Rakhni Virus Updated to Deploy Cryptocurrency Mining Software and Ransomware on Victims’ Computers
Identified as a top cyber-threat in 2013, the nefarious Rakhni ransomware has not been left behind: it is now infiltrating computers with cryptojacking software as well.
Updated Rakhni Targets Cryptocurrency
On July 6, 2018, cybersecurity website Bleeping Computer reported unauthorized activity by the Rakhni ransomware on PCs identified as belonging to cryptocurrency users. The report follows alerts from Kaspersky Lab about an updated Rakhni variant that scans a victim’s computer before infecting it. In what seems like “smart-virus” behavior, Rakhni runs a selection process and then deploys either a coin miner or ransomware on the machine.
Rakhni searches the computer for folders named “Bitcoin” and deploys ransomware on systems where one is found. The exact reason for this search strategy is unclear, but it can be speculated that Bitcoin users keep all Bitcoin-related data in one readily accessible folder, which Rakhni seeks to take advantage of. Affected users are prevented from accessing their funds, and the encryption blocks any fund transfer unless the specified ransom is paid.
If no Bitcoin folder is found, Rakhni instead deploys cryptocurrency mining software on the victim’s computer. Whether the miner is installed depends on the system’s ability to handle the intense energy and computing demands of mining.
Beware of Spam Emails
The updated Rakhni version is distributed via spam emails, according to Kaspersky Lab. Kaspersky has reported Rakhni infections in Russia, Kazakhstan, Ukraine, Germany, and India, and suspects that the distribution system uses geo-targeting tools for email delivery.
The innocuous-looking spam emails carry “Word Docx” attachments. If the user opens the file, the system runs an EXE file containing Rakhni. However, Kaspersky believes users should be safe as long as “they do not enable macros (Enable Editing button) in the first DOCX file.”
First Cryptojacking Arrest Made
Cryptojacking is not a new threat, but prosecution for the crime is a new development. A man who deployed the infamous Coinhive software, a cryptocurrency miner that has gained notoriety in recent times, was arrested in Japan on July 5, 2018, after authorities linked his IP address to several cryptojacking incidents.
As reported by the local news outlet Kahoku, Masato Yasuda created a “cheat-code” tool for gamers to use. However, he embedded JavaScript code containing Coinhive in it to mine the privacy-focused Monero using the victims’ computing resources. Police did not reveal many details about the crime, such as the nature of the operation or the delivery methods, but stated that he earned a paltry 5,000 Yen ($45) for his efforts.
A court in the city of Amagasaki, located 500 kilometers from Tokyo, sentenced Yasuda to one year in prison after his guilt was proven, but suspended the sentence for three years in view of the small scale of the damage. This means Yasuda walks free for now, but if he is caught in illegal mining activities before 2021, he goes to prison without a trial.