November 29, 2023 at 01:06AM
A new ransomware called Xaro, derived from the DJVU/STOP strain, has been spreading through disguised cracked software. It encrypts files and steals information, demanding $980 in ransom. The malware also installs additional payloads like stealer and loader programs, aiming for double extortion and increased attack success rates. Cybersecurity experts warn against downloading freeware from unreliable sources due to these risks.
Meeting Takeaways:
1. Ransomware Threat Identified: A new variant of the DJVU ransomware strain, named Xaro, has been observed being distributed through cracked software.
2. Attack Pattern and Behavior: The DJVU variant adds a .xaro extension to encrypted files and demands a ransom for a decryption tool. The Xaro attacks include additional payloads of malware, particularly information stealers.
3. Distribution Method: Xaro is spread via a fake archive file from a questionable source, often presented as legitimate freeware. The example provided is a malicious installer for CutePDF that is actually PrivateLoader malware.
4. Additional Malware Risks: PrivateLoader reaches out to a command-and-control server to download a variety of malware, including RedLine Stealer, Vidar, and others, which are part of the attack strategy seen in these infections.
5. Double Extortion Technique: The attackers aim to gather sensitive data for double extortion purposes, meaning they both encrypt the victim’s files and steal data to coerce payment.
6. Ransom Details: The ransom note specifies $980 for the decryptor and private key, with a 50% discount ($490) if contacted within 72 hours of the attack.
7. Security Advisory: The incidents emphasize the dangers of downloading freeware from unofficial or suspicious sources and highlight the need for increased awareness and defense strategies in enterprise networks against such attacks.
8. Recommendations: Enterprises are advised to understand the speed and reach of such malware infections to better protect themselves and their data from the risks associated with downloading untrusted software.
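The behaviour in takeaway 2 (encrypted files receive an appended .xaro extension) gives incident responders a simple triage signal. The script below is an added example and is not code from the article or from any vendor it cites: it walks a directory tree, collects files carrying the .xaro extension, recovers the original file names and extensions, and flags the scan when the count reaches a threshold that suggests mass encryption rather than a stray file. The five-file threshold and the sample directory tree are assumptions constructed for the demonstration; the ransom-note file name is not given in the summary, so the script does not look for one.

```python
import os
import tempfile
from collections import Counter

# Extension the summary reports Xaro appending to encrypted files.
XARO_EXT = ".xaro"


def find_xaro_files(root):
    """Walk root and return sorted paths whose name ends with .xaro (case-insensitive)."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(XARO_EXT):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def original_name(path):
    """Strip the appended .xaro so 'budget.xlsx.xaro' becomes 'budget.xlsx'."""
    base = os.path.basename(path)
    if base.lower().endswith(XARO_EXT):
        return base[: -len(XARO_EXT)]
    return base


def summarize(hits, threshold=5):
    """Group hits by directory and by original extension; flag the scan at threshold.

    The threshold is an assumption for this example: a handful of .xaro files in
    several directories is far more consistent with mass encryption than one file.
    """
    per_dir = Counter(os.path.dirname(p) for p in hits)
    per_ext = Counter(os.path.splitext(original_name(p))[1].lower() for p in hits)
    return {
        "total": len(hits),
        "directories": dict(per_dir),
        "original_extensions": dict(per_ext),
        "suspicious": len(hits) >= threshold,
    }


def build_sample_tree():
    """Constructed sample: a temp tree mixing 'encrypted' and untouched files."""
    root = tempfile.mkdtemp(prefix="xaro_demo_")
    docs = os.path.join(root, "Documents")
    pics = os.path.join(root, "Pictures")
    os.makedirs(docs)
    os.makedirs(pics)
    for name in ["budget.xlsx.xaro", "notes.docx.xaro", "plan.pdf.xaro", "README.txt"]:
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(b"\x00" * 16)  # placeholder bytes, not real ciphertext
    for name in ["holiday.jpg.xaro", "cat.png.xaro", "icon.ico"]:
        with open(os.path.join(pics, name), "wb") as fh:
            fh.write(b"\x00" * 16)
    return root


def run_demo():
    """Scan the constructed tree and return the triage summary."""
    root = build_sample_tree()
    return summarize(find_xaro_files(root))


if __name__ == "__main__":
    report = run_demo()
    print(f"{report['total']} .xaro files found; suspicious={report['suspicious']}")
    for directory, count in report["directories"].items():
        print(f"  {count:3d} in {directory}")
    print("original extensions:", report["original_extensions"])
```

On a real host the scan would be pointed at user profile and share roots; the original-extension breakdown helps an analyst estimate what data was affected, and the per-directory counts show how far the encryption spread before it was stopped.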