Ransomware skyrocketed from obscurity to infamy in no time flat. Headline-grabbing campaigns like WannaCry, Petya and NotPetya preceded a substantial increase in the number of small attacks using similar techniques to extort unwary internet users. Now, researchers at Palo Alto Networks have revealed new malware that carries on NotPetya's legacy while combining various types of threats into a single package.
The researchers, who publish as Unit 42, named the new malware Xbash. It combines a botnet, ransomware and cryptocurrency-mining software in a single self-propagating worm and targets servers running Linux or Windows. Unit 42 attributes Xbash to the Iron Group, a threat actor previously linked to other ransomware attacks, and believes it was first used in May 2018.
A quick refresher on ransomware: it is malware that encrypts the files on a victim's system and demands payment for their restoration. The fee is usually demanded in Bitcoin, which is harder to trace than a traditional bank transfer, and the premise is that paying will prompt the attackers to hand over the key needed to decrypt the files. If that happens, access to those files should be restored.
The problem is that it doesn't always happen. Unit 42 found that Xbash, much like NotPetya, contains no code for restoring data at all. It still demands a ransom, and 48 payments totalling roughly $6,000 in Bitcoin had reached the attackers' wallet at the time of the report, but paying gets the victim nothing back. Worse, the Linux component does not even encrypt: it deletes the databases it finds (MySQL, PostgreSQL and MongoDB) and leaves a ransom note behind, so the ransom demand amounts to a red herring that disguises the real effect, the destruction of the victim's data.
Unit 42 said Xbash behaves differently depending on the operating system it lands on. Linux hosts get the data-destroying "ransomware" component and are enrolled in the botnet; Windows hosts are used for cryptocurrency mining and for self-propagation. Targeting both lets the operators (likely the Iron Group) extract value from, or do damage to, whatever server they manage to compromise.
Xbash also has a feature that allows it to examine and potentially compromise an organization's intranet. This feature isn't currently enabled, but Unit 42 warned that if it is activated, "this intranet functionality could make Xbash even more devastating" than it is now. Internal networks often feature less security than external ones; compromising those networks could allow Xbash to interfere with an organization's vital services.
Unit 42 has discovered four versions of Xbash so far, and the researchers said that "code and timestamp differences among these versions show that it’s still under active development." That development could be used to introduce new functionality, enable the intranet-targeting feature already present in the malware, or help Xbash better evade detection. Active development means the malware's threat is constantly evolving.
The best defence against Xbash and its kind is the usual one: keep regular, tested backups that an attacker on the host cannot reach; patch internet-facing services and give them strong, unique passwords, since Xbash spreads by brute-forcing weak credentials and exploiting known, already-patched vulnerabilities in server software; and never pay the ransom. Despite its name, ransomware is fast becoming something more akin to 'extortionware', and handing Bitcoin to a gang that cannot restore your data only funds the next campaign.