Kransom’s Invasion via DLL Side-Loading

Researchers at ANY.RUN have recently uncovered a cleverly disguised ransomware called Kransom, which hides within the StarRail game using DLL side-loading and a legitimate certificate from COGNOSPHERE PTE. LTD. This sophisticated malware is designed to evade traditional detection methods by posing as a harmless game.

Kransom operates through DLL side-loading, a technique in which a legitimate executable is made to load a malicious DLL placed where the executable looks for it by name, so the ransomware runs inside a trusted process and executes its encrypted payload. By impersonating a game, the malware tricks users into unknowingly installing and running it on their systems.

What makes Kransom particularly deceptive is its use of a legitimate certificate from COGNOSPHERE PTE. LTD. The signed executable appears safe and trustworthy, so security controls that trust the signature may not inspect the DLL it loads, allowing the malware to avoid detection. Once the StarRailBase.dll file is loaded by the executable, the ransomware attack begins, leaving users exposed to data encryption and extortion.
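The side-loading pattern described above has a simple defensive signature: a signed host process loads a DLL from its own directory, and that DLL is either unsigned or signed by a different publisher. The following script is an added example written for this article, not code from ANY.RUN or from the original report; it runs a detection of that kind over constructed Sysmon-style image-load records (Event ID 7 exposes the loading image, the loaded image, and their signature status). The executable name `StarRail.exe`, the user and directory paths, and the `Contoso Ltd` signer are assumed placeholders; only `StarRailBase.dll` and `COGNOSPHERE PTE. LTD.` come from the article.

```python
"""Flag DLL side-loading candidates in Sysmon-style image-load records.

Added example for the Kransom article; the event records below are constructed,
not captured from a real infection.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ImageLoad:
    """Subset of the fields a Sysmon Event ID 7 (ImageLoaded) record carries."""
    image: str            # the process executable that performed the load
    image_signed: bool
    image_signer: str
    loaded: str           # the DLL that was mapped into the process
    loaded_signed: bool
    loaded_signer: str


# Directory fragments a normal user can write to; a signed game binary running
# from one of these is a stronger signal than the same binary under Program Files.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")


def _same_directory(path_a: str, path_b: str) -> bool:
    """Case-insensitive comparison of the parent directories of two Windows paths."""
    parent_a = str(PureWindowsPath(path_a).parent).lower()
    parent_b = str(PureWindowsPath(path_b).parent).lower()
    return parent_a == parent_b


def classify(ev: ImageLoad):
    """Return a reason string if the load matches the side-loading pattern, else None."""
    if not ev.image_signed:
        return None  # an unsigned host gives the attacker no borrowed trust
    if not _same_directory(ev.image, ev.loaded):
        return None  # DLL resolved elsewhere (e.g. System32); not the pattern here
    if not ev.loaded_signed:
        return "unsigned DLL loaded from the directory of a signed executable"
    if ev.loaded_signer.lower() != ev.image_signer.lower():
        return (f"DLL signer '{ev.loaded_signer}' differs from "
                f"executable signer '{ev.image_signer}'")
    return None


def find_sideload_candidates(events):
    """Return one finding per suspicious load, preserving input order."""
    hits = []
    for ev in events:
        reason = classify(ev)
        if reason is None:
            continue
        in_user_dir = any(m in ev.image.lower() for m in USER_WRITABLE_MARKERS)
        hits.append({
            "image": ev.image,
            "loaded": ev.loaded,
            "reason": reason,
            "user_writable_dir": in_user_dir,
        })
    return hits


# Constructed sample records (paths, user name and 'StarRail.exe' are assumptions).
GAME_DIR = "C:\\Users\\alice\\Downloads\\StarRail"
GAME_EXE = GAME_DIR + "\\StarRail.exe"
PUBLISHER = "COGNOSPHERE PTE. LTD."

SAMPLE_EVENTS = [
    # 1. Signed game binary loads an unsigned DLL from its own directory: the
    #    side-loading pattern the article describes.
    ImageLoad(GAME_EXE, True, PUBLISHER, GAME_DIR + "\\StarRailBase.dll", False, ""),
    # 2. Same binary loads a Microsoft-signed system DLL from System32: benign.
    ImageLoad(GAME_EXE, True, PUBLISHER,
              "C:\\Windows\\System32\\kernel32.dll", True, "Microsoft Windows"),
    # 3. Same-directory DLL signed by the same publisher: expected for a game install.
    ImageLoad(GAME_EXE, True, PUBLISHER, GAME_DIR + "\\GameAssembly.dll", True, PUBLISHER),
    # 4. Same-directory DLL signed by an unrelated publisher: flagged as a mismatch.
    ImageLoad(GAME_EXE, True, PUBLISHER, GAME_DIR + "\\helper.dll", True, "Contoso Ltd"),
    # 5. Unsigned host loading an unsigned DLL: noisy and not this pattern, so skipped.
    ImageLoad("C:\\Temp\\tool.exe", False, "", "C:\\Temp\\tool.dll", False, ""),
]

if __name__ == "__main__":
    for hit in find_sideload_candidates(SAMPLE_EVENTS):
        flag = " [user-writable dir]" if hit["user_writable_dir"] else ""
        print(f"{hit['image']} -> {hit['loaded']}: {hit['reason']}{flag}")
```

The check is deliberately narrow: it ignores unsigned hosts and DLLs resolved from other directories, so on real telemetry the remaining findings are the loads where a signed binary lends its trust to a file it did not ship with. Tuning for a real estate would add an allow-list of known-good game and installer directories.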

To better understand how Kransom works, security analysts can upload a sample of the malware to a sandbox environment such as ANY.RUN. The interactive sandbox allows a comprehensive analysis of the ransomware’s execution, from its initial stages to the completion of its payload. By examining the encrypted payload inside the DLL file, analysts can gain insight into the malicious content and behavior of the ransomware.

Upon activation, Kransom displays a message directing the user to contact HoYoverse for solutions to their “problems.” This message serves as the ransom note, indicating that the user’s files have been encrypted and that they must comply with the cybercriminals’ demands to regain access.

For those interested in further exploring Kransom ransomware and its capabilities, ANY.RUN offers a TI Lookup tool that allows for additional analysis of samples within the sandbox environment. By leveraging this tool, users can gain a deeper understanding of the ransomware’s functionality and potential impact on their systems.

In conclusion, Kransom ransomware represents a significant threat to users, as it leverages deceptive tactics to evade detection and carry out malicious activities. By remaining vigilant and utilizing tools like ANY.RUN’s sandbox environment for analysis, users and security professionals can better protect themselves against evolving cyber threats.
