What you need to know about Fake Ransomware in 2022

What Is “Fake Ransomware”?

The term “fake ransomware” might conjure up some feelings of relief. After all, if the ransomware is fake, then it must not have encrypted anything, right? In practice, the term has been used for a few different departures from a “true” ransomware attack. Firstly, it has described malware that does not encrypt files at all, but tries to trick the victim into believing their files are encrypted while demanding a payment to recover them. Secondly, it has been applied to malware that really does encrypt or otherwise destroy your files, but offers no working decryption even if the ransom is paid. This is much more nefarious and destructive than the first type; a real sucker punch. And most recently, the term has been used for a case in which a company deployed ransomware against itself to cover up fraudulent financial activity.

Where Has Fake Ransomware Been Observed?

The first mention of fake ransomware I could dig up dates back to mid-2016 and describes a type of malware that claims to have encrypted your files, when in fact they have only been renamed or had a file extension appended, so that your OS no longer recognizes their type and cannot easily open them.

Since this mention of fake ransomware dates back to the early days of the ransomware wave that has since become an epidemic, it’s possible that less technically savvy malware developers were simply trying to cash in on the early ransomware scare. Perhaps they didn’t have the skill set to build software that can reliably import encryption keys and encrypt documents. However, we now know that more capable threat actors have since entered the scene and developed ransomware strains that continue to elude threat hunters and top security companies into 2022.
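The renaming trick described above is easy to test for before anyone panics. The following is an added example (my own code, not from any of the reports cited on this page) that inspects the first few kilobytes of a file carrying a ransom extension: if a known document magic number is still present, the file was only renamed; otherwise a byte entropy near 8 bits/byte suggests real encryption or overwriting. The magic list, the entropy thresholds and the `.locked` sample files are my own assumptions, constructed for the demo.

```python
"""Triage files that carry a ransom extension: were they encrypted, or just renamed?

Heuristic: read the first few KiB of each file. If a known magic number is still
present, the content is intact and the file was merely renamed. Otherwise fall
back on byte entropy: ciphertext and randomly overwritten data sit near 8 bits
per byte, ordinary documents well below that.
"""
import math
import os
import tempfile
from collections import Counter

# Leading magic bytes for a handful of common document types (constructed,
# deliberately short list; extend it for your environment).
MAGIC = {
    b"%PDF": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"PK\x03\x04": "zip/ooxml (docx, xlsx, pptx)",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2 (doc, xls, ppt)",
}

# Thresholds are heuristics (my assumption), not facts from the post.
HIGH_ENTROPY = 7.5   # bits per byte; random or encrypted data is ~7.9-8.0
LOW_ENTROPY = 6.0    # plain text and most uncompressed documents sit below this


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def identify_magic(head: bytes):
    """Return the type name whose magic bytes prefix `head`, or None."""
    for sig, name in MAGIC.items():
        if head.startswith(sig):
            return name
    return None


def triage_bytes(name: str, head: bytes) -> dict:
    """Classify a file from its name and its leading bytes."""
    kind = identify_magic(head)
    ent = shannon_entropy(head)
    if kind is not None:
        verdict = "renamed_only"            # header intact: data was never encrypted
    elif ent >= HIGH_ENTROPY:
        verdict = "likely_encrypted"        # or overwritten with random bytes
    elif ent <= LOW_ENTROPY:
        verdict = "plaintext_unknown_type"  # readable data, type not in MAGIC
    else:
        verdict = "inconclusive"
    return {"name": name, "magic": kind, "entropy": round(ent, 2), "verdict": verdict}


def triage_file(path: str, sample_size: int = 4096) -> dict:
    """Triage a file on disk by reading only its first `sample_size` bytes."""
    with open(path, "rb") as f:
        return triage_bytes(os.path.basename(path), f.read(sample_size))


def demo() -> list:
    """Write constructed samples with a fake '.locked' extension and triage them."""
    samples = {
        "report.pdf.locked": b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n" * 40,
        "notes.txt.locked": b"Quarterly notes: revenue up, costs flat.\n" * 100,
        "budget.xlsx.locked": bytes(range(256)) * 16,   # stands in for ciphertext
    }
    results = []
    with tempfile.TemporaryDirectory() as d:
        for fname, content in samples.items():
            path = os.path.join(d, fname)
            with open(path, "wb") as f:
                f.write(content)
            results.append(triage_file(path))
    return results


if __name__ == "__main__":
    for r in demo():
        print(f"{r['name']:<22} {r['verdict']:<24} entropy={r['entropy']} magic={r['magic']}")
```

Run it as a script to see the three verdicts, or point `triage_file` at a directory of suspect files. A `renamed_only` verdict means the original content is still there and can be recovered by stripping the added extension; `likely_encrypted` means you are in backup territory.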

Two Main Types of “Fake Ransomware”

The two other main threads of discussion about fake ransomware are, firstly, a campaign against WordPress sites that uses a malicious plugin to display a landing page telling visitors that the site’s files have been encrypted and demanding payment, and secondly, a 2022 campaign against Ukrainian critical infrastructure that really does damage files, but offers no way to recover them once the ransom is paid.

The WordPress Version

In late 2021 Threatpost published an article about a form of fake ransomware affecting WordPress installations. The malware replaces an infected site’s landing page with a message demanding 0.1 Bitcoin (roughly $6,000 USD at the time) to restore the website’s files. However, the malware didn’t actually encrypt or delete any files on the web server, and the infection is easily remediated by removing the malicious plugin and making a quick fix to the database: post data was not deleted, only marked as unpublished. The WordPress security company Sucuri has a blog post with instructions for remediating this infection.

The Version Targeting Ukraine

BleepingComputer published an article in January 2022 describing a strain of malware that overwrites a Windows system’s master boot record (MBR) to prevent the OS from loading, while simultaneously destroying files whose extensions appear on a list of roughly 200 document types.

Microsoft has so far stated that this destructive malware cannot be directly linked to any known APT group, and has assigned the tracking name DEV-0586 to the actor responsible for the attacks. The attacks are part of a broader campaign thought to be a Russian attempt to disrupt the Ukrainian government and businesses. The series of attacks resulted in the successful take-down of 15 Ukrainian public institutions and government agencies.

The malware operates in three stages: first it overwrites the MBR so that the system boots to a ransom notice instead of the installed operating system; second, it downloads a file with a .jpg extension that actually contains executable code; and finally it executes the payload hidden in the fake image file to destroy data on the system. Because the data is overwritten rather than held behind a key, the ransom notice is a decoy, and paying cannot bring anything back.

Here are the VirusTotal entries for the indicators of compromise (IOCs) related to this strain of fake ransomware:

IOCs

Stage1.exe:
a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92 [VirusTotal]

Stage2.exe:
dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78 [VirusTotal]

Tbopbh.jpg (third stage):
923eb77b3c9e11d6c56052318c119c1a22d11ab71675e6b95d05eeb73d1accd6 [VirusTotal]
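To make the IOC list actionable, here is an added example (my own code, not part of the BleepingComputer or Microsoft write-ups) that sweeps a directory tree for the three SHA-256 hashes above and for the trick described in the previous section: a file with an image extension whose content starts with the MZ header of a Windows executable. The extension/magic check is a general heuristic; a payload that is encoded or otherwise obfuscated on disk will only be caught by the hash match, and the hashes catch only these exact samples. The `demo()` files are constructed stand-ins, not malware.

```python
"""Sweep a directory tree for the WhisperGate-style indicators listed above.

Two checks per file:
  1. SHA-256 against the three hashes from the IOC section of this post.
  2. Content/extension mismatch: a file named like an image whose first bytes
     are the 'MZ' header of a Windows executable.
"""
import hashlib
import os
import tempfile

# SHA-256 values copied from the IOC section of this post.
IOC_SHA256 = {
    "a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92": "Stage1.exe",
    "dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78": "Stage2.exe",
    "923eb77b3c9e11d6c56052318c119c1a22d11ab71675e6b95d05eeb73d1accd6": "Tbopbh.jpg (stage 3)",
}

IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file so large binaries are not loaded into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def inspect(name: str, head: bytes, digest: str) -> list:
    """Return human-readable findings for one file; an empty list means nothing noted."""
    findings = []
    label = IOC_SHA256.get(digest.lower())
    if label:
        findings.append(f"SHA-256 matches known IOC: {label}")
    ext = os.path.splitext(name)[1].lower()
    if ext in IMAGE_EXTENSIONS and head[:2] == b"MZ":
        findings.append("image extension but content starts with a PE 'MZ' header")
    return findings


def sweep(root: str) -> dict:
    """Walk `root`; map each suspicious path to its list of findings."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "rb") as f:
                    head = f.read(2)
                findings = inspect(fname, head, sha256_file(path))
            except OSError:
                continue   # unreadable file: skip it rather than abort the sweep
            if findings:
                hits[path] = findings
    return hits


def demo() -> dict:
    """Build a constructed tree (no real malware) and return findings by basename."""
    # 'MZ' plus padding: looks like a PE header to the check, but is NOT an executable.
    fake_image = b"MZ\x90\x00" + b"\x00" * 60
    # A genuine-looking JPEG/JFIF header, which should produce no findings.
    real_jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "Temp"))
        with open(os.path.join(d, "Temp", "photo.jpg"), "wb") as f:
            f.write(fake_image)
        with open(os.path.join(d, "holiday.jpg"), "wb") as f:
            f.write(real_jpeg)
        return {os.path.basename(p): v for p, v in sweep(d).items()}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", "; ".join(findings))
```

Point `sweep()` at a user’s profile or temp directories on a suspect host. A hash hit ties the file to one of the samples above; a mismatch finding on its own only says the file deserves a closer look.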

Conclusion

So, the term “fake ransomware” certainly doesn’t provide any comfort in itself. Deeper analysis of an attack may reveal that it is less severe than it first appears and that your data can easily be recovered; on the other hand, it may reveal that your files are hopelessly corrupted and that your backups are all you have left.

At this point in the game, it should be obvious to any cyber-security architect that a solid, tested backup strategy (with copies kept out of reach of the same malware) is the best defence against a successful ransomware attack, both because the ransoms demanded by cyber-gangs are very high, and because there is no honour among thieves: data restoration is far from certain even when the ransom is paid.
