A ransomware gang has built a graphical user interface to deploy its ransomware, researchers have discovered. The group, Monster, is thought to be the first to develop a ransomware GUI and is part of a growing trend among hackers to develop malware that can be deployed across multiple operating systems, making it more dangerous for businesses.
Monster and another group, RedAlert, have been observed by analysts at Kaspersky targeting businesses around the world since the start of 2022. A new report details how the groups have managed to perform attacks on different operating systems without resorting to multiplatform languages.
The groups have “learned to adapt their malware to different operating systems at the same time – and therefore cause damage to more organisations,” the Kaspersky report says.
The rise of multiplatform ransomware
It has become increasingly common for ransomware criminals to use multiplatform languages such as Rust or Golang to write their malware, meaning it can be deployed more widely. BlackCat and Hive are two gangs that have deployed such tactics.
What sets Kaspersky’s most recent discoveries apart is that the hackers involved are able to use malware not written in cross-platform languages to target different operating systems simultaneously.
“We’ve got quite used to the ransomware groups deploying malware written in cross-platform language,” explained Jornt van der Wiel, a senior security researcher at Kaspersky’s global research and analysis team.
“However, these days cybercriminals learned to adjust their malicious code written in plain programming languages for joint attacks – making security specialists elaborate on ways to detect and prevent the ransomware attempts.”
How Monster and RedAlert deploy their ransomware
Kaspersky’s team says RedAlert employs malware written in plain C, as detected in a Linux sample. However, the malware also explicitly supports VMware’s ESXi hypervisor environments. The researchers also note that RedAlert only accepts payments in the Monero cryptocurrency, making the money harder to trace. “Although such an approach might be reasonable from criminals’ point of view, Monero is not accepted in every country and by every exchange, so victims might face a problem with paying off the ransom,” the report says.
Monster, meanwhile, has written its malware in the general-purpose programming language Delphi. It comes with a GUI, which is “especially peculiar, as we do not remember seeing this before”, the authors write. “There are good reasons for this, because, why would one go through the effort of implementing this when most ransomware attacks are executed using the command line in an automated way during a targeted attack?
“The ransomware authors must have realised this as well, since they included the GUI as an optional command-line parameter.”