Maktub, also known as MaktubLocker and Iron, is a newly observed ransomware tool being sold using a malware-as-a-service model.
It is delivered via smaller-scale spam campaigns containing a malicious attachment. This attachment contains a rich text format document resembling a Terms of Service (ToS) agreement. Unlike most malicious attachments, this document appears to be a legitimate ToS agreement, and is believed to be included as a way to occupy the user while the malware is installing.
Once installed, Maktub checks the keyboard locale list, only proceeding if it does not detect Russian values on the list. Encryption uses the Windows Crypto API and targets all local, network and external drives. Files are also compressed before encryption, possibly to increase the speed of the process.
Maktub Locker has clearly been developed by professionals. The full product’s complexity suggests that it is the work of a team of people with different areas of expertise.
Microsoft Windows – All versions
Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.