Last week, Moscow-based cybersecurity firm Kaspersky Lab reported that a new variant of the Rakhni ransomware trojan had been identified in the wild. Unlike previous versions, which encrypted the user’s data until a ransom was paid to unlock it, the updated malware now has the capability to install cryptocurrency mining software on infected machines. According to Kaspersky Lab’s analysis, the malware is even capable of determining if the host machine isn’t powerful enough to run mining software, skipping that process entirely on computers with single-core CPUs.
Although less notorious than ransomware programs like CryptoLocker or WannaCry, the Rakhni family of trojans has been a thorn in the side of cybersecurity experts since its discovery in 2013. The program has been actively updated over the years, incorporating new algorithms and encryption libraries to keep one step ahead of anti-malware systems. By adding a crypto-mining element to their ransomware, the criminals behind this new Rakhni variant have found a new way to generate funds from hijacked computers.
Instead of immediately installing ransomware onto an infected machine, the updated version of Rakhni first scans the host computer for a folder labelled “Bitcoin.” Depending on what it finds, Kaspersky Lab says it will take one of three actions: “If the folder exists, the downloader decides to download the [encryption malware]. If the folder doesn’t exist and the machine has more than two logical processors, the miner will be downloaded. If there’s no folder and just one logical processor, the downloader jumps to its worm component.”
Given that virtually all ransomware operators want to be paid in cryptocurrency, it’s not immediately clear why Rakhni would want to encrypt a computer with a bitcoin folder. If users can’t access their crypto, how will they pay the criminals? One possible reason could be that the criminals want to block access to the owner’s bitcoin wallet, holding those funds hostage until the ransom is paid.
If an infected machine doesn’t have a bitcoin folder, Rakhni downloads a series of cryptocurrency miners, starting with a Monero miner. If the host computer has a GPU powerful enough for mining, the malware will also add Monero Original and Dashcoin miners. The trojan even attempts to disguise these processes by naming them “svchost.exe” and signing them with a fake Microsoft Corporation certificate. In the event the machine isn’t powerful enough to effectively run a miner, Rakhni has one last trick, attempting to copy itself onto all the computers in the local network.
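The “svchost.exe” disguise described above is something an administrator can check for directly. The following PowerShell script is an added example written for this article; it is not code from the article, from Kaspersky Lab, or from the malware itself. It lists every running process named svchost.exe and flags any copy that is not located in the Windows system directories or whose Authenticode signature does not validate as a genuine Microsoft signature. The two system directories and the signer subject string it matches on are the script’s own assumptions about a standard Windows installation.

```powershell
# Added example (not from the article or Kaspersky Lab): flag svchost.exe
# processes that do not live in the Windows system directories or whose
# Authenticode signature is not a valid Microsoft signature.
# Run from an elevated PowerShell prompt on Windows PowerShell 5.1 or later.

# Assumption: legitimate svchost.exe only ever runs from these two locations.
$systemDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64')
)

$findings = foreach ($proc in Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'") {
    $path = $proc.ExecutablePath
    if (-not $path) {
        # Protected processes may hide their image path from an unprivileged caller;
        # report them as unreadable rather than silently skipping them.
        [pscustomobject]@{ PID = $proc.ProcessId; Path = '<unavailable>'; Reason = 'path not readable' }
        continue
    }

    $dir = Split-Path -Parent $path
    $inSystemDir = $systemDirs | Where-Object { $dir -ieq $_ }

    # A self-made "Microsoft Corporation" certificate will not chain to a trusted
    # root, so the signature status will be something other than Valid.
    $sig = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

    $reasons = @()
    if (-not $inSystemDir) { $reasons += 'outside System32/SysWOW64' }
    if ($sig.Status -ne 'Valid') {
        $reasons += "signature status $($sig.Status)"
    }
    elseif ($signer -notmatch 'O=Microsoft Corporation') {
        # Assumption: the genuine binary's signer subject contains this organisation name.
        $reasons += "unexpected signer: $signer"
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{ PID = $proc.ProcessId; Path = $path; Reason = ($reasons -join '; ') }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
}
else {
    'No suspicious svchost.exe processes found.'
}
```

The path check and the signature check are deliberately independent: a miner dropped into a user profile fails the first, and a binary carrying a forged certificate fails the second even if it were somehow placed in System32. The real svchost.exe is catalog-signed rather than carrying an embedded signature, which Get-AuthenticodeSignature handles on Windows PowerShell 5.1 and later; on older hosts, treat a catalog-signed binary in System32 reported as NotSigned as a false positive rather than as a finding.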
Fortunately, the updated version of Rakhni appears to have a limited ability to distribute itself. The malware is currently being distributed through spam emails, and requires users to download a Word DOCX file, enable editing on that file, and then open an executable disguised as a PDF. Should Rakhni’s developers find a more efficient method for spreading their malware, however, this new variant could become a far larger threat.
Given that Rakhni specifically targets the computers of cryptocurrency users for ransomware, one of the best methods for protecting your BTC, ETH and other tokens is to avoid storing them on a desktop wallet entirely. Instead, cryptocurrency and cybersecurity experts recommend storing your crypto on a tethered, air-gapped hardware wallet.