Barkly vs Malware
Barkly Research
Jul 2018

Malware Installs Ransomware or Coinminer Depending on Victim


Latest version of Rakhni ransomware scans victim systems to decide whether infecting them with ransomware or a coinminer would be more profitable.

During the past 12 months, one of the most notable trends in malware has been the massive decline in ransomware volume and corresponding boom in cryptocurrency-mining malware. We dug into the contributing factors behind that trend in our "10 Must-Know Cybersecurity Statistics for 2018" post back in February (in a nutshell: with fewer victims paying ransomware demands thanks to heightened awareness and good backup, miners provide criminals with a stealthier, more profitable alternative). 

In the months since that post, the growth in cryptomining malware has continued to ramp up, with many malware authors adding miners to their campaigns either as additional modules or later-stage payloads.   

Now, as researchers at Kaspsersky point out, even one of the oldest ransomware strains appears to be adapting to the times and getting in on the act. But rather than just tacking on a cryptomining module as an afterthought, the authors behind Rakhni ransomware are taking a different approach, using an installer to scan infected computers first, and determine which type of payload will be more effective. It then fetches and deploys either the ransomware or the miner accordingly. 

Rakhni ransomware: Old malware with new tricks

Rakhni has been active since 2013 and has largely kept a low profile. It has been primarily distributed via spam campaigns launched at would-be victims in Russia. The latest emails are disguised as financial messages with a malicious Word document attached. When opened, the document prompts the user to enable editing and open what appears to be an embedded PDF file.


Microsoft Word document used in Rakhni ransomware campaign. Source: Kaspersky

Clicking on the file issues a prompt asking the user to confirm whether they want to allow the program "AdobeReaderPlugin.exe" to make changes to their computer. After permission is granted, the Rakhni downloader gets to work. 

At first, the downloader tries to fool the victim by displaying an error message, thereby suggesting the file did not run. Meanwhile, in the background, the malware performs various anti-VM and security checks to decide if it can run without being detected. If it sees that specific processes or registry key values are present, it will stop the infection process short. The downloader also checks to see if specific antivirus programs are running. If not, it assumes Windows Defender is running and will attempt to disable it. 

At this point, if all its checks are clear, the downloader installs a forged root certificate made to look like it was issued from Microsoft or Adobe. Any downloaded payloads are signed with this certificate in an attempt to help them appear legitimate and evade antivirus detection. 

With these steps completed, the downloader then has a decision to make: which payload should it retrieve and deploy? The ransomware or the miner?

The decision: To mine or to encrypt?

The selection criteria for selecting which payload to download is relatively straightforward:

  • If the malware locates a Bitcoin folder on the victim’s computer, it will deploy the ransomware (an executable named taskhost.exe). The program searches out files with a variety of extensions, encrypts them, and changes their extension to .neitrino. A ransom note (MESSAGE.txt) is left in each encrypted directory demanding payment within three days.

    Rakhni ransom note. Source: Kaspersky

    Why make deploying the ransomware dependent on a Bitcoin folder being present? Any attempts to understand the rationale are merely a guess, but one possibility is that attackers assume if victims already have Bitcoin that makes it easier (and more likely) for them to pay. 
  • If the machine does not possess a Bitcoin folder and has more than two logical processors (providing adequate power to conduct effective cryptomining), the malware will instead deploy the miner. The miner is launched via a VBScript file named Check_Updates.vbs that runs after an OS reboot. The miner module has the ability to mine cryptocurrencies like Dash (DSH), Monero (XMR), and Monero Original (XMO), and is disguised to look like svchost.exe. 
  • If the machine does not fit either of these criteria (it doesn't possess a Bitcoin folder and has only one logical processor), the malware instead activates a worm component designed to spread the malware throughout the local network so it can infect computers that do. 

A sign of things to come?

With the decline in ransomware and increase in banking trojan and cryptomining payloads, malware campaigns appear to be at a crossroads. The changes to Rakhni are extremely illustrative of the different paths that campaigns can choose to take. But the decision isn't simply about choosing between ransomware and cryptomining, it's about choosing between overt disruption and covert stealth. Do attackers believe they can make more money loudly extorting victims, or by silently siphoning off their private information and/or selling access to their systems by staying under the radar? 

The changes to Rakhni make one thing clear — attackers understand that trying to take both of these paths at once isn't feasible, but there may actually be a third path, as well. By gathering information about infected systems first, attackers can make more informed decisions about which types of payloads and attacks are most appropriate to launch before possibly tipping their hand. Rakhni represents an initial baby step in that direction, but it's easy to imagine more sophisticated downloaders being developed to conduct additional reconnaissance and deploy payloads more effectively to ensure greater impact (think SamSam, but even more automated). 

Why prevention is key and how Barkly can help


Barkly blocks Rakhni ransomware.

Advances in downloaders and a shift to more evasive tactics puts a strong emphasis on preventing initial malware infections in the first place. That's why Barkly has been designed not just to block payloads, but to also block malware delivery and retrieval techniques at the earliest possible opportunity.  

To find out how Barkly does it and how you can sabotage attack chains and block infections before they start, download our free guide:


Barkly Research

Barkly Research

Barkly's malware research team is hard at work stopping new malware that sneaks past antivirus.


Close the gaps in your security

Stop paying for AV, get the strongest protection instead. See how Barkly blocks attacks that are getting past AV.

See a demo


Stay informed!

Get the latest security news, tips, and trends straight to your inbox.

Stay informed!

Get the latest security news, tips, and trends straight to your inbox.