Security researchers are warning of a new strain of malware that not only steals data, but also evades attempts to detect and analyse its behaviour by erasing the contents of the host machine.
Discovered by Cisco’s Talos Group, the virus – dubbed Rombertik and distributed via phishing emails – is able to read any plain-text data the user might type into a browser window, such as usernames and passwords, before the input is encrypted to be sent over HTTPS.
More sophisticated, however, is its anti-analysis functionality. The malware is not only able to break out of the secure, sandboxed environments typically used by researchers to study the effects of malicious software, but will also detect when the host machine is attempting to monitor its actions in memory.
If this latter check fails, Rombertik launches an offensive on the infected PC itself, destroying the users’ data or otherwise rendering it unintelligible.
The virus’ first recourse its to overwrite the system drive’s master boot record, locking the computer in an endless reboot accompanied by the message: “Carbon crack attempt, failed”.
If the master boot record is inaccessible, Rombertik encrypts each file in the users’ home folder with a randomly generated cryptographic key, rendering them effectively destroyed unless the key can be retrieved.
Either way, the victim may end up with a complex data recovery scenario to address.
“While Talos has observed anti-analysis and anti-debugging techniques in malware samples in the past, Rombertik is unique in that it actively attempts to destroy the computer’s data if it detects certain attributes associated with malware analysis,” wrote researchers Ben Baker and Alex Chiu on the Cisco blog.
“Looking forward, Talos expects these methods and behaviours to be adopted by other threat actors in the future.”
It is wise to choose a data recovery company who has a track record in recovering from the type of data loss you have experienced.