Skip to main content

New Ransomware Targets Removable And Attached Drives

By November 29, 2019May 9th, 2022Cybersecurity

There’s a new and unusual ransomware strain making the rounds that you should be aware of.

Called ‘AnteFrigus,’ it is primarily distributed via ‘malvertising’ that redirects users to the RIG exploit kit.

One of the most unusual features of this strain is the fact that it specifically doesn’t target the C: drive of the target computer.

Instead, it focuses exclusively on drives that are commonly associated with mapped network drives and removable hardware.

BleepingComputer was one of several organizations to discover the ransomware. They all contacted independent security researcher Vitali Kremez to reverse engineer the malware to get a peek under the hood at how it works.

Kremez discovered that this strain only targets the D:, E:, F:, G:, H:, and I: drives.  It does not even attempt to encrypt any files located on the C: drive, nor does it try to do anything whatsoever with unmapped network shares.

In addition to that, the AntiFrigus ransomware is designed to skip any file with the following extensions:

  • Adv
  • Ani
  • Big
  • Bat
  • Bin
  • Cab
  • Cmd
  • Com
  • Cpl
  • Cur
  • Deskthemepack
  • Diagcap
  • Diagcfg
  • Diagpkg
  • Dll
  • Drv
  • Exe
  • Hlp
  • Icl
  • Icns
  • Ico
  • Ics
  • Idx
  • Ldf
  • Lnk
  • Mod
  • Mpa
  • Msc
  • Msp
  • Msstyles
  • Msu
  • Nls
  • Nomedia
  • Ocx
  • Prf
  • Rom
  • Rtp
  • Scr
  • Shs
  • Spl
  • Sys
  • Theme
  • Themepack
  • Wpx
  • Lock
  • Key
  • Hta
  • Msi
  • Pck

The facts that the ransomware studiously ignores the C: drive and the list of extensions the malware won’t encrypt are curious. This all had many people scratching their heads trying to discern why the developers would build their code in this way.

Upon review, Kremez concluded that the developers are not terribly sophisticated and are, at this point, still in the experimental stages.  The code is still very much a work in progress.  Work in progress or not, it can be dangerous. Be sure your staff is aware of this latest threat.

Jason Manteiga

Jason J. Manteiga, Vice President of Olmec Systems, has been part of the company for over the past 20 years. He believes that having a great work environment and supportive team, is the ultimate key to success. Since being in the IT realm for over 25 years, Jason, along with Olmec Systems, has been on the Inc. 5000 “List of America’s Fastest Growing Private Companies” and Channel Futures MSP 501 “Top Managed Service Providers in North America,” along with other awards and nominations. Jason earned his Bachelor Degree in Information Systems from the New Jersey Institute of Technology. He also holds certifications in Microsoft MCSE, VMWare VCP, and Cisco CCNA. In his spare time, Jason is a contributor for The Center for Social & Legal Research (Privacy Exchange) and a member of the Morris County Chamber of Commerce. His hobbies include cycling and kayaking. He currently lives in New Jersey with his wife, two daughters and son.