August 24, 2022

Hacking gang Monster uses a graphical interface to deploy its ransomware

Cybercriminals are finding new ways to launch malware across multiple platforms and operating systems.

By Matthew Gooding

A ransomware gang has built a graphical user interface (GUI) for deploying its ransomware, researchers have discovered. The group, known as Monster, is thought to be the first to ship a ransomware GUI. It is also part of a growing trend among criminal groups of writing malware that can be deployed across multiple operating systems, which widens the range of businesses a single campaign can hit.

Image caption: Monster could be the first ransomware variant with a graphical user interface (pic: scyther5/iStock)

Monster and another group, RedAlert, have been observed by analysts at Kaspersky targeting businesses around the world since the start of 2022. A new Kaspersky report details how both groups manage to attack different operating systems without writing their malware in a cross-platform language.

The groups have “learned to adapt their malware to different operating systems at the same time – and therefore cause damage to more organisations,” the Kaspersky report says.

The rise of multiplatform ransomware

It has become increasingly common for ransomware criminals to write their malware in languages such as Rust or Go (Golang) that compile for several operating systems, so that the same codebase can be deployed more widely. BlackCat and Hive are two gangs that have taken this approach.

What sets Kaspersky’s most recent discoveries apart is that the groups involved target different operating systems simultaneously with malware that is not written in a cross-platform language.

“We’ve got quite used to the ransomware groups deploying malware written in cross-platform language,” explained Jornt van der Wiel, a senior security researcher at Kaspersky’s global research and analysis team.

“However, these days cybercriminals have learned to adjust their malicious code written in plain programming languages for joint attacks – making security specialists elaborate on ways to detect and prevent the ransomware attempts.”

How Monster and RedAlert deploy their ransomware

Kaspersky’s team says RedAlert’s malware is written in plain C, as seen in the Linux sample it analysed, and that the same malware explicitly supports VMware’s ESXi hypervisor environments. The researchers also note that RedAlert only accepts ransom payments in the Monero cryptocurrency, which makes the money harder to trace. “Although such an approach might be reasonable from criminals’ point of view, Monero is not accepted in every country and by every exchange, so victims might face a problem with paying off the ransom,” the report says.


Monster, meanwhile, has written its malware in Delphi, a general-purpose programming language. The malware comes with a GUI, which is “especially peculiar, as we do not remember seeing this before”, the authors write. “There are good reasons for this, because, why would one go through the effort of implementing this when most ransomware attacks are executed using the command line in an automated way during a targeted attack?

“The ransomware authors must have realised this as well, since they included the GUI as an optional command-line parameter.”

