Purelocker Ransomware: Working and evasion


Purelocker ransomware is the latest ransomware in town, and it appears to be designed specifically to target production servers at the enterprise level. Purelocker was detected last week by researchers at Intezer and IBM X-Force.

Upon analysis, they identified that the ransomware has been used by the Cobalt Gang and FIN6, among other threat groups, mainly targeting Windows and Linux based servers. The name Purelocker was assigned to this ransomware because it is written entirely in a programming language called PureBasic.

PureBasic is an uncommon programming language, but the attackers' choice has to do with the fact that code written in PureBasic is portable across Windows, Linux and macOS, making it easier for the attackers to target multiple operating systems at once.

Also, since PureBasic is not common or popular, antivirus vendors have found it difficult to build reliable and accurate detection engines and signatures for the Purelocker ransomware. This is also part of the reason why the ransomware went undetected even after being active for several months.

Detection process:

According to the researchers, the analysis began with a Windows sample of the Purelocker ransomware, which they identified as a 32-bit DLL posing as the C++ cryptography library Crypto++. The researchers became suspicious because some of the functions in the library were related to music playback and controls.


Evasion Techniques:

As mentioned earlier, the Purelocker ransomware managed to stay undetected by popular antivirus engines for the first few weeks after its attack. The attackers stayed under the radar by writing the ransomware in PureBasic instead of a widely used language for which many detection signatures already exist.

The attackers behind Purelocker have also programmed it so that it only begins execution on the target system after ensuring that it is not being analyzed or debugged by anyone. If it detects analysis, the ransomware automatically exits, without even deleting itself from the target system.

The ransomware also executes from regsvr32.exe, so it verifies that it is indeed being executed by that process, that the current year on the target system is 2019, and that it has administrator rights on the system. If any of these checks fail, the ransomware immediately exits, as mentioned above, so as not to leave any trace of its functionality or working.

Working of Purelocker Ransomware:

Once the ransomware has performed all the verification checks on the target system and obtained the desired results, it begins by encrypting all the files on the target system with an AES+RSA combination, using a hardcoded RSA key.

The ransomware mainly encrypts the data files on the system, appending the .CR1 extension, and mostly ignores the executable files on the target system. It then deletes the originals of the files it has encrypted to prevent the user from recovering them. Finally, it leaves a ransom note as a text file named YOUR_FILES.txt on the user's desktop.
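As an added defender-side illustration (this is not code from the Intezer/IBM report or from the malware), the script below runs three detection rules over constructed process and file event log lines in a hypothetical pipe-delimited format, keyed to the behaviours described above: regsvr32.exe loading a DLL from outside the usual install directories, many files being renamed to the .CR1 extension by one process, and YOUR_FILES.txt being written to a desktop folder.

```python
from collections import Counter

# Constructed sample log lines (hypothetical format: ts|event|process|parent|target);
# they are not real telemetry from the Purelocker samples.
SAMPLE_LOG = """\
2019-11-12T09:01:05|ProcessCreate|C:\\Windows\\System32\\regsvr32.exe|C:\\Windows\\explorer.exe|C:\\Users\\bob\\AppData\\Local\\Temp\\cryptopp.dll
2019-11-12T09:01:07|FileRename|C:\\Windows\\System32\\regsvr32.exe||C:\\Users\\bob\\Documents\\budget.xlsx.CR1
2019-11-12T09:01:08|FileRename|C:\\Windows\\System32\\regsvr32.exe||C:\\Users\\bob\\Documents\\report.docx.CR1
2019-11-12T09:01:09|FileCreate|C:\\Windows\\System32\\regsvr32.exe||C:\\Users\\bob\\Desktop\\YOUR_FILES.txt
2019-11-12T09:02:00|ProcessCreate|C:\\Windows\\System32\\regsvr32.exe|C:\\Windows\\System32\\msiexec.exe|C:\\Windows\\System32\\msxml6.dll
"""

TRUSTED_DLL_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
CR1_THRESHOLD = 2  # how many .CR1 renames by one process before alerting (tunable)

def parse_line(line):
    ts, event, process, parent, target = line.split("|", 4)
    return {"ts": ts, "event": event, "process": process,
            "parent": parent, "target": target}

def analyze(log_text):
    """Return a list of (rule, evidence) alerts for the Purelocker behaviours."""
    alerts = []
    cr1_renames = Counter()
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        proc = ev["process"].lower()
        target = ev["target"].lower()
        # Rule 1: regsvr32.exe registering a DLL that lives outside trusted install
        # directories (the sample posed as a Crypto++ DLL run through regsvr32).
        if (ev["event"] == "ProcessCreate" and proc.endswith("\\regsvr32.exe")
                and target.endswith(".dll")
                and not target.startswith(TRUSTED_DLL_DIRS)):
            alerts.append(("regsvr32_dll_from_untrusted_path", ev["target"]))
        # Rule 2: one process renaming many files to the .CR1 extension.
        if ev["event"] == "FileRename" and target.endswith(".cr1"):
            cr1_renames[ev["process"]] += 1
            if cr1_renames[ev["process"]] == CR1_THRESHOLD:
                alerts.append(("mass_rename_to_cr1", ev["process"]))
        # Rule 3: the YOUR_FILES.txt ransom note being written to a Desktop folder.
        if (ev["event"] == "FileCreate" and target.endswith("\\your_files.txt")
                and "\\desktop\\" in target):
            alerts.append(("ransom_note_dropped", ev["target"]))
    return alerts

if __name__ == "__main__":
    for rule, evidence in analyze(SAMPLE_LOG):
        print(f"{rule}: {evidence}")
```

The last sample line (regsvr32.exe registering a DLL under C:\Windows\System32) is there to show that rule 1 stays quiet for ordinary DLL registrations.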


While a traditional ransomware note includes how much ransom the attackers want the victims to pay and the means to pay it, typically a bitcoin transaction, the attackers behind Purelocker instead instruct the victims to contact them via email.

They also appear to use an anonymous, encrypted email service for this purpose, with a different email address for each victim. Once the attackers have communicated with the victims and received the desired ransom amount, they send the decryption keys to the victims from the same email addresses they provided for contact.

Unconventional ways of Purelocker Ransomware:

From the unconventional choice of PureBasic to code the ransomware, to its evasion techniques, and even the way it operates and collects the ransom from its victims, it is clearly evident that this ransomware differs in many ways from the ransomware usually talked about in the news.

This shows that the attackers behind this ransomware are rapidly improving and innovating the ways they perform targeted attacks. It is therefore more important than ever to focus on the security of our systems and to be as careful as possible with our data and devices.

4 reasons to use KeePass instead of Lastpass


Passwords, as we all know, are some of the most important data we possess. With the increasing number of online services and the variety of options available for a single service, most people tend to use the same password for multiple services across several platforms.

While this behavior is certainly convenient, it is definitely not the most secure approach, especially considering how frequently data breaches happen these days. If you use the same password everywhere, a single breach that leaks your password might be enough to compromise all your accounts.

This is where password managers come in. They are essentially software that can generate and store passwords for the many services you use. By using a password manager, you no longer need to remember all your passwords, and you get automatically generated complex passwords that are difficult to guess and, since they are all stored in an encrypted vault, not easy to compromise either.

So, in today's post of what I hope will be a weekly series called This Instead Of That (TIOT), I am going to list out 5 reasons why you should use the password manager KeePass instead of the highly popular and widely known LastPass, which has millions of downloads.

The TIOT series will essentially be a weekly series of posts arguing why you should use a particular app or service instead of a popular one, with me listing a few reasons to convince you to use the less popular but better alternative.

Reason #1

KeePass is Open source

Open-source software is, in general, more transparent than company-owned software. This is particularly advantageous here, because password managers handle a lot of your sensitive data, and it is reassuring to know how the app actually works and how it handles and protects your passwords.


KeePass is also maintained by an active community, which means the app is updated frequently and quickly with new features or patches compared to LastPass. Also, since KeePass is open source, anyone can perform a security audit of its code and make sure the app follows recommended security standards.

You can have a look at the audit information over here.

Reason #2

KeePass is less popular

While people generally prefer popular products and services over less known ones, in this case it actually makes sense to use KeePass, the less popular alternative to LastPass. This is mainly because less popular software is considerably less likely to be attacked than LastPass. As LastPass has millions of downloads, many attackers have attempted to compromise the software and hijack the millions of passwords stored in it.


However, since KeePass is relatively less popular, the chances of it becoming a target for mainstream attackers are lower, as hackers generally target applications or services with a larger user base, where an attack would have a greater impact and success rate. While this does not mean KeePass would never be targeted, it is comparatively less of a target than LastPass or the other popular password managers out there.

Reason #3

KeePass does not have any commercial targeting

LastPass's main aim, besides being a secure application for managing your passwords, is frankly also to be the number one application for doing so. With that goal in mind, they need to make their application available to all kinds of users and platforms. This can mean adding attractive but otherwise unnecessary features, or supporting older, more vulnerable versions of operating systems or browsers, just to make sure the application reaches the widest possible audience.

KeePass, on the contrary, being an open-source application, does not necessarily work towards reaching a wider audience; it concentrates instead on being as secure and functional as possible. While this might mean the application is unusable or unstable on older versions of browsers or operating systems, it also means it is more secure and exposed to fewer threats than LastPass.

Reason #4

KeePass does not store your passwords on the cloud

Granted, not having your passwords stored in the cloud for easier access across multiple devices and quicker synchronization is less convenient, but it is also more secure, especially considering the increasing number of security breaches we witness every passing day.


However, you can still use Google Drive or any other cloud provider of your choice to store the encrypted database of your passwords exported from KeePass. This way, your password database is not hosted in some unknown place; it is stored in your own account, and you can still access the encrypted file across multiple devices by signing into your Google Drive or other cloud service account.

That's probably all the reasons I have to motivate you to use KeePass instead of the popular LastPass. Let me know in the comments section if you think there are any other reasons to do so.