Strange AnteFrigus Ransomware Only Targets Specific Drives

silversurfer

Aug 17, 2014
A new and strange ransomware called AnteFrigus is now being distributed through malvertising that redirects users to the RIG exploit kit. Unlike other ransomware, AnteFrigus does not target the C: drive, but only other drives commonly associated with removable devices and mapped network drives.
The RIG exploit kit uses malicious scripts hosted on attacker-owned or compromised sites that exploit vulnerabilities in Internet Explorer. If these vulnerabilities can be exploited, it will then install a payload on the visitor's machine without their knowledge.
In a new Hookads malvertising campaign discovered by exploit kit expert Mol69, the RIG exploit is now installing the AnteFrigus Ransomware on unsuspecting users.
When numerous researchers, including BleepingComputer, attempted to install AnteFrigus, we found that the ransomware was not encrypting anything other than USB drives or mapped network drives.
Due to its strange behavior, BleepingComputer contacted security researcher and reverse engineer Vitali Kremez and asked him to take a look.
It turns out that this ransomware only targets the D:, E:, F:, G:, H:, and I: drives. It does not encrypt any files located on the C: drive or unmapped network shares.

correlate

May 4, 2019
Security researchers have come across and analyzed an oddly behaving ransomware variant that bypasses the victim's C drive, instead targeting the device's other drives.
