Rakhni: A Virus that decides whether your PC is good for Crypto-Mining or Ransomware

January 3, 2019

Ransomware and cryptocurrency-mining attacks have been very frequent this year, hitting not only unsuspecting individuals but corporate systems as well. The two share a few similarities and mostly revolve around digital currencies. Like other malware and hacking tools, they continue to evolve. Neither is a complex intrusion by nature, but make no mistake: both have the power to take over your CPU resources to achieve their goals, and they sit at the very top of this year's cyber threats.

Security experts from the Russian security firm Kaspersky Labs have just discovered a virus, a ransomware to be precise, that has been upgraded to perform both ransomware functions and cryptocurrency mining. The virus infects a system and automatically decides whether that system is better suited to ransomware or to cryptocurrency mining. Taking over a computer for ransom isn't always a surefire way to a guaranteed payout, especially if the victim has nothing important to lose. Faced with this dilemma, cybercriminals have apparently found a way to extract money from such victims through covert cryptocurrency mining instead.

Named the Rakhni malware, it is spread via spear-phishing emails carrying an attached MS Word file that lures the victim into opening it. In the background, the virus then runs anti-sandbox and anti-VM checks to decide whether it can implant itself on the system without leaving a trace. Once those conditions are satisfied, it performs further checks to decide which payload to deliver: the miner or the ransomware.

Scared already? Wait, there's more: this extraordinary virus also has spyware functionality.

In order of processes, here's how the virus works:

  1. Ransomware installation using RSA-1024 encryption.
  2. Miner program installation using the MinerGate utility and DSH in the background.
  3. Installation of fake root certificates.
  4. Worm component activation to spread across the local network.
  5. If no AV is found, the malware executes several commands to disable the Firewall and Defender.
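Steps 3 and 5 above leave traces a defender can look for: unexpected entries in the machine root certificate store, and Defender or firewall profiles that have been switched off. The script below is an added example written for this article; it is not code from the article, from Kaspersky, or from the malware itself, and it does not detect Rakhni specifically. It is a posture check to run (elevated) on a Windows 10 / Server 2016-class host after someone opened a suspicious Word attachment. It assumes the built-in Defender and NetSecurity PowerShell modules are present; the baseline file path `C:\baseline\root-ca-thumbprints.txt` is a hypothetical file of known-good root CA thumbprints (one per line) that you would produce from a clean machine yourself.

```powershell
# Added example, not from the article or Kaspersky: post-incident posture check for
# a Windows host. Reports (1) Defender engine / real-time protection state,
# (2) firewall profiles that are disabled, (3) machine root CAs that are missing
# from a known-good baseline or that only recently became valid.
# $BaselinePath is an assumed, hypothetical file you maintain yourself.
param(
    [string]$BaselinePath = "C:\baseline\root-ca-thumbprints.txt",
    [int]$RecentDays = 30
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Defender state. Get-MpComputerStatus throws if the Defender module is absent
#    (e.g. a third-party AV has taken over), so report that case rather than crash.
try {
    $mp = Get-MpComputerStatus
    if (-not $mp.AntivirusEnabled)          { $findings.Add("Defender antivirus engine is disabled") }
    if (-not $mp.RealTimeProtectionEnabled) { $findings.Add("Defender real-time protection is off") }
} catch {
    $findings.Add("Defender status unavailable ($($_.Exception.Message)); verify the installed AV manually")
}

# 2. Firewall profiles: Domain, Private and Public should all be enabled.
foreach ($profile in Get-NetFirewallProfile) {
    if (-not $profile.Enabled) {
        $findings.Add("Firewall profile '$($profile.Name)' is disabled")
    }
}

# 3. Root certificate store. Flag any root CA not in the baseline, and any root CA
#    whose validity period started within the last $RecentDays days (a fresh root on
#    a long-lived machine deserves a look even without a baseline).
$baseline = @()
if (Test-Path $BaselinePath) {
    $baseline = Get-Content $BaselinePath |
        ForEach-Object { $_.Trim().ToUpperInvariant() } |
        Where-Object { $_ }
} else {
    $findings.Add("No root-CA baseline at '$BaselinePath'; only the recency check is applied")
}
$cutoff = (Get-Date).AddDays(-$RecentDays)
foreach ($cert in Get-ChildItem Cert:\LocalMachine\Root) {
    $thumb = $cert.Thumbprint.ToUpperInvariant()
    $notInBaseline = ($baseline.Count -gt 0) -and ($baseline -notcontains $thumb)
    $recent = $cert.NotBefore -gt $cutoff
    if ($notInBaseline -or $recent) {
        $findings.Add(("Review root CA '{0}' thumbprint {1} (not in baseline: {2}; valid from {3})" -f
            $cert.Subject, $thumb, $notInBaseline, $cert.NotBefore.ToString("yyyy-MM-dd")))
    }
}

# Output: an empty list is the healthy result; anything else needs a human decision.
if ($findings.Count -eq 0) {
    Write-Output "No posture findings."
} else {
    Write-Output "Posture findings ($($findings.Count)):"
    foreach ($f in $findings) { Write-Output " - $f" }
}
```

A finding here is a prompt for review, not proof of infection: legitimate software (corporate proxies, some endpoint agents) also installs root certificates, which is exactly why the check compares against a baseline you captured from a known-clean build rather than against a fixed list.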


As with all other threats, the best way to protect your system is to keep your AV software and definitions current, apply software patches promptly, install only trusted browser add-ons, and, most important of all, never open suspicious emails or attachments.
