New File-Locking Malware With No Known Decryptor FoundDSCI: Ransomware Alkhal Likely Spread Via Phishing, Malicious URLs
Nonprofit data protection industry body Data Security Council of India - or DSCI - has issued an advisory on a file-encrypting virus that is likely spread via spam emails, phishing and malicious URLs.
The ransomware, dubbed Alkhal, was likely discovered on Oct. 1 by security firms Malwarebytes and Cyclonis, which published analysis and mitigation advice on their respective websites.
Alkhal, according to the DSCI advisory, locks files in the affected systems and creates two ransom notes - ReadMe.txt and ReadMe.bmp - that, according to the advisory, are "identical in nature." The infection, it says, occurs through peer-to-peer networks and third-party downloaders.
The organization did not share details on the origin of the ransomware, the threat actor(s) behind it or likely targets. It did not respond to Information Security Media Group's request for additional information.
Cybersecurity experts from Cyclonis say that the file-encrypting Trojan adds a suffix '.alkhak' to all locked files and sets up a file 'Recovery.bmp' that shows up as a wallpaper on the victim's desktop, with instructions to pay the ransom.
Researchers at cybersecurity firm EnigmaSoft say that Alkhal uses a strong encryption algorithm to lock the files stored on the compromised system. Unlike most ransomware, Alkhal does not modify the names of encrypted files, they add.
According to Malwarebytes' security guide, the Alkhal operators, who accept ransom payments in bitcoin, determine the amount based on the version of the ransomware deployed.
EnigmaSoft, sharing what it says is a ransom note from Alkhal, shows that the ransom amount also depends on how quickly the victims contact the threat actors. "Every day's delay will cost you extra BTC," the ransom note says.
There are also no tools to restore files encrypted by the "server-side" ransomware, which means that the decryption key can only be obtained from the ransomware operators, according to Malwarebytes. Any attempt to decrypt files encrypted by Alkhal ransomware could permanently delete them, it adds.
The ransom note on EnigmaSoft's post also shows that Alkhal operators instruct their victims to email them two non-archived, encrypted files as attachments, not exceeding 5MB each. The attackers claim that they will send to the victims decrypted samples of the data and instructions on how to obtain the decoder.
The victims, the ransom note says, will also receive information on the vulnerability exploited to access the company's data and instructions on how to patch it. The attackers also claim to recommend "special software that makes the most problems to hackers".
If the victim does not respond to the demands within two weeks, the ransomware group threatens to permanently delete the decryption key.
Prevention and Mitigation
DSCI recommends standard cyber hygiene practices - such as using official websites and direct download links, having regular backups and storing them offline, not opening suspicious emails with attachments, and using an antivirus on all devices - to prevent Alkhal attacks.
Cyclonis researchers advise against negotiating with Alkhal ransomware operators as it cannot be relied on to keep its word. Instead, the researchers recommend using anti-malware applications to eliminate the ransomware and third-party recovery utilities to restore the data.