Monero Ransomware: New Trend or Test for Delivery Mechanism?

Delaware, USA – January 24, 2018 – The popularity of bitcoin among cybercriminals continues to fall: forensic firm Chainalysis says that the use of bitcoin on the DarkNet fell from 30% to 1%. More and more adversaries are switching to other cryptocurrencies to make it more challenging to track them. Researchers from Fortinet discovered an unusual version of ransomware, which demands payment in Monero and has some additional functionality. The malware is spread through forums under the guise of advertising a fake cryptocurrency, SpriteCoin. If the victim downloads and executes the malicious file, Monero Ransomware steals their Firefox and Chrome credentials and also encrypts files. Its command and control server is hidden in the Tor network, and communication with it goes through the proxy hxxp://jmqapf3nflatei35[.]Onion.lnk/*. If the victim pays the ransom, Monero Ransomware installs a backdoor with extensive functionality on the infected system.

Attackers demand a relatively small ransom payment of 0.3 Monero. Perhaps such a low sum is tied to the subsequent installation of the backdoor, and for now the attackers are only testing this method of delivering malware into corporate networks. Research last year showed that 59% of employees paid a ransom to decrypt data.

The Ransomware Hunter use case will alert SIEM administrators about threats related to data encryption and identify the most vulnerable assets. Also, you can use DetectTor to monitor connections to the Tor network in your organization and the activity of various malware families that rely on it.
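As an added illustration of the kind of check DetectTor automates (this is example code written for this post, not DetectTor or Fortinet code), the script below scans constructed web-proxy log lines for hosts that look like Tor2web-style gateways (a 16-character onion address followed by `.onion.<tld>`) and for the proxy hostname named above, taken from the article as written. The log format, the sample lines and the verdict labels are assumptions.

```python
import re

# Constructed sample proxy log lines (not from the article): "timestamp src_ip host path"
SAMPLE_LOG = """\
2018-01-24T10:01:02Z 10.0.0.5 www.example.com /index.html
2018-01-24T10:01:07Z 10.0.0.5 jmqapf3nflatei35.onion.lnk /gate.php
2018-01-24T10:02:11Z 10.0.0.9 updates.example.org /patch.bin
2018-01-24T10:03:30Z 10.0.0.7 abcdefghijklmnop.onion.to /
"""

# A v2 onion address is 16 base32 characters; Tor2web-style gateways expose it
# on the clearnet as <address>.onion.<gateway-tld>
ONION_GATEWAY_RE = re.compile(r"^(?P<onion>[a-z2-7]{16})\.onion\.[a-z]+$", re.IGNORECASE)

# Indicator from the article (defanged there as hxxp://jmqapf3nflatei35[.]Onion.lnk)
KNOWN_C2_HOSTS = {"jmqapf3nflatei35.onion.lnk"}


def classify_host(host):
    """Return 'known_c2', 'onion_gateway' or None for a proxy-log hostname."""
    h = host.lower()
    if h in KNOWN_C2_HOSTS:
        return "known_c2"
    if ONION_GATEWAY_RE.match(h):
        return "onion_gateway"
    return None


def scan_proxy_log(text):
    """Return (src_ip, host, verdict) for every line that reaches a Tor gateway."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines instead of aborting the scan
        _ts, src_ip, host, _path = parts[:4]
        verdict = classify_host(host)
        if verdict:
            hits.append((src_ip, host, verdict))
    return hits


if __name__ == "__main__":
    for src, host, verdict in scan_proxy_log(SAMPLE_LOG):
        print(f"{verdict:14} {src:12} {host}")
```

A hit on `onion_gateway` is a lead to triage rather than proof of compromise; a hit on a known C2 host warrants isolating the source and checking it for credential theft and encryption activity.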