Targeted Ransomware Attacks Middle Eastern Government Organisations For Political Reasons

Unit 42, Palo Alto Networks' threat intelligence research arm, has recently observed attacks against multiple Middle Eastern government organisations using a previously unseen ransomware family. Based on embedded strings within the malware, Unit 42 has named it ‘RanRan’. Rather than being purely financially motivated, the ransom note attempts to extort a political statement: it demands that victims create a public sub-domain whose name would appear to advocate and incite violence against a Middle Eastern political leader.

Because the ransom message is tailored to its victims and only a small number of samples of this family have been seen, Unit 42 believes the attack was targeted in nature. Unit 42's analysis shows no connection between these attacks and the recent waves of Shamoon 2 attacks.

A new blog post analyses the ‘RanRan’ malware, explaining how it works and how attackers are using it.

For more information, please see the blog here: http://researchcenter.paloaltonetworks.com/2017/03/unit42-targeted-ransomware-attacks-middle-eastern-government-organizations-political-purposes/. An extract of the blog is below.

“Recently, Unit 42 has observed attacks against multiple Middle Eastern government organizations using a previously unseen ransomware family. Based on embedded strings within the malware, we have named this malware ‘RanRan’. Due to the targeted nature of the ransom message delivered by the malware, and the small sample set of this malware family, we believe that this attack was targeted in nature. Our analysis shows no connections between these attacks and the recent waves of Shamoon 2 attacks.

The ransom note specifically attempts to extort a political statement by forcing the victims to create a public sub-domain with a name that would appear to advocate and incite violence against a Middle Eastern political leader.

The malware itself is fairly rudimentary and makes a number of mistakes in how files are encrypted. This allowed Unit 42 to create a script that is able to decrypt some files that were encrypted by RanRan.”