Monster ransomware deployed via graphical user interface

A ransomware gang has built a graphical user interface to deploy its ransomware, researchers have found. The group, Monster, is believed to be the first to develop a ransomware GUI and is part of a growing trend among hackers to develop malware that can be deployed on multiple operating systems, making it more dangerous for businesses.

Monster could be the first ransomware variant with a graphical user interface (Photo: scyther5/iStock)

Monster and another group, RedAlert, have been observed by Kaspersky analysts targeting companies around the world since the start of 2022. A new report details how the groups managed to carry out attacks on different operating systems without resorting to cross-platform languages.

The groups have “learned how to adapt their malware to different operating systems at the same time – and therefore cause damage to more organizations”, the Kaspersky report said.

The rise of cross-platform ransomware

It has become increasingly common for ransomware criminals to use cross-platform languages such as Rust or Golang to write their malware, which means it can be deployed more widely. BlackCat and Hive are two gangs that have deployed such tactics.

What sets Kaspersky’s most recent findings apart is that the hackers involved are able to use malware not written in cross-platform languages to simultaneously target different operating systems.

“We’re quite used to ransomware groups that deploy malware written in a cross-platform language,” explained Jornt van der Wiel, senior security researcher with Kaspersky’s Global Research and Analytics team.

“However, nowadays, cybercriminals have learned to tune their malicious code written in simple programming languages for joint attacks, forcing security specialists to devise ways to detect and prevent ransomware attempts.”

How Monster and RedAlert deploy their ransomware

The Kaspersky team claims that RedAlert uses malware written in plain C programming language, as detected in the Linux sample. However, the malware also explicitly supports ESXi hypervisor environments from VMware. The researchers also note that RedAlert only accepts payments in Monero cryptocurrency, which makes the money harder to trace. “While such an approach may be reasonable from the perspective of criminals, Monero is not accepted in all countries and by all exchanges, so victims may find it difficult to pay the ransom,” the report says.


Monster, meanwhile, wrote its malware in the versatile Delphi programming language. It comes with a GUI, which is “particularly peculiar, as we don’t recall seeing it before,” the authors write. “There are good reasons for this as why would anyone strive to implement this when most ransomware attacks are executed using the command line in an automated manner in a targeted attack?

“The ransomware authors must have realized this too, because they included the GUI as an optional command-line parameter.”