Check Point security researchers have reported a change in the Kovter malware's mode of operation: it has slowly morphed into a weak crypto-ransomware variant.
Kovter first appeared in 2013 as a simplistic screen-locker ransomware. The infection locked users' computers and displayed a message asking them to pay a fine or face legal action. Usually, the message was dressed up with insignia and graphics of local law enforcement, chosen according to the user's country of origin.
Because these screen-locker campaigns were becoming ineffective, by 2014 Kovter had evolved and specialized in click-fraud activities, loading and clicking on ads behind the user's back.
This lasted for two years, and during that time Kovter became known for the fast pace at which it evolved, always adding new features. The peak of this update cycle was reached in the autumn of 2015, when Kovter turned into a fileless threat, living only in the infected computer's memory and Windows registry.
Over the past few months, as ransomware has become big business, Kovter's creators have decided to evolve the malware's codebase once again, bringing it back to where it all started.
In fact, the new version of Kovter does not look like the original one at all because, instead of locking users’ computers, Kovter now encrypts their files.
Fortunately, according to Check Point, Kovter ransomware cannot yet rival Locky or TeslaCrypt, and its encryption can be defeated.
The researchers explained that Kovter does not encrypt each file in full, but only the first few bytes of each file, and then stores the encryption key on disk. That key can be recovered from the disk and used to unlock all encrypted files.
The problem is that Check Point has not released a decrypter for this ransomware yet, which means there is no simple point-and-click solution to recover the files. For now, infected users may need the help of a professional to get their data decrypted.
Yet the strangest thing about Kovter ransomware is that its creators seem to have been more preoccupied with evading antivirus detection than with using a strong encryption algorithm.