
Quick Tips and Security News 4-25-16

New Maktub Ransomware Strain - Beautiful And Dangerous

Maktub Locker is the name of a new Russian strain of ransomware. The word Maktub is Arabic for "fate", suggesting it is inevitable you will get infected with ransomware. The authors have spent a lot of time on the website, and the code was put together by professionals with extensive experience in writing malicious code. If these guys don't make it in the ransomware racket, they can start a second career in web design. This whole thing is well-polished start to finish.

At the moment, the strain is spread via email with a .scr attachment (a Windows screensaver, which is an executable) that pretends to be a document with a Terms-Of-Service update. The social engineering tricks are also professional grade. When the user opens the attachment, it really does display a fake TOS update in .rtf format. However, in the background, the victim's files are being encrypted.
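The delivery trick above (an executable .scr dressed up as an .rtf Terms-of-Service document) is something a mail gateway can screen for. The following is an added example, not code from the original article; the attachment names and byte strings are constructed for illustration, and the extension and magic-byte lists are assumptions chosen for the demo.

```python
# Added example (not from the original article): flag mail attachments that pose
# as documents but are Windows executables, as in the Maktub Locker lure.
# All sample attachments below are constructed for illustration.

EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTENSIONS = {".rtf", ".doc", ".docx", ".pdf", ".txt"}

# Leading bytes a genuine file of each document type starts with.
DOCUMENT_MAGIC = {".rtf": b"{\\rtf", ".pdf": b"%PDF",
                  ".doc": b"\xd0\xcf\x11\xe0", ".docx": b"PK\x03\x04"}
PE_MAGIC = b"MZ"  # every Windows .exe/.scr begins with the DOS header "MZ"


def extensions(filename):
    """All extensions of a filename, last one first: 'a.rtf.scr' -> ['.scr', '.rtf']."""
    parts = filename.lower().strip().split(".")
    return ["." + p for p in reversed(parts[1:])]


def attachment_findings(filename, head):
    """Return the reasons this attachment looks like a disguised executable
    (empty list if it looks clean). `head` is the first bytes of the decoded content."""
    exts = extensions(filename)
    last = exts[0] if exts else ""
    findings = []
    if last in EXECUTABLE_EXTENSIONS:
        findings.append(f"executable extension {last}")
        if any(e in DOCUMENT_EXTENSIONS for e in exts[1:]):
            findings.append("document extension hidden before the executable one")
    if head.startswith(PE_MAGIC):
        findings.append("content begins with a Windows PE/DOS header")
    if last in DOCUMENT_MAGIC and not head.startswith(DOCUMENT_MAGIC[last]):
        findings.append(f"content does not match a real {last} file")
    return findings


def should_quarantine(filename, head):
    return bool(attachment_findings(filename, head))


if __name__ == "__main__":
    samples = [  # constructed, not real captures
        ("Terms_of_Service_Update.rtf.scr", b"MZ\x90\x00\x03\x00"),
        ("Terms_of_Service_Update.rtf", b"{\\rtf1\\ansi\\deff0"),
        ("Terms_of_Service_Update.rtf", b"MZ\x90\x00\x03\x00"),
        ("invoice.pdf", b"%PDF-1.4"),
    ]
    for name, head in samples:
        verdict = "QUARANTINE" if should_quarantine(name, head) else "pass"
        print(f"{verdict:10} {name}: {attachment_findings(name, head)}")
```

Blocking by extension alone is not enough, which is why the content check is there: a renamed executable still starts with "MZ", and a file named .rtf that does not start with "{\rtf" is not an RTF document.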


Both Encrypts And Compresses

Maktub Locker does not need to download a key from a Command and Control server – the data can be encrypted offline. The new and surprising thing is that encrypted files are much smaller than the original ones. It seems this ransomware not only encrypts but also compresses files. What an unexpected benefit!

Well Designed Payment Website For Victims

Today, it's pretty standard to provide a TOR-based website for payments. Maktub is no different, and comes with a "cold-comfort demo" allowing the decryption of 2 selected files to show they can give you your files back. Both the ransom note and the website are in English. Here is how it looks, very polite indeed:


Ransom from 1.4 bitcoin to a max of 3.9 bitcoins

Maktub Locker is designed following the "criminal industry standard": it encrypts your data and then ransoms your files for a low amount to start with, in this case 1.4 bitcoins. After a certain amount of time, you enter a new stage where the ransom amount increases, and the price ultimately tops out at 3.9 bitcoins. Here is their schedule: