- Check Point has observed ransomware being re-used
- Yurei ransomware has targeted a Sri Lankan food manufacturing firm
- Open-source ransomware lowers the barrier for criminals
A new study by Check Point research has revealed that cybercriminals are sharing their tactics by using open-source ransomware models, which is ‘enabling even less-skilled threat actors to launch ransomware operations.’
By observing one particular cyberattack which targeted a Sri Lankan food manufacturing firm, the researchers were able to identify the new ransomware group, Yurei, only made very slight modifications to an existing tool in the Prince-Ransomware strain.
The attack is a ‘double ransomware’ model, in which the victim’s files are encrypted, sensitive data is exfiltrated, followed by the demand for a ransom to both decrypt the information, and also to refrain from posting the data on dark web sites or selling it to the highest bidder.
Yurei ransomware
The ransomware group, named Yurei after a Japanese ghost tale, has utilized an existing open-source ransomware project. Open-source projects enable lower-skilled threat actors to enter the ransomware space with ease.
But, by re-using Prince-Ransomware’s code base, Yurei inherited all of the same flaws, the research says, including the ‘the failure to remove Volume Shadow Copies’ and the ‘oversight enables partial recovery in environments where VSS is enabled.’
“While open-source malware is a threat, it also gives defenders opportunities to detect and mitigate these variations. However, Yurei succeeded in running their operation on several victims, which shows that even low-effort operations can still lead to success,” the study concludes.
The barriers are lowered both in terms of skill and effort, which is only compounded by the huge increase in the use of AI. Only 20% of ransomware is not powered by AI – and it’s used in CAPTCHA bypass, password cracking, code generation, and even to build sophisticated social engineering attacks.
