What Is It?

PureLocker, a new multiplatform ransomware recently named by researchers from Intezer and IBM X-Force, is being used in targeted attacks against production servers of enterprise-level organizations. While the research was performed on Windows variants, they also observed a Linux variant being used by the attackers, providing them with more options for compromising the infrastructure of their targets.

The name PureLocker derives from the fact it is written in the programming language PureBasic. The use of the somewhat obscure PureBasic language is advantageous to the attackers in two important ways. Firstly, PureBasic is relatively easily ported between Windows, Linux and macOS, increasing the potential attack surface with limited effort. Secondly, Intezer found signature-based antivirus had difficulty detecting PureBasic executables. In fact, over a three-week period from mid to late October 2019, samples submitted to VirusTotal varied between one and zero detections out of the 66+ products the samples were tested against. They also found samples showed no malicious behavior when tested against several sandboxes.

To avoid detection, PureLocker utilizes multiple techniques. Text strings within a sample are often utilized for signature-based detection, as such obfuscation of strings is quite common. In the case of PureLocker, strings are stored as hex strings and decoded as required. Upon execution, PureLocker checks to ensure that it is not being debugged or otherwise analyzed. While this is a common technique, PureLocker does something different as it will exit but not delete itself if it detects analysis attempts. By not deleting itself, it potentially appears less likely to be malicious behaviorally than a sample which exits and deletes itself. It also checks what process is executing it, its filename extension, the current year is 2019 and administrator level access.

If all checks pass and PureLocker executes its ransomware payload, it avoids executable files and encrypts a large range of data files, appending .CR1 to the end of the filename. Once encrypted, the original file is deleted securely. The displayed ransom note contains a unique Proton email address for communication with the attackers and does not contain a ransom amount, clearly this is negotiated with the attackers via email.

How Does It Propagate?

PureLocker does not contain the necessary code to self-propagate. The infection vector is not known, however for most ransomware it is social engineering, either as malicious attachments or downloads performed by malicious documents.

When/How Did BluVector Detect It?

Despite the observed difficulties that legacy anti-virus and sandbox products have detecting PureLocker, two samples are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected both. Regression testing has shown the samples would have been detected a full 52 and 53 months respectively, prior to their release.