An old ransomware family, one of the first to appear, is being retooled to attack new victims as the attackers' priorities change. Named Rakhni, the trojan now carries a cryptocurrency-mining component that it deploys on some of the computers it infects instead of the ransomware.
Security researchers from Kaspersky Lab spotted the new Rakhni version on victims' machines. Before dropping a payload, the new version profiles the computer and uses the result to decide which of its two modules to deploy.
The decision logic is simple: if Rakhni finds a folder named Bitcoin on the machine, it runs the ransomware module. The reason for this check is not stated, but it is plausibly tied to the fact that such a folder may hold sensitive material such as wallet private keys or passwords.
If the malware can reach that folder, encrypting it can lock the victim out of a wallet's private keys and therefore out of their funds. At the same time, the presence of the folder is a signal that the user holds cryptocurrency and may be both able and willing to pay a ransom to recover encrypted files.
The malware also has a plan B for machines with no Bitcoin folder. If the computer is powerful enough to be worth mining on, Rakhni downloads and installs a cryptocurrency-mining application from a remote server. The researchers believe the miner can mine Monero, Monero Original or Dashcoin.
So far this Rakhni version has been distributed through spam emails in several countries, including Russia, Kazakhstan, Ukraine, Germany and India, which suggests the campaign is to some extent geo-targeted.
The spam emails carry a Word DOCX attachment. When the user opens it, an embedded PDF document is opened, and that PDF in turn tries to launch an EXE file. Users should treat unexpected attachments with caution, especially from unknown senders, and should not allow a document to start an executable. Readers interested in a breakdown of the binary and its IOCs can find Kaspersky Lab's technical analysis on the company's Securelist blog.
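From a defender's point of view, the observable part of the infection chain described above is a document viewer acting as the parent of an unexpected executable. The following hunting script is an added example written for this page, not code from the original article or from Kaspersky's analysis. It runs over a handful of constructed, Sysmon-style process-creation events; the reader and Office process names, the benign-child allowlist and the sample paths are assumptions made for illustration, not indicators from the real campaign. It generalizes the article's DOCX -> PDF -> EXE chain to any office-application-to-PDF-reader-to-executable ancestry, and separately flags a viewer launching an executable from the user's AppData tree.

```python
"""Hunt for document-viewer-to-executable process chains.

Added example for this article; not from the original page or Kaspersky.
Events are constructed Sysmon EventID 1-style records; process names and
paths are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed process-name sets (illustrative, not an exhaustive inventory).
DOC_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
PDF_APPS = {"acrord32.exe", "acrobat.exe", "foxitreader.exe"}
# Children a viewer commonly spawns legitimately (assumed allowlist):
# the print helper and the PDF reader itself when a document opens a PDF.
BENIGN_CHILDREN = {"splwow64.exe", "acrocef.exe", "acrord32.exe"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str  # full path of the launched image


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events: List[ProcEvent], pid: int) -> List[str]:
    """Image names from the process itself up through its ancestors.

    Stops at the first unknown parent or on a cycle (reused PIDs).
    """
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    chain: List[str] = []
    seen = set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(image_name(cur.image))
        cur = by_pid.get(cur.ppid)
    return chain


def find_doc_chain_launches(events: List[ProcEvent]) -> List[Tuple[int, str, List[str]]]:
    """Return (pid, reason, ancestor_chain) for suspicious executable launches."""
    findings = []
    for e in events:
        name = image_name(e.image)
        if not name.endswith(".exe") or name in BENIGN_CHILDREN:
            continue
        ancestors = ancestry(events, e.pid)[1:]  # parent first
        if not ancestors:
            continue
        parent = ancestors[0]
        # Article's chain: office document -> PDF reader -> executable.
        if parent in PDF_APPS and any(a in DOC_APPS for a in ancestors[1:]):
            findings.append((e.pid, "doc->pdf->exe", ancestors))
        # Broader signal: any viewer starting an exe from the AppData tree.
        elif parent in DOC_APPS | PDF_APPS and "\\appdata\\" in e.image.lower():
            findings.append((e.pid, "viewer spawned exe from AppData", ancestors))
    return findings


# Constructed sample telemetry (assumed paths; pid 400 and 900 are the planted hits).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    ProcEvent(300, 200, r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"),
    ProcEvent(400, 300, r"C:\Users\alice\AppData\Roaming\reader.exe"),
    ProcEvent(500, 100, r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    ProcEvent(600, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    ProcEvent(700, 600, r"C:\Windows\splwow64.exe"),
    ProcEvent(800, 100, r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"),
    ProcEvent(900, 800, r"C:\Users\alice\AppData\Local\Temp\update.exe"),
]


if __name__ == "__main__":
    for pid, reason, chain in find_doc_chain_launches(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}; ancestors: {' <- '.join(chain)}")
```

The ancestry walk rather than a plain parent check matters here: in the article's chain the executable's direct parent is the PDF reader, not Word, so a rule that only asks "did Word spawn an exe?" would miss it. Feed the function real Sysmon or EDR process-creation records and tune the allowlist to what your viewers legitimately spawn.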