Ransomware or Cryptomining Malware? Rakhni is Both!

Which is worse: Getting hit with cryptomining malware or falling prey to ransomware?

With the new version of a relatively older trojan named Rakhni, you don’t have to wonder — because it delivers both. The exploit, which was first discovered in 2013, has gotten a fair number of technical enhancements over its long journey. It started out as a early entry in the world of money-sucking ransomware variants and while Rakhni has been laying pretty low for the last five years, now it’s back.

Back and Better Than Ever?

A new version of the variant has been spotted not only dishing out file encrypting ransomware, it also has a coin mining aspect as well. The interesting thing about Rakhni is that it’s set up to deliver ransomware to some of its victims and the other, just as unlucky portion will be blessed with cryptomining malware. It’s almost as if the creators couldn’t decide what if they wanted to be in the malicious cryptomining business or in the ransomware-o-sphere, so they decided to pursue both options.

A typical infection scenario goes like this:

You get a phishing email that contains a malicious word DOCX file attachment, supposedly containing important financial information. If you open the attachment (which by now, we really really hope you won’t), it will try to run an EXE file and will ask you to enable macros. If for some reason you do allow the macros to be enabled (again, something you should never do), the malicious code will scan your computer and one of two things will happen; if it sees a file called “Bitcoin”, which would imply that you have a Bitcoin wallet already and understand how to obtain cryptocurrency, it will begin to run as a ransomware. When this happens, a ransom note pops up, informing you that if you try to use a decryptor, your files will be corrupted.

(In a positive twist of fate, there actually are decryptors than are able to undo the encryption. Clearly Rakhni’s developers don’t want you to know that part, again illustrating that perhaps these guys aren’t the sharpest malware creators in the box, if you know what we mean.)

If it doesn’t see any file with that name, it will begin to run the cryptomining module. It typically mines Monero, Monero Original and Dashcoin, all of which are less resource heavy in terms of mining than Bitcoins and are far more privacy-minded than Bitcoin in terms of traceability.

Rakhni and its Odd Ways

It’s anybody’s guess as to why the developers would choose to infect those more knowledgeable about cryptocurrencies with ransomware, while infecting everyone else with mining malware. The prevelent theory is that someone with a Bitcoin wallet will have an easier time getting the Dash/Monero/Monero Original needed to pay the unlock fee than would someone with less cryptocurrency acumen. To us, that seems a bit far fetched, as cryptocurrency users tend to be more internet-savvy than the general population. Part and parcel of this savviness is having better than average security habits, like having multiple back ups, which makes them less likely to pay up. 

Moreover, as we have mentioned elsewhere, malicious cryptomining is dethroning ransomware as the king of the malware baddies. It takes the same amount of effort to execute a both cryptomining exploits and ransomware exploits and both can rake in lots of money. The distinct advantage of cryptomining is that it’s so subtle that owners of infected devices rarely know they have been compromised. In this light, it’s easy to see why most malicious-minded devs out there today are putting their efforts into cryptomining over ransomware ploys. Again, in another demonstration of their apparent lack of forethought, Rakhni’s developers leave us scratching our heads and asking why.

For now, Rakhni is affecting users in Russia, Kazakhstan, India and the Ukraine so chances are you’re not going to get it. But it may spread and regardless, it’s wise to be familiar with trending malware tactics so you can stay one step ahead.

Further, Rakhni’s split personality disorder may just be a sign of things to come — malware creators are always trying to “up the bar”, finding new ways to burrow their way onto our devices. In the future, all malware may come with dual infection modalities, increasing the chances of successful infiltration. The good thing is that next-gen malware solutions are already defending their users on many levels at once and can easily handle anything that exploits like Rakhni can dish out. So while you needn’t worry about getting hit with this particular exploit, hopefully you can take a lesson about what makes for effective planning — whatever these guys do, do the opposite.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.