Next gen ransomware: Elliptic cryptic, talks on Tor, demands Bitcoin

Cybercrooks have brewed a strain of ransomware that uses elliptic curve cryptography for file encryption, and Tor for communication. The malware, dubbed OphionLocker, is spreading using a malicious advertising (malvertising) campaign featuring the RIG exploit kit. The ransomware encrypts files of particular types on infected …

  1. Anonymous Blowhard

    Malicious Advertising?

    Is there another kind?

  2. Anonymous Coward

    Specific to VMs...

    Interesting...

    But is it that hard for researchers to just get some bare metal? It's not really going to stop researchers.

    I'm sure the AV researchers have decent budgets for R&D.

    Not every bluechip is as pikey as Sage.

    1. Eugene Crosser

      Re: Specific to VMs...

      Running the program in a VM allows the researcher to observe "from the outside" (i.e. from the hypervisor) what the program is doing, down to one instruction at a time when necessary. On bare metal, the malware will just do its deed without giving the researcher any insight about how it works.

      1. Sir Runcible Spoon
        Joke

        Re: Specific to VMs...

        I see a market opportunity for a hardware virtual environment.

      2. JCB

        Re: Specific to VMs...

        "Running the program in a VM allows the researcher to observe "from the outside""

        What does exist in the way of hardware monitoring (for PCs I am assuming)? Back in the day when I did mainframe OS support for ICL VME/K, the development team had hardware monitors they could attach for particularly recalcitrant bugs. Although I will accept that hardware monitoring is likely a lot more expensive than VM monitoring.

        1. Eugene Crosser

          Re: Specific to VMs...

          "What does exist in the way of hardware monitoring"

          Most virtualized environments these days are hardware-assisted (on mainframes, for a long time; on x86, for a few years now). Even so, it is tricky to hide the fact that a program is running in a VM from that program. It is possible, but in most real-life scenarios it is better to let it know, so the fact is rarely hidden well enough to fool sufficiently sophisticated malware.

    2. JCB

      Re: Specific to VMs...

      "Im sure the AV researchers have decent budgets for R&D."

      You don't need high-end kit to get pwned. Does the ransomware have a minimum hardware spec? There's lots of cheap ex-corporate kit around to build a honeypot. (It might even arrive already loaded with malware.)

  3. Alistair
    Terminator

    I note they don't tell us *how*.

    It would help to know what functionality it uses to determine it's in a VM. (There are quite a few that I know of....) ... but that would tell the ransomware developers what to change......

    (Machine learning --- ain't it fun?)
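The article does not say how OphionLocker decides it is inside a VM, so the following is an added example, not the malware's code and not from The Register: it demonstrates the most common, publicly documented user-mode probe on x86, which is the one the thread above is circling around. CPUID leaf 1 returns a "hypervisor present" bit in ECX[31] (reserved on real silicon, set to 1 by every mainstream hypervisor by default), and leaf 0x40000000 returns a 12-byte vendor signature in EBX:ECX:EDX. The vendor strings in the table are the ones those products publish; everything else here (file name, function names, the "none or unknown" label) is my own choice. It assumes GCC or Clang on x86/x86-64 and degrades to "not detected" on other architectures.

```c
/* cpuid_vm_check.c
 * Added example of a user-mode "am I in a VM?" probe via CPUID.
 * This is the generic, well-known technique, NOT OphionLocker's actual
 * check (which the article does not describe). Assumes GCC or Clang on
 * x86/x86-64 (<cpuid.h>); elsewhere the probes report "not detected".
 */
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define HAVE_X86_CPUID 1
#endif

#define HV_SIG_LEN    12            /* EBX:ECX:EDX of leaf 0x40000000 = 12 ASCII bytes */
#define HV_CPUID_LEAF 0x40000000u   /* first leaf of the hypervisor range */

/* CPUID.1:ECX bit 31 is reserved on physical CPUs and set to 1 by hypervisors
 * that follow the common convention. Returns 1 if set, 0 if clear or not x86. */
int hypervisor_present(void)
{
#ifdef HAVE_X86_CPUID
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return 0;                   /* leaf 1 unsupported: treat as bare metal */
    return (int)((ecx >> 31) & 1u);
#else
    return 0;
#endif
}

/* Copies the 12-byte vendor signature (leaf 0x40000000, EBX/ECX/EDX) into sig
 * and NUL-terminates it. Only meaningful when hypervisor_present() returns 1:
 * on bare metal that leaf is undefined and may hold stale data.
 * The raw __cpuid macro is used because __get_cpuid() refuses leaves above
 * the basic maximum, and 0x40000000 always is above it. */
void hypervisor_signature(char sig[HV_SIG_LEN + 1])
{
    memset(sig, 0, HV_SIG_LEN + 1);
#ifdef HAVE_X86_CPUID
    unsigned int eax, ebx, ecx, edx;
    __cpuid(HV_CPUID_LEAF, eax, ebx, ecx, edx);
    memcpy(sig,     &ebx, 4);       /* little-endian register -> in-order ASCII */
    memcpy(sig + 4, &ecx, 4);
    memcpy(sig + 8, &edx, 4);
#endif
}

/* Maps a signature (at least HV_SIG_LEN readable bytes) to a product name.
 * The strings are the ones each hypervisor publishes in that leaf;
 * anything else is reported as "none or unknown". */
const char *classify_hypervisor(const char *sig)
{
    static const struct { const char *sig; size_t n; const char *name; } table[] = {
        { "VMwareVMware", 12, "VMware" },
        { "KVMKVMKVM",     9, "KVM" },          /* KVM pads the rest with NUL bytes */
        { "Microsoft Hv", 12, "Hyper-V" },
        { "XenVMMXenVMM", 12, "Xen" },
        { "VBoxVBoxVBox", 12, "VirtualBox" },
        { "TCGTCGTCGTCG", 12, "QEMU (TCG)" },
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (memcmp(sig, table[i].sig, table[i].n) == 0)
            return table[i].name;
    return "none or unknown";
}

int main(void)
{
    char sig[HV_SIG_LEN + 1];
    int present = hypervisor_present();

    hypervisor_signature(sig);
    printf("hypervisor bit: %d\n", present);
    if (present)
        printf("signature: \"%.12s\" -> %s\n", sig, classify_hypervisor(sig));
    return 0;
}
```

Build with `cc -O2 cpuid_vm_check.c -o cpuid_vm_check` and run it once on a workstation and once inside a lab VM to see the difference. The caveat Eugene Crosser raises applies directly: the bit and the signature are set by the hypervisor, so the hypervisor can be configured to clear them (most products expose a setting for exactly that), which is why evasive malware stacks several probes, and why an analyst should verify what their own sandbox actually reports before assuming the sample failed to notice it.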
