Which is worse: getting hit with crypto mining malware or falling prey to ransomware? with the new version of a relatively older trojan named Rakhni, you don’t have to wonder — because it delivers both. The exploit, which was first discovered in 2013, has gotten a fair number of technical enhancements over its long journey. It started out as an early entry in the world of money-sucking ransomware variants and while Rakhni has been laying pretty low for the last five years, now it’s back.
Back and better than ever?
A new version of the variant has been spotted not only dishing out file-encrypting ransomware, but it also has a coin mining aspect as well. The interesting thing about Rakhni is that it’s set up to deliver ransomware to some of its victims and the other, just as an unlucky portion will be blessed with crypto-mining malware. It’s almost as if the creators couldn’t decide what if they wanted to be in the malicious crypto mining business or in the ransomware-o-sphere, so they decided to pursue both options.
A typical infection scenario goes like this:
You get a phishing email that contains a malicious word DOCX file attachment, supposedly containing important financial information. If you open the attachment (which by now, we really really hope you won’t), it will try to run an EXE file and will ask you to enable macros. If for some reason you do allow the macros to be enabled (again, something you should never do), the malicious code will scan your computer and one of two things will happen; if it sees a file called “Bitcoin”, which would imply that you have a Bitcoin wallet already and understand how to obtain cryptocurrency, it will begin to run as a ransomware. When this happens, a ransom note pops up, informing you that if you try to use a decryptor, your files will be corrupted.
(In a positive twist of fate, there actually are decryptors than are able to undo the encryption. Clearly, Rakhni’s developers don’t want you to know that part, again illustrating that perhaps these guys aren’t the sharpest malware creators in the box, if you know what we mean.)
If it doesn’t see any file with that name, it will begin to run the crypto mining module. It typically mines Monero, Monero Original, and Dashcoin, all of which are less resource heavy in terms of mining than Bitcoins and are far more privacy-minded than Bitcoin in terms of traceability.
Rakhni and it’s odd ways It’s anybody’s guess as to why the developers would choose to infect those more knowledgeable about cryptocurrencies with ransomware while infecting everyone else with mining malware. The prevelent theory is that someone with a Bitcoin wallet will have an easier time getting the Dash/Monero/Monero Original needed to pay the unlock fee than would someone with less cryptocurrency acumen. To us, that seems a bit far fetched, as cryptocurrency users tend to be more internet-savvy than the general population. Part and parcel of this savviness are having better than average security habits, like having multiple backups, which makes them less likely to pay up.
Moreover, as we have mentioned elsewhere, malicious crypto-mining is dethroning ransomware as the king of the malware baddies. It takes the same amount of effort to execute both crypto mining exploits and ransomware exploits and both can rake in lots of money. The distinct advantage of crypto mining is that it’s so subtle that owners of infected devices rarely know they have been compromised. In this light, it’s easy to see why most malicious-minded devs out there today are putting their efforts into crypto mining over ransomware ploys. Again, in another demonstration of their apparent lack of forethought, Rakhni’s developers leave us scratching our heads and asking why.
For now, Rakhni is affecting users in Russia, Kazakhstan, India, and Ukraine so chances are you’re not going to get it. But it may spread and regardless, it’s wise to be familiar with trending malware tactics so you can stay one step ahead.
Further, Rakhni’s split personality disorder may just be a sign of things to come — malware creators are always trying to “up the bar”, finding new ways to burrow their way onto our devices. In the future, all malware may come with dual infection modalities, increasing the chances of successful infiltration. The good thing is that next-gen malware solutions are already defending their users on many levels at once and can easily handle anything that exploits like Rakhni can dish out. So while you needn’t worry about getting hit with this particular exploit, hopefully, you can take a lesson about what makes for effective planning — whatever these guys do, do the opposite.