An old ransomware from 2013 is at the center of a new scam and it is targeting new victims.
Rakhni, one of the first ransomware strains, has now added a coinminer component, which helps it carefully select computers to attack. While it was believed to have been quashed, the strain was apparently keeping a low profile over the last few years.
According to security experts at Kaspersky Lab, the new Rakhni strain has received an update that lets it inspect a person's computer before attacking it. It has two modes of attack: infecting the computer with the ransomware right after sneaking in, or running a coinminer module fetched from a remote server.
When infecting a user's computer, Rakhni simply finds a folder named Bitcoin within the system and runs the malware from there.
Although the intention of the coders behind it remains a mystery at this point, experts believe it could be an attempt to encrypt a user's wallet private keys in order to lock the user out of their funds. Even worse, the experts also speculate that Rakhni simply wants to know whether the victim is capable of paying if their files are encrypted.
If Rakhni finds no Bitcoin folder on the user's computer, it remotely installs a cryptocurrency mining application instead. Cryptocurrencies on the line include Monero, Monero Original, and Dashcoin. Kaspersky Lab has noted that Rakhni first assesses whether the computer is capable of running intensive cryptojacking operations.
How does this coinminer strain find its victims in the first place? According to Kaspersky Lab, this Rakhni strain is propagated via spam emails carrying malicious .docx attachments. Once the document is downloaded and opened, it opens an embedded PDF, which in turn runs a .exe file. Users are warned not to enable editing on .docx documents that arrive in the spam folder, because doing so triggers the PDF to run.
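The delivery chain above (a .docx that carries a PDF, which then runs an executable) relies on an object embedded inside the Word document. A defender can flag such attachments at the mail gateway or in a sandbox before anyone clicks "Enable Editing" by inspecting the .docx archive itself. The following is an added example, not code from the original article or from Kaspersky Lab; it assumes the embedded PDF is stored as an OLE object under `word/embeddings/`, which is where Office keeps embedded files, and it constructs its own sample .docx-like archives inline so it runs offline.

```python
import io
import zipfile

# A .docx is a zip container (OOXML). Embedded objects (such as a PDF dropped into
# the document) live under word/embeddings/; VBA macros live in word/vbaProject.bin.
SUSPICIOUS_PREFIXES = ("word/embeddings/", "word/vbaProject.bin")


def scan_docx(data: bytes) -> list[str]:
    """Return the archive members of a .docx that hold embedded objects or macros.

    An empty list means the document carries no embedded payload of this kind.
    Raises ValueError if the bytes are not a zip container (not an OOXML file).
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [name for name in zf.namelist() if name.startswith(SUSPICIOUS_PREFIXES)]
    except zipfile.BadZipFile as exc:
        raise ValueError("attachment is not an OOXML container") from exc


def build_sample_docx(with_embedding: bool) -> bytes:
    """Build a minimal, constructed .docx-like archive for demonstration only.

    Real documents contain many more parts; only the members relevant to the
    check are included here. The embedded member is a placeholder, not a real PDF.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_embedding:
            # Constructed placeholder standing in for an embedded PDF object.
            zf.writestr("word/embeddings/oleObject1.bin", b"%PDF-1.4 placeholder")
    return buf.getvalue()


def verdict(data: bytes) -> str:
    """Human-readable triage result for one attachment."""
    hits = scan_docx(data)
    if not hits:
        return "clean: no embedded objects or macros"
    return "suspicious: embedded members " + ", ".join(hits)


if __name__ == "__main__":
    for label, sample in (("benign", build_sample_docx(False)),
                          ("lure", build_sample_docx(True))):
        print(f"{label}: {verdict(sample)}")
```

Any hit on `word/embeddings/` is worth quarantining for manual review; legitimate documents do embed spreadsheets or PDFs, so treat the result as a triage signal rather than a definitive block.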
The geo-targeting used in the operation shows that suspects could be in countries like Russia, Ukraine, Germany, Kazakhstan, or India.
In a recent study by computer security firm McAfee, coinminer malware samples grew to 2.9 million during the first quarter of 2018 from around 400,000 samples during the fourth quarter of 2017.