August 24, 2022

Hacking gang Monster uses a graphical interface to deploy its ransomware

Cybercriminals are finding new ways to launch malware across multiple platforms and operating systems.

By Matthew Gooding

A ransomware gang has built a graphical user interface to deploy its ransomware, researchers have discovered. The group, Monster, is thought to be the first to develop a ransomware GUI and is part of a growing trend among hackers to develop malware that can be deployed across multiple operating systems, making it more dangerous for businesses.

Monster could be the first ransomware variant with a graphical user interface (pic: scyther5/iStock)

Monster and another group, RedAlert, have been observed by analysts at Kaspersky targeting businesses around the world since the start of 2022. A new report details how the groups have managed to perform attacks on different operating systems without resorting to multiplatform languages.

The groups have “learned to adapt their malware to different operating systems at the same time – and therefore cause damage to more organisations,” the Kaspersky report says.

The rise of multiplatform ransomware

It has become increasingly common for ransomware criminals to use multiplatform languages such as Rust or Golang to write their malware, meaning it can be deployed more widely. BlackCat and Hive are two gangs that have deployed such tactics.

What sets Kaspersky’s most recent discoveries apart is that the hackers involved are able to use malware not written in cross-platform languages to target different operating systems simultaneously.

“We’ve got quite used to the ransomware groups deploying malware written in cross-platform language,” explained Jornt van der Wiel, a senior security researcher at Kaspersky’s global research and analysis team.

“However, these days cybercriminals learned to adjust their malicious code written in plain programming languages for joint attacks – making security specialists elaborate on ways to detect and prevent the ransomware attempts.”


How Monster and RedAlert deploy their ransomware

Kaspersky’s team says RedAlert employs malware written in the plain C programming language, as detected in a Linux sample. However, the malware also explicitly supports VMware’s ESXi hypervisor environments. The researchers also note RedAlert only accepts payments in Monero cryptocurrency, making the money harder to trace. “Although such an approach might be reasonable from criminals’ point of view, Monero is not accepted in every country and by every exchange, so victims might face a problem with paying off the ransom,” it says.

Monster, meanwhile, has written its malware in the general-purpose programming language Delphi. It comes with a GUI, which is “especially peculiar, as we do not remember seeing this before”, the authors write. “There are good reasons for this, because, why would one go through the effort of implementing this when most ransomware attacks are executed using the command line in an automated way during a targeted attack?

“The ransomware authors must have realised this as well, since they included the GUI as an optional command-line parameter.”
