Attacks that lure victims with cracked software have been distributing a novel version of the DJVU ransomware dubbed "Xaro" for its use of the .xaro extension on encrypted files, reports The Hacker News.
While DJVU ransomware, which descended from STOP ransomware, has been deployed through purportedly legitimate apps and SmokeLoader, attackers behind Xaro have leveraged PrivateLoader masquerading as the free PDF writing software CutePDF to spread the new DJVU variant in a bid to facilitate data exfiltration, according to a Cybereason report.
Aside from delivering the Vidar information-stealing malware, Xaro was also found to encrypt files and drop a ransom note demanding $980, discounted by 50% if payment is made within 72 hours.
"Threat actors are known to favor freeware masquerading as a way to covertly deploy malicious code. The speed and breadth of impact on infected machines should be carefully understood by enterprise networks looking to defend themselves and their data," said Cybereason researcher Ralph Villanueva.
Novel DJVU ransomware variant emerges