Recently, researchers discovered ransomware written in PureBasic, hence its name PureLocker. It can encrypt files on Windows, Linux, and Mac OS X and targets web hosting production servers.

The PureLocker ransomware is unconventional: written in PureBasic, it can attack Windows, Linux, and Mac OS X environments. It has many features that demonstrate the sophistication of the cybercriminals behind it.

This ransomware, discovered by IBM's Intezer and Iris X-Force teams, is used in targeted attacks against Windows and Linux production servers. Among the unusual things about PureLocker, the researchers found that it was written in PureBasic, an uncommon programming language.

"This unusual choice has advantages for attackers since Antivirus vendors are struggling to generate reliable detection signatures for PureBasic binaries. In addition, the PureBasic code is portable on Windows, Linux, and Mac OS X, making it easier to target different platforms."

Another unusual attribute of PureLocker is its ability to evade detection through an anti-hooking technique: it downloads a copy of the DLL "NTDLL.DLL" and manually changes the API addresses. Hooks on these APIs are what allow the antivirus to see which function a program calls, when, and with which parameters.

PureLocker mainly targets Windows and Linux infrastructure. The attackers use many evasion techniques to go unnoticed, and as a result the ransomware was not detected for several months.

PureLocker the Multi-OS Ransomware Targeting Servers

PureLocker is distributed as Ransomware as a Service (RaaS) and is used in attacks directed against enterprise servers. The researchers analyzed in depth a Windows-compatible sample of the ransomware that was passed off as a C++ cryptography library called Crypto++. They found the following characteristics:

  • There is no connection to the Crypto++ code, which means that the sample is not a real library.
  • The file contains reused code from several malware families, mainly from Cobalt Gang binaries. This means that the file is malicious and may be related to the Cobalt Gang.
  • Most of the relevant code in this file is unique, indicating that it is likely to be a new or highly modified malware.
  • During infection, the malware code performs a series of checks to ensure that the file is executed as expected by the authors of the malware and exits if any of these checks fail.
  • Once the malware executes its payload, it removes itself and also uses several anti-analysis techniques.


In addition, the malware relies on a Windows command-line utility called regsvr32.exe to install the components of PureLocker silently, without opening a dialog box. PureLocker then checks that it was indeed executed by regsvr32.exe and that its file extension is .DLL or .OCX.

It also checks the current year on the machine (in this case 2019) and whether it has administrator rights on the compromised PC. If any of these checks fail, PureLocker stops working. "This type of behavior is not common among ransomware who prefer to infect as many victims as possible in the hope of getting as much profit as possible," the experts observe.

If the checks pass, PureLocker encrypts the files with a combination of the standard AES and RSA algorithms, using a hard-coded RSA key. It adds the extension .CR1 to each encrypted file. Before disappearing, the ransomware leaves a note for the user (see image below), but this message is again quite strange: it names no cryptocurrency amount to pay to recover the locked files and instead asks the victims to send an email to a secure Proton email address.

PureLocker the Multi-OS Ransomware Targeting Servers


In their analysis, the researchers observed that PureLocker used snippets of known malware such as "more_eggs" which is sold on the Dark Web. Specialists point out that groups of cyber criminals like Cobalt or FIN6 use this type of code.
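
The two behaviours described above that are easiest to observe on a server, the silent regsvr32.exe registration and the .CR1 extension added to encrypted files, can be correlated in endpoint telemetry. The sketch below is an added example, not code from the researchers' report; the event field names, the sample events, the 30-minute window and the three-file threshold are all assumptions chosen for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry), shaped loosely like
# process-create (id 1) and file-create (id 11) records. Field names are hypothetical.
EVENTS = [
    {"ts": "2019-11-12T03:14:05", "host": "web01", "id": 1,
     "cmdline": r"regsvr32.exe /s C:\Users\Public\cryptopp.dll"},
    {"ts": "2019-11-12T03:14:40", "host": "web01", "id": 11,
     "target": r"D:\sites\shop\index.php.CR1"},
    {"ts": "2019-11-12T03:14:41", "host": "web01", "id": 11,
     "target": r"D:\sites\shop\config.php.cr1"},
    {"ts": "2019-11-12T03:14:43", "host": "web01", "id": 11,
     "target": r"D:\backup\db.sql.CR1"},
    # Benign: silent registration of a component, no .CR1 files afterwards.
    {"ts": "2019-11-12T09:00:00", "host": "db02", "id": 1,
     "cmdline": r"regsvr32 /s C:\Program Files\Vendor\viewer.ocx"},
    # Benign: one stray .CR1 file with no preceding regsvr32 run.
    {"ts": "2019-11-12T10:00:00", "host": "app03", "id": 11,
     "target": r"C:\temp\scan.CR1"},
]

def is_silent_regsvr32(cmdline):
    """True if regsvr32 is run with /s (no dialog box) on a .dll or .ocx file."""
    return bool(re.search(r"\bregsvr32(\.exe)?\b", cmdline, re.I)
                and re.search(r"(^|\s)/s(\s|$)", cmdline, re.I)
                and re.search(r"\.(dll|ocx)\"?\s*$", cmdline, re.I))

def detect(events, window=timedelta(minutes=30), min_files=3):
    """Return (host, cmdline, n_files) for each silent regsvr32 run that is
    followed on the same host, within `window`, by at least `min_files` .CR1 files."""
    alerts = []
    for ev in events:
        if ev["id"] != 1 or not is_silent_regsvr32(ev["cmdline"]):
            continue
        start = datetime.fromisoformat(ev["ts"])
        hits = [f for f in events
                if f["id"] == 11 and f["host"] == ev["host"]
                and f["target"].lower().endswith(".cr1")
                and start <= datetime.fromisoformat(f["ts"]) <= start + window]
        if len(hits) >= min_files:
            alerts.append((ev["host"], ev["cmdline"], len(hits)))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Requiring both signals keeps routine silent component registrations, such as the one on db02 in the sample data, from raising an alert on their own.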