A team of Cybereason Labs researchers, headed by Uri Sternfeld, Senior Security Researcher, announced today the discovery of a massive ransomware operation it has named “Operation Kofer”.
After examining samples of several Kofer variants sourced from around the world, Cybereason researchers found they shared the same general packaging and delivery techniques, but incorporated random variables in order to avoid static-signature or hash-based detection. This leads Cybereason to believe they were all created by the same operational group using an algorithm to “mix and match” different components, giving ransomware “APT-like” evasion capabilities. A full analysis of Operation Kofer can be found here.
The fact that the Kofer variants come from a single source is an indication of the commoditization of ransomware at a whole new scale. The analyzed Kofer samples have different hashes and unique characteristics, but share attributes such as fake icons, bogus file names and a distinct packaging pattern that connects what would otherwise appear to be unrelated samples to a single source. In addition to mechanisms that help them evade detection by sandboxes and dynamic detection tools, Kofer variants also include embellishments that attempt to fool malware researchers.
Operation Kofer appears to be the first “drive-by” ransomware operation to incorporate an APT/nation-state level of complexity, making it an increasing threat to organizations. We believe that Operation Kofer already has a European-wide presence, as the researchers identified variants that targeted Spanish, Polish, Swiss and Turkish organizations, among others.
Cybereason’s report, called “Operation Kofer: Mutating Ransomware Enters the Fray”, provides a full analysis of Operation Kofer, including key findings, similarities and differences across the samples, and detection and mitigation suggestions.