A brand new Russian strain of ransomware called Maktub Locker has just appeared.
“Maktub” comes from Arabic and means “fate”. Apparently, the name itself suggests that getting infected with this ransomware is inevitable. The malicious threat was created by professionals with extensive experience in writing malicious code. Considering its design, this newly-found malware is well-polished from start to finish.
Currently, the ransomware strain is distributed via email with a .scr attachment that pretends to be a document containing a Terms-of-Service update. The social engineering is also professional grade.
Once the user opens the attachment, it displays a fake TOS update in .rtf format while, in the background, their files are being encrypted.
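As an added illustration, not part of the original post, here is a mail-gateway triage check for the kind of lure described above: it flags attachments with executable extensions such as .scr, document-then-executable double extensions, and files whose Windows PE header contradicts a document-like extension. The sample attachments are constructed for the demonstration.

```python
import os

# Constructed sample attachments (filename -> first bytes); not from the original post.
# Windows PE executables, which .scr screensavers are, begin with the "MZ" header.
SAMPLE_ATTACHMENTS = {
    "TOS_update.scr": b"MZ\x90\x00\x03\x00\x00\x00",
    "Terms_of_Service.rtf.scr": b"MZ\x90\x00\x03\x00\x00\x00",
    "Terms_of_Service.rtf": b"{\\rtf1\\ansi\\deff0",
    "report.pdf": b"MZ\x90\x00",          # executable renamed to look like a document
    "invoice.pdf": b"%PDF-1.4\n",
}

EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".cpl", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTENSIONS = {".rtf", ".doc", ".docx", ".pdf", ".txt"}


def triage_attachment(name, head):
    """Return the reasons this attachment should be quarantined (empty list if none)."""
    reasons = []
    lowered = name.lower()
    stem, ext = os.path.splitext(lowered)
    _, inner_ext = os.path.splitext(stem)   # catches "file.rtf.scr" style names
    is_pe = head.startswith(b"MZ")

    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
    if inner_ext in DOCUMENT_EXTENSIONS and ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"double extension {inner_ext}{ext} mimics a document")
    if is_pe and ext in DOCUMENT_EXTENSIONS:
        reasons.append(f"PE header but {ext} extension")
    if is_pe and ext not in EXECUTABLE_EXTENSIONS and ext not in DOCUMENT_EXTENSIONS:
        reasons.append("PE header with unexpected extension")
    return reasons


def quarantine_list(attachments):
    """Map every suspicious attachment name to its list of reasons."""
    flagged = {}
    for name, head in attachments.items():
        reasons = triage_attachment(name, head)
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in quarantine_list(SAMPLE_ATTACHMENTS).items():
        print(f"{name}: {'; '.join(reasons)}")
```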
Maktub Locker does not need to download a key from a Command and Control server, as the data can be encrypted offline. The most intriguing detail is that the encrypted files are much smaller than the originals, which suggests Maktub compresses files before encrypting them.
Nowadays, it’s pretty standard to provide a TOR-based website for payments. Maktub is no different, and comes with a “cold-comfort demo” that decrypts 2 files of the victim's choosing to show that the operators can give the files back. Both the ransom note and the website are in English.
Maktub Locker follows the “criminal industry standard”: it encrypts your data and then ransoms your files for a low amount to start with, in this case 1.4 bitcoins. After some time, you enter a new stage where the ransom amount increases; the Maktub ransom price ultimately tops out at 3.9 bitcoins.