A new and strange ransomware called AnteFrigus is now being distributed through malvertising that redirects users to the RIG exploit kit. Unlike other ransomware, AnteFrigus does not target the C: drive, but only other drives commonly associated with removable devices and mapped network drives.
The RIG exploit kit uses malicious scripts hosted on attacker-owned or compromised sites that exploit vulnerabilities in Internet Explorer. If these vulnerabilities can be exploited, it will then install a payload on the visitor’s machine without their knowledge.
In a new Hookads malvertising campaign discovered by exploit kit expert Mol69, the RIG exploit is now installing the AnteFrigus Ransomware on unsuspecting users.
Unusual behavior of the AnteFrigus Ransomware
When ransomware is executed on a computer, it will typically enumerate all of the drive letters on a computer and any accessible network shares. It will then attempt to encrypt files on these drives and shares if they have a certain file extension or if they are not part of a blacklist.
The AnteFrigus Ransomware, though, does things a bit differently.
When numerous researchers, including BleepingComputer, attempted to install AnteFrigus, we found that the ransomware was not encrypting anything other than USB drives or mapped network drives.
Due to its strange behavior, BleepingComputer contacted security researcher and reverse engineer Vitali Kremez and asked him to take a look.
It turns out that this ransomware only targets the D:, E:, F:, G:, H:, and I: drives. It does not encrypt any files located on the C: drive or unmapped network shares.
Furthermore, it will not encrypt any files that contain the following strings.
dll, adv, ani, big, bat, bin, cab, cmd, com, cpl, cur, deskthemepack, diagcab, diagcfg, diagpkg, drv, exe, hlp, icl, icns, ico, ics, idx, ldf, lnk, mod, mpa, msc, msp, msstyles, msu, nls, nomedia, ocx, prf, rom, rtp, scr, shs, spl, sys, theme, themepack, wpx, lock, key, hta, msi, pck
Not encrypting the C: drive is odd as it is common for users to save documents on their local drives, especially if they are home users or have home offices.
It’s possible that the ransomware is only targeting these specific drive letters as they may correspond to network shares where users commonly save their data in a business environment.
Kremez, though, does not think it’s being done as part of some sort of thought-out targeting methodology.
Based on the ransomware’s code, Kremez told BleepingComputer that it is most likely a bug, as the ransomware does not look particularly sophisticated to him.
“This malware does not look super sophisticated and contained a plethora of debugging symbols, source references, and test/debug location,” Kremez told BleepingComputer.
For this reason, Kremez feels that AnteFrigus is still in development or testing mode.
To distribute an in-development ransomware, though, would be foolish as the ransomware dev has to pay for RIG exploit kit installs and sacrifices potential victims to test the ransomware.
The AnteFrigus encryption process
Regardless of its reasons, the AnteFrigus ransomware will encrypt all files on the D:, E:, F:, G:, H:, and I: drives that do not contain the extensions listed in the previous section.
When encrypting a file, it will append a random character extension to encrypted files as shown below.
The ransomware will also create the C:\qweasdtest.txt file, which is most likely being used as a lock or debug file.
Finally, the ransomware will create ransom notes named [extension]-readme.txt in the C:\Instraction folder and on the desktop.
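For responders scoping an AnteFrigus incident, the drive letters, skipped extensions, lock file and ransom-note locations described above can be turned into a small triage helper. This is an added example, not code from the article or from the ransomware; it assumes the listed strings are matched as file extensions, and the sample file inventory is constructed.

```python
import ntpath

# Indicators reported for AnteFrigus: targeted drive letters, skipped extensions, lock file, note folder.
TARGET_DRIVES = {"D", "E", "F", "G", "H", "I"}
SKIPPED_EXTENSIONS = {
    "dll", "adv", "ani", "big", "bat", "bin", "cab", "cmd", "com", "cpl", "cur",
    "deskthemepack", "diagcab", "diagcfg", "diagpkg", "drv", "exe", "hlp", "icl",
    "icns", "ico", "ics", "idx", "ldf", "lnk", "mod", "mpa", "msc", "msp",
    "msstyles", "msu", "nls", "nomedia", "ocx", "prf", "rom", "rtp", "scr", "shs",
    "spl", "sys", "theme", "themepack", "wpx", "lock", "key", "hta", "msi", "pck",
}
LOCK_FILE = r"c:\qweasdtest.txt"
NOTE_DIR = r"c:\instraction"

def is_in_scope(path: str) -> bool:
    r"""True if a file sits on a drive AnteFrigus targets (D:-I:) and its extension is not skipped.
    Assumption: the reported strings are compared against the file extension."""
    drive, tail = ntpath.splitdrive(path)
    # UNC paths (\\server\share) have no drive letter, which matches the unmapped-share exclusion.
    if len(drive) != 2 or drive[0].upper() not in TARGET_DRIVES:
        return False
    ext = ntpath.splitext(tail)[1].lstrip(".").lower()
    return ext not in SKIPPED_EXTENSIONS

def is_ransom_note(path: str) -> bool:
    r"""Notes are named [extension]-readme.txt and dropped in C:\Instraction or on the desktop."""
    folder, name = ntpath.split(path.lower())
    if not name.endswith("-readme.txt") or name == "-readme.txt":
        return False
    return folder == NOTE_DIR or folder.endswith("\\desktop")

def triage(paths: list) -> dict:
    """Summarise host indicators and which inventoried files an infection could have reached."""
    return {
        "lock_file_present": any(p.lower() == LOCK_FILE for p in paths),
        "ransom_notes": [p for p in paths if is_ransom_note(p)],
        "in_scope_files": [p for p in paths if is_in_scope(p)],
    }

# Constructed sample inventory, as a responder might collect from a file listing.
SAMPLE_PATHS = [
    r"C:\qweasdtest.txt",
    r"C:\Instraction\a7qp-readme.txt",
    r"C:\Users\alice\Desktop\a7qp-readme.txt",
    r"C:\Users\alice\Documents\budget.xlsx",
    r"D:\projects\plan.docx",
    r"E:\tools\setup.exe",
    r"\\fileserver\share\notes.txt",
]
```

Running `triage(SAMPLE_PATHS)` reports the lock file, both notes, and only D:\projects\plan.docx as reachable; the C: document, the .exe on E:, and the UNC path are excluded, matching the behaviour described above.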
This ransom note will contain a link to the Tor payment site, currently located at http://yboa7nidpv5jdtumgfm4fmmvju3ccxlleut2xvzgn5uqlbjd5n7p3kid.onion/, which will list the current ransom amount and a bitcoin address to send the payment to.
In our test, the ransom is $1,995 USD and becomes $3,990 after a little over 4 days as shown below.
At this time, it is not known if the ransomware has any weakness that could lead to a free decryptor. Researchers will be analyzing the ransomware to determine that in the near future.