
VenusLocker Ransomware Operators Switch to Cryptocurrency Mining

Cybercriminals are a resourceful bunch. When they see that some of their tactics are not working as expected, they waste no time switching to other, more effective means of illegally gaining money. Take the VenusLocker gang, for example.

VenusLocker is a ransomware family that appeared in the summer of 2016. It never really managed to become the most prolific threat of its type, and there aren't many statistics on how many users it affected. The fact that its operators ran it for a year and a half, however, does suggest that they profited quite well from it. The thing is, times have changed a bit.

In the wake of the WannaCry, (Not)Petya, and Bad Rabbit disasters, quite a few people realized what sort of danger ransomware poses. Both organizations and individual users are investing in backup solutions, which means that they can recover from a ransomware attack without filling the crooks' Bitcoin wallets.

Speaking of Bitcoin, you might have heard already that the value of virtually all cryptocurrencies has been going through the roof lately. And this presents a myriad of profit opportunities for cybercriminals. Banking trojans and Remote Access Trojans (RATs), for example, now target cryptocurrency wallets as well as banking applications. Scripts that use the visitors' hardware to mine digital money are injected into unsecured websites, and there are, of course, dedicated miners that are distributed to victims using various methods. Which brings us back to the VenusLocker gang.

According to a blog post from Fortinet, the gang has now decided that, as profitable as the ransomware operation is, they can make even more money by spreading Monero miners.

Monero (XMR) is a cryptocurrency that was introduced in 2014. 1 XMR is currently worth about $470, quite a bit less than 1 Bitcoin. The crooks' decision to go for Monero isn't a mistake, though. As Fortinet's experts explain, mining Bitcoins on regular computers isn't really feasible nowadays. In addition to this, the newer cryptocurrency provides greater anonymity when it comes to transferring illegal gains around.

The switch from ransomware to mining is certainly an interesting move on the VenusLocker operators' part. And they're not just testing the waters, either. In fact, the social engineering in the spear phishing emails Fortinet examined shows that the attacks are aimed at specific organizations and are carefully premeditated.

Employees of an online garment seller in South Korea, for example, received an email saying that their website had been hacked. Another Korean company got a message implying that it had used images without the needed permissions. As always, the crooks tried to fool the victims into thinking that more details are available in the attached files.

The attachments come in the form of EGG files. EGG is an archive format, and it brings two main advantages for the VenusLocker gang. It's an unusual way of distributing malware, and scanners might fail to take a closer look at it. In addition to this, while it's not widely used in Europe and America, the format was developed by a South Korean company which means that the targeted victims are likely to be less suspicious of it.

The archive itself contains a hidden executable file (the actual miner) and several shortcuts pointing to it. The shortcuts look like images and/or documents, and since the body of the email instructs victims to open these types of files, they are likely to click on them and inadvertently launch the miner. This, Fortinet pointed out, is exactly the same technique the VenusLocker gang used when they were spreading their ransomware.
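The decoy-shortcut trick described above leaves a recognizable fingerprint in the shortcut files themselves: a Windows Shell Link (.lnk) stores the target's path and, in its header, the target's file attributes, including the hidden flag. The following is an added example (not code from the original article or from Fortinet's analysis) that parses the documented .lnk layout, flags shortcuts whose name carries a decoy image or document extension, whose target is an executable, and whose target was recorded as hidden. The `build_lnk` helper and all file names and paths are constructed for the demonstration.

```python
import ntpath
import struct

# LinkCLSID {00021401-0000-0000-C000-000000000046} in its on-disk byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_IDLIST = 0x1
HAS_LINK_INFO = 0x2
FILE_ATTRIBUTE_HIDDEN = 0x2
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x1

DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx", ".txt"}
EXEC_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd"}


def parse_lnk(data):
    """Return the LocalBasePath target and stored file attributes of a .lnk blob."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    link_flags, file_attrs = struct.unpack_from("<II", data, 0x14)
    pos = 0x4C
    if link_flags & HAS_LINK_TARGET_IDLIST:
        # IDListSize (2 bytes) followed by the item ID list itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    target = None
    if link_flags & HAS_LINK_INFO:
        info_size, _hdr_size, info_flags, _vol_off, lbp_off = struct.unpack_from("<IIIII", data, pos)
        if info_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            start = pos + lbp_off
            target = data[start:data.index(b"\x00", start)].decode("latin-1")
        pos += info_size
    return {"target": target, "file_attributes": file_attrs, "link_flags": link_flags}


def assess_shortcut(name, data):
    """Return the reasons a shortcut looks like a decoy for a hidden executable."""
    info = parse_lnk(data)
    reasons = []
    stem, ext = ntpath.splitext(name)
    inner_ext = ntpath.splitext(stem)[1].lower()
    if ext.lower() == ".lnk" and inner_ext in DECOY_EXTS:
        reasons.append(f"decoy extension {inner_ext!r} before .lnk")
    target = info["target"] or ""
    if ntpath.splitext(target)[1].lower() in EXEC_EXTS:
        reasons.append(f"target is an executable: {target}")
    if info["file_attributes"] & FILE_ATTRIBUTE_HIDDEN:
        reasons.append("target was recorded with the hidden attribute")
    return reasons


def scan_archive_contents(files):
    """files: mapping of member name -> bytes; returns {name: reasons} for flagged .lnk members."""
    flagged = {}
    for name, data in files.items():
        if name.lower().endswith(".lnk"):
            reasons = assess_shortcut(name, data)
            if reasons:
                flagged[name] = reasons
    return flagged


def build_lnk(target_path, file_attributes):
    """Constructed helper: emit a minimal .lnk with only a LinkInfo block (assumption, for testing)."""
    local_base = target_path.encode("ascii") + b"\x00"
    volume_id = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"  # DRIVE_FIXED, empty label
    hdr = 0x1C
    vol_off = hdr
    lbp_off = vol_off + len(volume_id)
    cps_off = lbp_off + len(local_base)
    link_info = struct.pack("<IIIIIII", cps_off + 1, hdr, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            vol_off, lbp_off, 0, cps_off) + volume_id + local_base + b"\x00"
    header = (struct.pack("<I", 0x4C) + LNK_CLSID
              + struct.pack("<II", HAS_LINK_INFO, file_attributes)
              + b"\x00" * 24                                  # three FILETIME fields
              + struct.pack("<IIIHHII", 0, 0, 1, 0, 0, 0, 0))  # size, icon, SW_SHOWNORMAL, rest
    return header + link_info


# Constructed sample archive contents: one decoy shortcut, one ordinary shortcut
SAMPLE_ARCHIVE = {
    "evidence.jpg.lnk": build_lnk(r"C:\extracted\.hidden\miner.exe", FILE_ATTRIBUTE_HIDDEN | 0x20),
    "notes.lnk": build_lnk(r"C:\Users\me\notes.txt", 0x20),
}

if __name__ == "__main__":
    for name, reasons in scan_archive_contents(SAMPLE_ARCHIVE).items():
        print(name, "->", "; ".join(reasons))
```

The parser deliberately reads only the parts of the Shell Link format it needs; real-world shortcuts may also carry an item ID list, string data and extra data blocks, which are skipped or ignored here. Any one of the three signals can occur in a benign shortcut, so treating all three together as the alert condition keeps the false-positive rate manageable.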

The miner itself is called XMRig, an open-source project specifically designed to mine Monero on Windows machines. The crooks apparently decided that there's no point in creating bespoke mining software when there are plenty of free and widely available solutions. Nevertheless, they did try to hide it by executing the binary as a remote thread under a legitimate Windows Update component.
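Remote thread creation into a Windows Update process is something endpoint telemetry can surface. As an added example (not code from the article or from Fortinet), the script below runs a simple detection over Sysmon-style Event ID 8 (CreateRemoteThread) records: it flags threads injected into an update component when the source process lives outside the Windows directory or when the new thread's start address is not backed by a loaded module. The event records, process names and paths are constructed for the demonstration; the field names follow Sysmon's documented Event 8 layout.

```python
import ntpath

# Processes that belong to the Windows Update machinery (assumption: adjust to your environment)
UPDATE_COMPONENTS = {"wuauclt.exe", "usoclient.exe", "wuaucltcore.exe"}
WINDOWS_DIR = "c:\\windows\\"


def is_suspicious_remote_thread(event):
    """Return the reasons a Sysmon Event 8 record looks like injection into a Windows Update process."""
    if event.get("EventID") != 8:
        return []
    target = ntpath.basename(event.get("TargetImage", "")).lower()
    if target not in UPDATE_COMPONENTS:
        return []
    reasons = []
    source = event.get("SourceImage", "").lower()
    if not source.startswith(WINDOWS_DIR):
        reasons.append(f"source {event['SourceImage']} is outside the Windows directory")
    if not event.get("StartModule"):
        reasons.append("thread start address is not backed by a loaded module")
    return reasons


def scan_events(events):
    """Return (event, reasons) pairs for every record that trips the detection."""
    hits = []
    for event in events:
        reasons = is_suspicious_remote_thread(event)
        if reasons:
            hits.append((event, reasons))
    return hits


# Constructed sample telemetry
SAMPLE_EVENTS = [
    {"EventID": 8, "UtcTime": "2017-12-20 09:14:03.117",
     "SourceImage": r"C:\Users\victim\Downloads\extracted\report.exe",
     "SourceProcessId": 4120,
     "TargetImage": r"C:\Windows\System32\wuauclt.exe", "TargetProcessId": 2284,
     "StartAddress": "0x000001E4A3F20000", "StartModule": "", "StartFunction": ""},
    {"EventID": 8, "UtcTime": "2017-12-20 09:15:41.902",
     "SourceImage": r"C:\Windows\System32\svchost.exe", "SourceProcessId": 1036,
     "TargetImage": r"C:\Windows\System32\wuauclt.exe", "TargetProcessId": 2284,
     "StartAddress": "0x00007FFB1C2A3D10", "StartModule": r"C:\Windows\System32\ntdll.dll",
     "StartFunction": "RtlUserThreadStart"},
    {"EventID": 1, "UtcTime": "2017-12-20 09:13:58.410",
     "Image": r"C:\Users\victim\Downloads\extracted\report.exe", "ProcessId": 4120},
]

if __name__ == "__main__":
    for event, reasons in scan_events(SAMPLE_EVENTS):
        print(event["UtcTime"], event["SourceImage"], "->", event["TargetImage"])
        for r in reasons:
            print("   ", r)
```

The two heuristics are independent: a signed system process injecting a module-backed thread (the second record) is routine, while an executable from a user's download folder starting an unbacked thread in wuauclt.exe (the first) matches the behaviour described in the article and warrants a look at the source binary.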

The million-dollar question here is: "Will illegally mining cryptocurrency become more profitable than extorting money from people with ransomware?" There's no way of knowing how much the VenusLocker gang have earned during the campaign described by Fortinet, and it's fair to say that the trends will likely be dictated by the value of cryptocurrencies. Some people might think that if mining attacks surpass ransomware infections, this will be good news for the users as, on the face of it at least, cryptocurrency miners are a lot less destructive and easier to remedy. The truth is, however, the strain they put on the hardware is enormous, and they could still spell trouble.

One thing is about as certain as the sun rising: cybercrooks won't stop looking for newer ways of increasing their profitability. Greed really does know no bounds.
