Content, Content

Ransomware Groups Can Adapt Malware Code to Different Operating Systems Simultaneously, Kaspersky Research Finds

New ransomware gangs have adapted their malware to different computer operating systems, potentially causing even more damage to organizations, reports cybersecurity company Kaspersky.

Kaspersky researchers reveal that the RedAlert and Monster cyberattack groups have struck different operating systems without resorting to multiplatform languages. Kaspersky notes the discovery of “one-day exploits that may be executed by ransomware groups in order to achieve their financial ambitions.”

Cross-platform targets are a favored attack vector of ransomware groups, seeking to damage as many operating systems as possible by adapting their malware code, according to Kaspersky’s research. These ransomware groups have typically used Rust or Golang multiplatform languages such as Luna or BlackCat.

Now, the ransomware groups deploy malware that is not written in a cross-platform language but can still target various operating systems simultaneously.

RedAlert and Monster Jam Operating Systems

RedAlert employs malware written in plain C, as it was detected in Linux sample, Kaspersky found. RedAlert is different from other ransomware groups in that it only accepts payments in Monero cryptocurrency, making the money harder to trace. Kaspersky, which offers an MSP partnership program, notes that Monero is not accepted in every country and by every exchange, so victims might face a problem with paying off the ransom.

Detected in July 2022, the Monster ransomware group applies Delphi, a general-purpose programming language, to write their malware and exploit various operating systems, Kaspersky reports. Interestingly, the attack applies a graphical user interface (GUI), a component that has never been implemented by ransomware groups before.

Moreover, cybercriminals executed ransomware attacks through the command line in an automated way. The Monster ransomware authors included the GUI as an optional command line parameter, according to the sample Kaspersky experts extracted.

Jornt van der Wiel, senior security researcher for Kaspersky’s Global Research and Analysis Team, offered his take on the current state of ransomware attacks:

“We’ve got quite used to the ransomware groups deploying malware written in cross-platform language. However, these days, cybercriminals learned to adjust their malicious code written in plain programming languages for joint attacks, making security specialists elaborate on ways to detect and prevent the ransomware attempts. We also draw attention to the importance of constant reviewing and updating patch policies that are applied by companies.”

U.S. and U.K. Officials Issue Warning to MSPs

The CISA, FBI and U.K. authorities have repeatedly warned MSPs about inbound ransomware attacks.

The latest joint warning, issued in May 2022, included 12 tips to help MSPs reduce ransomware cyberattack threat risks. Separately, Microsoft issued a ransomware cyberattack warning to small businesses and their IT service providers in July 2022.

To learn more about RedAlert and Monster ransomware groups as well as one-day exploits, check out Kaspersky’s full report on Securelist.

Jim Masters

Jim Masters is Managing Editor of MSSP Alert, and holds a B.A. degree in Journalism from Northern Illinois University. His career has spanned governmental and investigative reporting for daily newspapers in the Northwest Indiana Region and 16 years in a global internal communications role for a Fortune 500 professional services company. Additionally, he is co-owner of the Lake County Corn Dogs minor league baseball franchise, located in Crown Point, Indiana. In his spare time, he enjoys writing and recording his own music, oil painting, biking, volleyball, golf and cheering on the Corn Dogs.