The Retadup worm is being shut down by computer specialists, this is the malware which is responsible for the large part of the STOP ransomware versions. The worm is primarily spread in Latin America and it has an extensive malware sequence that is run when the target hosts are compromised. Security experts are attempting to shut it down to the best of their ability thus limiting the spread of the STOP ransomware which is its main payload.
STOP Ransomware Is Being Stopped By Shutting Down The Retadup Worm
The Retadup worm is a very dangerous threat which is described in several reports as one of the main carriers of STOP ransomware samples. They are pervasive ransomware threats that are one of the most bothersome virus threats as many of the current ongoing attack campaigns carry it. A team of security experts have been able to devise a way of stopping the release of the threat which has rapidly decreased the number of infected computers with the STOP virus.
The Retadup worm is a very dangerous threat which is described in several reports as one of the main carriers of STOP ransomware samples. They are pervasive ransomware threats that are one of the most bothersome virus threats as many of the current ongoing attack campaigns carry it. A team of security experts have been able to devise a way of stopping the release of the threat which has rapidly decreased the number of infected computers with the STOP virus.
An in-depth investigation into the threat was made by a security team looking into the whereabouts of the main command and control (C&C) servers — once they are identified the experts can attempt to counter the infections. The infrastructure was found to be hosted in France which prompted the analysts to contact the French National Gendarmerie — they provided a an order giving the experts the green light to attempt and neutralize the servers to the best of their ability. As a result the virus activity has severely decreased thus stopping the release of many STOP ransomware samples. However this hasn’t stopped other hacking groups into releasing new variants of the virus.
Retadup Worm Activity: How Does It Deliver The STOP Ransomware Viruses
What’s particularly interesting about this malware it has been in development for several years before a criminal group has used it for the purpose of spreading the STOP ransomware samples. Over the years various modules and components have been added it and the main engine has been improved. At the time of writing this article the major version is made up of two files: the script language interpreter and the script itself. A built-in sequence will be launched which will execute various components, an example list of them is the following:
- Worm Installation Check — One of the first actions that are done by the infection engine is to check if there is an active running infection. This is done in order to check whether or not the host is a debug environment or virtual machine guest. It will stop if this checks positive.
- Persistent Installation — The Retadup worm will be installed in a way which will automatically start it as soon as the system boots up. It can disable access to the recovery boot options making it very hard for the users to recover their systems. It can also spread itself to other hosts such as removable storage devices and available network shares.
- Trojan Operations — The worm will establish a secure and persistent connection to the hacker-controlled server, if reachable. This will allow the criminals to take over control of the hosts and hijack any data that is found on them.
- Windows Registry Changes — The main engine has been confirmed to commit different kind of changes onto the infected hosts. The consequences will include problems with running certain applications and services, performance issues and data loss.
The commands which are most often used during the commanding of the virus samples are Update used to check if a newer release of the threat is available; Download which will deploy other malware onto the hosts; Sleep which will temporarily pause the execution of the malware< and Updateself which will reorganize its current form. Most of the viruses also use the sophisticated UAC security bypass which is noted for being a part of most of the advanced Trojans available for the Microsoft Windows system. The Retadup Worm is loaded into memory in an obfuscated and crypted form which means that it will be decrypted in real-time and when necessary. This means that in most cases discovery of the running engine will be made very difficult.
The analysis of the command and control servers shows that they are powered by a Node.js implementation and the data is stored in a MongoDB database. The detailed analysis shows that throughout the versions there are different types of organizational structure. The made analysis shows that the information gathered in the databases is used by the controllers to craft a user interface allowing them to control the infected hosts. Some of the collected samples have been shows to enable advanced operations, examples of such are the following:
- Botnet Recruitment — The hosts can be made part of an international network of infected computers. When this is made fact the compromised hosts can be used in a group to launch devastating distributed attacks against preset networks thus rendering them non-working.
- Cryptocurrency Miner Loading — One of the most common infections which are the result of virus infections is the deployment of cryptocurrency miners. There are small-sized scripts or applications that will download a sequence of performance-heavy mathematical tasks and particularly the CPU, memory, hard disk space and network connection. When an infection is reported as complete to the servers the hackers will be wired cryptocurrency award directly to their wallets.
The Current Situation With The Retadup Worm
A large number of the domains and servers associated with the worm have been shut down by the experts. However this has not been enough to stop the spread of the STOP ransomware strains. It appears that while this worm is one of the most efficient sources of the infection, it isn’t the one and only. It is true that after the shut down of many of the servers some of the strains have decreased in volume however STOP viruses continue to be developed. This gives us reasons to believe that one of these statements may possibly be true:
- The criminal collective behind these web servers are one of the main developers of the STOP ransomware strings. This means that it is possible that when all servers are stopped the number of ongoing infections will dramatically increase.
- The second alternative understanding of the situation is that the servers are rented or loaned by different hacking groups in order to spread their own versions of the STOP ransomware.
- Another proposition is that these servers are hacked specifically in order to deliver the worm and the associated STOP viruses.
Whatever the case the good news is that such operations are being stopped by security experts . However at-large STOP ransomware samples continue to be produced and we do not expect to see a slowing down in their further creation and distribution. The reasons for this conclusion is the fact that numerous strains of it are made every week which shows that they are a very profitable tool that is used by many hacker collectives around the world.
Martin Beltov
Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
Follow Me: