
DECAF Ransomware

The DECAF Ransomware showcases the growing trend among cybercriminals of moving away from the typical programming languages in favor of less popular or exotic choices. The goal is to increase the chances that their threatening creations avoid detection by anti-malware and cybersecurity solutions. One of the emerging choices in the threat landscape, and the one used to create DECAF, is Go, an open-source, object-oriented, and cross-platform language. Other ransomware threats also written in Go are Babuk, HelloKitty and Hive.

Harmful Functionality

When deployed on a compromised system, the DECAF Ransomware initiates an encryption process that locks the victim's data. The threat relies on a file-filtering mechanism to avoid causing irreparable damage to the operating system or accidentally double-encrypting files. As such, it scans for and then skips all files that carry a '.decaf' extension, are named README.txt, or match an embedded list of files, folders, and extensions chosen by the attackers.

After the encrypted copy of each targeted file has been created, the original is wiped from the system. To ensure that victims cannot restore the originals, DECAF uses cipher.exe, which is called for each directory and tasked with overwriting the deleted data there. The threat's ransom note is dropped as a README.txt file, and a copy is placed inside each folder containing encrypted files.
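The per-directory cipher.exe calls described above leave a process-creation pattern that a SOC can alert on. The following is an added detection example, not code from the original page or from the DECAF authors: it runs over constructed process-creation events and flags any parent that launches cipher.exe with the /w:<directory> switch (cipher's free-space wipe mode, a real switch) against several distinct directories in a short window. The pipe-delimited log format and the binary path C:\Temp\decaf.exe are assumptions made for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events (not real DECAF telemetry); C:\Temp\decaf.exe
# is a placeholder path. Format: "<ISO timestamp>|<parent>|<child image>|<command line>"
SAMPLE_EVENTS = """\
2021-11-02T10:15:01|C:\\Temp\\decaf.exe|C:\\Windows\\System32\\cipher.exe|cipher.exe /w:C:\\Users\\u\\Documents
2021-11-02T10:15:03|C:\\Temp\\decaf.exe|C:\\Windows\\System32\\cipher.exe|cipher.exe /w:C:\\Users\\u\\Pictures
2021-11-02T10:15:04|C:\\Temp\\decaf.exe|C:\\Windows\\System32\\cipher.exe|cipher.exe /w:D:\\Shares\\Finance
2021-11-02T10:15:06|C:\\Temp\\decaf.exe|C:\\Windows\\System32\\cipher.exe|cipher.exe /w:D:\\Shares\\HR
2021-11-02T14:00:01|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\cipher.exe|cipher.exe /w:C:\\
"""

# cipher.exe's /w:<directory> switch overwrites the free space on that volume
WIPE_SWITCH = re.compile(r"/w:(\S+)", re.IGNORECASE)


def parse_events(text):
    """Parse the pipe-delimited sample format into event dicts."""
    events = []
    for line in filter(None, text.splitlines()):
        ts, parent, image, cmdline = line.split("|", 3)
        events.append({"ts": datetime.fromisoformat(ts), "parent": parent,
                       "image": image, "cmdline": cmdline})
    return events


def find_wipe_bursts(events, min_dirs=3, window=timedelta(seconds=60)):
    """One finding per parent that launches cipher.exe /w against at least `min_dirs`
    distinct directories within any `window`-long span (a single manual wipe stays quiet)."""
    per_parent = defaultdict(list)
    for ev in events:
        m = WIPE_SWITCH.search(ev["cmdline"])
        if m and ev["image"].lower().endswith("cipher.exe"):
            per_parent[ev["parent"]].append((ev["ts"], m.group(1).lower()))
    findings = []
    for parent, launches in per_parent.items():
        launches.sort()
        best, start = set(), 0
        for end in range(len(launches)):           # sliding time window over launches
            while launches[end][0] - launches[start][0] > window:
                start += 1
            dirs = {d for _, d in launches[start:end + 1]}
            if len(dirs) >= min_dirs and len(dirs) > len(best):
                best, first_seen = dirs, launches[start][0]
        if best:
            findings.append({"parent": parent, "first_seen": first_seen,
                             "dirs": sorted(best)})
    return findings
```

On the sample, only the placeholder decaf.exe parent is reported (four directories in five seconds); the lone cmd.exe wipe of C:\ is below the threshold.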

Under Active Development

According to infosec experts, the DECAF Ransomware is still being developed rapidly, with the cybercriminals adding more features and anti-detection techniques. The modifications can be clearly seen by comparing the initial debug version that was caught, DECAF's pre-release build, with the versions that followed. The attackers boosted the complexity of the threat by adding string obfuscation; the hidden strings are de-obfuscated at runtime via different custom functions. Several new DECAF versions have already been observed circulating in the wild. To protect their critical infrastructure, companies need to adjust their cybersecurity policies to account for the shifting attack patterns of the threat actors.
