Rakhni, an old ransomware dating as far back as the year 2013, recently stepped up its game by adding a new devastating algorithm with its arsenal of attacks. It now decides whether to demand ransomware or secretly profit by installing a miner.
How It Works
The malware is shared via email attachment, often disguised as financial-related documents, leading us to believe that Rakhni primarily focuses on corporate targets.
This phony financial document is in PDF file, which the victim has to open first before the it asks permission to open an executable file from an unknown publisher. By clicking on yes, Rakhni finally can do whatever it wants with the victim.
First, the victim’s document viewer shows an error message stating that it can’t open the file. Next, Rakhni disables Window Defender and installs fake digital certificates. The installation of public key certificate ensures that there are lower chances a victim’s anti-malware software can detect the creeping threat.
Now that Rakhni secured a safe position inside the system, it now scans the victim’s PC and, either ransom important files or install a miner without the victim’s knowledge.
Inside Its Mind
The malware’s algorithm is simple: if it found out that its particular target is already engaged with cryptomining, Rakhni will then just encrypt all files (including important ones) and asks for a ransom money.
If however, the victim’s PC does not mine for cryptocurrency, Rakhni will instead download a miner for the PC that secretly generates Monero or Dashcoin Tokens. As long as the victim’s PC is powerful enough for mining, the attacker can profit without the victim knowing.
Given the strategy Rakhni employed to propagate itself, the best way to not get infected is being conservative to opening email attachments. Make sure only email senders from trusted sources are opened. And this applies as well to executing third-party apps from unknown sources.