Rakhni, this ransomware has been around since 2013 and hasn't quite stopped, but merely kept a low profile.
Now, security experts from Kaspersky Lab are reporting about spotting a new Rakhni version that has received an update which allows it to scan a user's computer before infecting it and decide if to deploy the ransomware per-se or download and run a coinminer module from a remote server.
The criteria behind the selection process is simple —if Rakhni finds a folder named Bitcoin on the PC, it runs the ransomware module. The reasoning is unclear, but it may have to do with the ransomware attempting to encrypt a user's wallet private keys and prevent the user from accessing his Bitcoin funds. Another reasoning is that by finding a Bitcoin folder, the Rakhni authors may believe the user is an owner of cryptocurrency funds and the user may not have problems obtaining the funds to pay the ransom after his files are encrypted.
We won't know what the Rakhni authors were thinking when they coded this behavior, but we know that if the ransomware doesn't find folders containing the string Bitcoin, it will retrieve a cryptocurrency mining application from a remote server and install it on the victim's computer, if it deems the computer is powerful enough to handle intense coin-mining operations.
According to Kaspersky experts, this coinminer module will mine cryptocurrencies such as Monero, Monero Original, or Dashcoin.
Right now, this new Rakhni version is distributed via spam emails. Experts say they've seen most new Rakhni infections taking root in countries such as Russia, Kazakhstan, Ukraine, Germany, and India, suggesting some geo-targeting has been used, at least for the spam delivery system.
The spam emails from Rakhni's authors contain malicious file attachments in the form of Word DOCX documents. Opening the DOCX file opens a contained PDF document that in turns tries to run an EXE file. Users should be safe, as long as they don't enable macros (Enable Editing button) in the first DOCX file.
For the technically astute readers looking for a breakdown of the Rakhni binary and its associated IOCs, a Kaspersky Lab technical analysis is available on the company's Securelist blog.