Dubbed PureLocker it's written in PureBasic, which is unusual, but it provides benefits to attackers because sometimes security vendors struggle to generate reliable detection signatures for malicious software written in this language.
Intezer security researcher Michael Kajiloti said PureBasic was transferable between Windows, Linux, and OS-X, meaning attackers can more easily target different platforms.
"Targeting servers means the attackers are trying to hit their victims where it really hurts, especially databases which store the most critical information of the organization,"
There are currently no figures on the number PureLocker victims, but Intezer and IBM X-Force have confirmed the ransomware campaign is active with the ransomware being offered to attackers 'as-a-service.'
The service appears to be offered as a bespoke tool, only available to cybercriminal operations which can afford to pay a significant sum in the first place. The source code of PureLocker ransomware offers clues to its exclusive nature, as it contains strings from the 'more_eggs' backdoor malware. This malware is sold on the dark web by what researchers describe as a 'veteran' provider of malicious services. These tools have been used by some of the most prolific cybercriminal groups operating today, including Cobalt Gang and FIN6 -- and the ransomware shares code with previous campaigns by these hacking gangs.