Ransomware Groups Can Adapt Malware Code to Different Operating Systems Simultaneously, Kaspersky Research Finds
Newer ransomware gangs are adapting their malware to run on several operating systems, potentially widening the damage to victim organizations, cybersecurity company Kaspersky reports.
Kaspersky researchers reveal that the RedAlert and Monster cyberattack groups have struck different operating systems without resorting to multiplatform languages. Kaspersky notes the discovery of “one-day exploits that may be executed by ransomware groups in order to achieve their financial ambitions.”
Cross-platform targeting is a favored approach of ransomware groups, which seek to hit as many operating systems as possible by adapting their malware code, according to Kaspersky’s research. Until now these groups have typically relied on cross-platform languages such as Rust or Golang; the Luna and BlackCat ransomware families, for example, are written in Rust.
Now, the ransomware groups deploy malware that is not written in a cross-platform language but can still target various operating systems simultaneously.
RedAlert and Monster Jam Operating Systems
RedAlert employs malware written in plain C, as Kaspersky found in the Linux sample it analyzed. RedAlert differs from other ransomware groups in that it accepts payment only in the Monero cryptocurrency, which makes the money harder to trace. Kaspersky, which offers an MSP partnership program, notes that Monero is not accepted in every country or by every exchange, so victims who decide to pay may have trouble doing so.
Detected in July 2022, the Monster ransomware group uses Delphi, a general-purpose programming language, to write malware that targets various operating systems, Kaspersky reports. Notably, the malware includes a graphical user interface (GUI), a component Kaspersky says had never been implemented by ransomware groups before.
Ransomware is normally run from the command line in an automated way, and Monster is no exception: in the sample Kaspersky experts analyzed, the GUI is enabled only through an optional command-line parameter.
Jornt van der Wiel, senior security researcher for Kaspersky’s Global Research and Analysis Team, offered his take on the current state of ransomware attacks:
“We’ve got quite used to the ransomware groups deploying malware written in cross-platform language. However, these days, cybercriminals learned to adjust their malicious code written in plain programming languages for joint attacks, making security specialists elaborate on ways to detect and prevent the ransomware attempts. We also draw attention to the importance of constant reviewing and updating patch policies that are applied by companies.”
U.S. and U.K. Officials Issue Warning to MSPs
CISA, the FBI and U.K. authorities have repeatedly warned MSPs about ransomware attacks aimed at them and their customers.
The latest joint warning, issued in May 2022, included 12 tips to help MSPs reduce ransomware cyberattack threat risks. Separately, Microsoft issued a ransomware cyberattack warning to small businesses and their IT service providers in July 2022.
To learn more about RedAlert and Monster ransomware groups as well as one-day exploits, check out Kaspersky’s full report on Securelist.