A newly spotted piece of hybrid malware steals copies of victims' files and then encrypts said data, demanding a ransom to unscramble it.
The software nasty, bestowed the moniker Vidar earlier this month, combines the GandCrab ransomware with parts of the Arkei data-harvesting trojan to create a two-pronged attack that, on infected Windows PCs, first copies documents to outside servers, then locks away that personal information with a ransom demand.
According to Malwarebytes researcher Jerome Segura, the infection has been spreading in the wild via malicious advertising being piped into torrent and video streaming sites. The poisoned ads redirect users to a server hosting two exploit kits, Fallout EK and GrandSoft EK, which try to worm their way onto the target's computer.
Should the exploit kit succeed in breaking in, it launches the data-stealing component of the infection. Segura said that the data-slurper, which looks to lift things like payment card numbers, site passwords, and cryptocoin wallets, is easy to mistake for the Arkei malware.
"Upon closer look, while the sample did share a lot of similarities with Arkei (including network events), it was actually a newer and, at the time, not yet publicly described piece of malware now identified as Vidar," Segura explained.
After looking to scrape whatever valuable data it can find from the victim's machine, the Vidar infection then dials up a control server and launches its second phase: the Gandcrab ransomware.
He's not cracked RSA-1024 encryption, he's a very naughty Belarusian ransomware middlemanREAD MORE
If the Vidar infection has been set up to give out the ransomware, the victim's machine will then be locked off and the wallpaper changed to a notification on how to pay in order to get the files unencrypted.
Segura's says the entire process, from loading up the malicious add to stealing the data and encrypting all of the victim's files, takes roughly one minute to complete. The researcher suspects that, in this case, Vidar is using the ransomware as cover for its data-harvesting components.
The idea is that the victim will be so concerned with cleaning up the Gandcrab malware infection that they won't notice the malware was also lifting their passwords, payment card numbers, and unique system configuration information.
"Threat actors can use ransomware for a variety of reasons within their playbook. It could be, for instance, a simple decoy where the real goal is to irreversibly corrupt systems without any way to recover lost data," Segura said.
"But as we see here, it can be coupled with other threats and used as a last payload when other resources have already been exhausted." ®