A huge ransomware operation, named "Operation Kofer", has emerged in cyberspace; it has the ability to mutate in order to fool detection mechanisms.
Researchers at Cybereason Labs, after examining various versions of the Kofer ransomware from around the world, discovered that they share the same construction and delivery techniques but also incorporate random variables to avoid static-signature and hash-based detection.
This led the researchers to believe that all versions were created by the same hacker team, using a specific algorithm to mix and match the components differently, giving the ransomware evasion capabilities similar to those of an APT.
The Kofer samples the experts analyzed had different hashes and characteristics but the same traits, such as fake icons, fake filenames, and a particular packaging pattern; these traits link samples that would otherwise appear unrelated to each other to a single operation.
In addition to mechanisms that help evade sandboxes and dynamic detection tools, Kofer variants also include decoy elements designed to mislead researchers.
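As an added illustration (not Cybereason's tooling; every hash, icon hash and packer name below is constructed), this Python snippet shows why a hash blocklist misses rebuilt variants, while linking on the shared traits the researchers describe (spoofed icon, packer stub, document-masquerading filename) still groups them:

```python
import re
from collections import defaultdict

# Constructed triage records, shaped like what a static analysis pipeline
# would extract from each file. Only the first sample has been seen before.
SAMPLES = [
    {"sha256": "h-0001", "filename": "Invoice_2015.pdf.exe", "icon_hash": "ico-pdf-7f2c", "packer": "custom-stub-A"},
    {"sha256": "h-0002", "filename": "Scan_0913.doc.exe",    "icon_hash": "ico-pdf-7f2c", "packer": "custom-stub-A"},
    {"sha256": "h-0003", "filename": "Rechnung.pdf.scr",     "icon_hash": "ico-pdf-7f2c", "packer": "custom-stub-A"},
    {"sha256": "h-0004", "filename": "photo.jpg.exe",        "icon_hash": "ico-img-11aa", "packer": "custom-stub-A"},
    {"sha256": "h-0005", "filename": "setup.exe",            "icon_hash": "ico-gen-0000", "packer": "none"},
]
KNOWN_BAD = {"h-0001"}  # the hash blocklist

DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|jpe?g)\.(exe|scr)$", re.IGNORECASE)

def fake_document_type(filename):
    """Document type a double-extension filename pretends to be, or None."""
    m = DOUBLE_EXT.search(filename)
    return m.group(1).lower() if m else None

def trait_key(sample):
    # Traits that survive a rebuild: spoofed icon, packer stub, and whether the
    # name masquerades as a document. The filename text itself is excluded
    # because it is randomised per build.
    return (sample["icon_hash"], sample["packer"],
            fake_document_type(sample["filename"]) is not None)

def hash_hits(samples, known):
    """What a hash blocklist catches: exact matches only."""
    return [s["sha256"] for s in samples if s["sha256"] in known]

def cluster_by_traits(samples):
    clusters = defaultdict(list)
    for s in samples:
        clusters[trait_key(s)].append(s["sha256"])
    return dict(clusters)

def linked_to_known(samples, known):
    """Unseen samples that fall in the same trait cluster as a known-bad one."""
    linked = []
    for members in cluster_by_traits(samples).values():
        if any(h in known for h in members):
            linked.extend(h for h in members if h not in known)
    return sorted(linked)

if __name__ == "__main__":
    print("hash blocklist hits:", hash_hits(SAMPLES, KNOWN_BAD))       # ['h-0001']
    print("linked by traits:   ", linked_to_known(SAMPLES, KNOWN_BAD))  # ['h-0002', 'h-0003']
```

The sample with a different spoofed icon (h-0004) is deliberately left in its own cluster: trait linking is only as good as the traits chosen, so a real pipeline would tune the key against known families rather than merging everything that shares a packer.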
"The fact that Kofer variants come from a single source is an example of ransomware's commercialization taken to a whole new level," said Uri Sternfeld of Cybereason.
"Operation Kofer appears to be the first 'drive-by' ransomware enterprise, incorporating an APT/nation-state level of sophistication, making its product an increasingly large threat to companies."
As for the uncontrolled proliferation of variants, all of those found were compared over the previous weeks, and new ones are likely to appear every few days or even hours.
Cybereason believes that Operation Kofer already has a pan-European presence, as confirmed by the researchers, who identified versions in Spain, Poland, Switzerland, Turkey and elsewhere.