A new and strange ransomware called AnteFrigus is now being distributed through malvertising that redirects users to the the RIG exploit kit. Unlike other ransomware, AnteFrigus does not target the C: drive, but only other drives commonly associated with removable devices and mapped network drives.
The RIG exploit kit uses malicious scripts hosted on attacker-owned or compromised sites that exploit vulnerabilities in Internet Explorer. If these vulnerabilities can be exploited, it will then install a payload in the visitor's machine without their knowledge.
In a new Hookads malvertising campaign discovered by exploit kit expert Mol69, the RIG exploit is now installing the AnteFrigus Ransomware on unsuspecting users.
When numerous researchers, including BleepingComputer, attempted to install AnteFrigus we found that the ransomware not encrypting anything other than USB drives or mapped network drives.
Due to its strange behavior, BleepingComputer contacted security researcher and reverse engineer Vitali Kremez and asked him to take a look.
It turns out, that this ransomware only targets the D:, E:, F:, G:, H:, and I: drives. It does not encrypt any files located on the C: drive or unmapped network shares.