Cybereason Discovers Massive Ransomware Operation That Automatically Generates Variants for International Distribution

Dubbed "Operation Kofer" By Cybereason Labs, its Mutating Ransomware Demonstrates APT-like Sophistication for Evading Signature and Hash-based Detection

Jul 08, 2015, 08:00 ET from Cybereason

CAMBRIDGE, Mass., July 8, 2015 /PRNewswire/ -- Cybereason today announced the discovery of a massive ransomware operation it has named "Operation Kofer". After examining samples of several Kofer variants sourced from around the world, Cybereason researchers found they shared the same general packaging and delivery techniques but incorporated random variables in order to evade static-signature or hash-based detection. This leads Cybereason to believe they were all created by the same operational group using an algorithm to "mix and match" different components, giving ransomware "APT-like" evasion capabilities. A full analysis of Operation Kofer can be found at

"If the Kofer variants are in fact coming from a single source, then this can indicate the commoditization of ransomware at a whole new scale," said Uri Sternfeld, Senior Security Researcher at Cybereason. "Our best suggestion to minimize the impact of ransomware is to run frequent backups using an external drive and use endpoint monitoring and detection technologies to limit the scope of such attacks."

The Kofer samples analyzed had different hashes and unique characteristics, but share attributes such as fake icons, bogus file names and a distinct packaging pattern that connect what would otherwise appear to be unrelated samples to a single source. In addition to mechanisms that help them evade detection by sandboxes and dynamic detection tools, Kofer variants also include embellishments that attempt to fool malware researchers.

Operation Kofer appears to be the first "drive-by" ransomware operation to incorporate an APT/nation-state level of complexity, making it an increasing threat for organizations. Cybereason believes that Operation Kofer already has a European-wide presence, as the researchers identified variants that targeted Spanish, Polish, Swiss and Turkish organizations, among others.

Cybereason's report, called "Operation Kofer: Mutating Ransomware Enters the Fray" provides a full analysis of Operation Kofer, including key findings, similarities and differences across the samples, detection and mitigation suggestions. For more information, visit or email  

About Cybereason:
Cybereason was founded in 2012 by a team of Israeli cybersecurity experts that applied their experience cracking some of the world's most sophisticated hacking operations to develop software that enables real time detection and response to complex cyber attacks. Using big data, behavioral analytics, and machine learning the Cybereason platform identifies signature and unknown, non-signature based attacks and presents a birds-eye view of the complete attack story to security teams. This eliminates the need for manual investigation and radically reduces response time for security teams. The platform is available as an on premise solution or a cloud-based service. Cybereason is privately held and headquartered in Boston, MA with offices in Tel Aviv, Israel. 

For more information, please visit:


SOURCE Cybereason