In recent years, the world of cybercrime has seen new and increasingly sophisticated threats capable of affecting a wide range of targets. One of the most concerning recent arrivals in this field is ransomware, which has lately been analyzed by several cybersecurity experts, who also had the opportunity to interview members of the ransomware gang behind this dangerous threat.

The Rise: Cross-Platform Ransomware

Not just ransomware: its ability to run on systems makes it particularly dangerous, because it allows its operators to target a variety of infrastructures, including those traditionally considered more secure, such as servers. The adoption of a cross-platform strategy is a significant evolution from traditional ransomware, which typically focuses on a single platform. This characteristic is reflected in the structure of the malicious code, which is written in multi-platform programming languages so that it can be compiled and executed on different hardware architectures and operating systems. This is precisely what makes it so adaptable and lethal, enabling it to attack the heterogeneous systems found within corporate networks.

Technical characteristics

From a technical perspective, it boasts several advanced features. First, the ransomware employs the - and - encryption algorithms, ensuring a high level of security for file encryption; this makes it nearly impossible to recover affected files without the decryption key. Once executed on the target system, it conducts a comprehensive scan for valuable files, including documents, databases, and backups, as well as configuration files critical to service operation. One of the most insidious aspects is its use of lateral movement strategies, which allow the malware to spread rapidly across the network, infecting multiple devices. The ransomware exploits known vulnerabilities () in network services and applications commonly used within the environment, opening the door to further attacks. This ability to move laterally within the internal network significantly enhances its effectiveness and makes it difficult to stop once an infection begins. Additionally, it includes a data exfiltration component: before encrypting files, the ransomware sends copies of the most sensitive data to a remote server controlled by the attackers. This creates a second ransom mechanism, the threat of releasing or selling the stolen information if the ransom is not paid. Such double extortion is an effective strategy in modern ransomware operations.

The gang behind it

We had the opportunity to interview a member of the gang behind it. During the interview, a disturbing picture of their motivations and strategies emerged. The gang stated that their primary targets are not only large corporations but also critical infrastructure such as hospitals, energy networks, and public administration agencies. They believe these organizations have "sufficient funds to pay" but are also easy to attack because of their reliance on legacy systems and poor security. Another interesting point that emerged in the interview is their attempt to establish their own brand in the ransomware-as-a-service () sector. They offer the malicious software to affiliates through a business model that allows less experienced cybercriminals to use the platform for ransomware attacks in exchange for a percentage of the ransom obtained. This decentralized structure allows the gang to operate on a larger scale, multiplying the number of potential victims.

How to defend

To address this threat, a comprehensive security strategy must be implemented, encompassing both preventive and reactive measures. Among the best practices for reducing infection risk, we recommend:

  1. Continuously update systems and applications to fix known vulnerabilities.
  2. Segment the network to limit the damage caused when a device is compromised.
  3. Regularly back up the most critical data, either offline or on storage platforms with restricted access.
  4. Deploy advanced threat detection solutions, such as Endpoint Detection and Response (EDR), which can identify suspicious lateral movement within the network.
  5. Continuously train employees to recognize phishing and other social engineering tactics, which are commonly used to spread ransomware.
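To illustrate the detection point in item 4, here is a minimal example written for this page (it is not code from the article, from the gang, or from any EDR product). It runs a simple fan-out heuristic over constructed authentication log lines: a single host that authenticates to many distinct hosts within a short window is the footprint that lateral movement typically leaves, and that is what an EDR or SIEM rule would alert on. The log format, host names, window and threshold are all assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not taken from the article).
# Format assumed for this example: <ISO timestamp> <source host> <destination host> <account>
# ws-17 reaches six different hosts in about 15 seconds: a lateral-movement fan-out pattern.
# ws-22 reaches two hosts an hour apart: normal user activity.
SAMPLE_EVENTS = """\
2024-01-01T10:00:01 ws-17 fileserver-01 svc_backup
2024-01-01T10:00:04 ws-17 fileserver-02 svc_backup
2024-01-01T10:00:07 ws-17 db-01 svc_backup
2024-01-01T10:00:09 ws-17 db-02 svc_backup
2024-01-01T10:00:12 ws-17 hr-app svc_backup
2024-01-01T10:00:15 ws-17 erp-01 svc_backup
2024-01-01T10:03:00 ws-22 fileserver-01 alice
2024-01-01T11:00:00 ws-22 mail-01 alice
"""


def parse_events(text):
    """Parse the constructed log format into (timestamp, src, dst, account) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, account = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, account))
    return events


def find_fanout(events, window=timedelta(minutes=5), threshold=5):
    """Return {source_host: sorted distinct destinations} for every source that
    authenticates to at least `threshold` distinct hosts within any `window`.

    The window slides from each event of a source; the first window that meets
    the threshold produces the alert for that source."""
    by_src = defaultdict(list)
    for ts, src, dst, _account in events:
        by_src[src].append((ts, dst))

    alerts = {}
    for src, items in by_src.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            dsts = {d for t, d in items[i:] if t - start <= window}
            if len(dsts) >= threshold:
                alerts[src] = sorted(dsts)
                break
    return alerts


if __name__ == "__main__":
    for src, dsts in find_fanout(parse_events(SAMPLE_EVENTS)).items():
        print(f"ALERT: {src} authenticated to {len(dsts)} hosts in <5 min: {', '.join(dsts)}")
```

In practice the threshold and window are tuned per environment, and known scanners or backup servers that legitimately fan out are put on an allow-list; without that, rules like this generate noise rather than signal.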

The evolution of ransomware towards cross-platform models represents a qualitative leap that requires equally advanced responses. Businesses must invest in proactive and innovative security measures, as cybercriminals such as those behind this ransomware continuously develop new techniques to bypass traditional defenses. This ransomware is only the beginning of cross-platform threats that will become increasingly common in the future. Rapid and accurate prevention, mitigation, and response will be key to survival in the modern digital environment.

Author: Emma

An experienced news writer, focusing on in-depth reporting and analysis in the fields of economics, military, technology, and warfare. With over 20 years of rich experience in news reporting and editing, he has set foot in various global hotspots and witnessed many major events firsthand. His works have been widely acclaimed and have won numerous awards.