News / Software, 06-24-2024 at 17:23

Ratel RAT ransomware attacks old Android smartphones, encrypting data and demanding ransom


Vadym Karpus

News writer

Cybercriminals have started attacking older Android devices using open-source malware called Ratel RAT. Despite the name, it behaves as Android ransomware: it encrypts or deletes data, locks the device, and demands payment via Telegram.

Check Point researchers report detecting more than 120 campaigns using Ratel RAT. Sources of the attacks include APT-C-35 (DoNot Team), as well as Iran and Pakistan. Attackers target high-profile organizations, including those in the government and military sector, with most victims located in the United States, China, and Indonesia.

[Image: Ratel RAT ransomware attacks old Android smartphones, encrypting data and demanding ransom]

In most of the infections Check Point investigated, victims were using an Android version that had reached the end of its support cycle and no longer received security updates. This includes Android 11 and older versions, which account for more than 87.5% of infected devices. Only 12.5% of infected devices run Android 12 or 13. Victim devices span various brands, including Samsung Galaxy, Google Pixel, Xiaomi Redmi, and Motorola One, as well as devices from OnePlus, Vivo, and Huawei. This shows that Ratel RAT is an effective tool for attacking a range of different Android implementations.

Ratel RAT is spread in a variety of ways. Attackers typically disguise the malware as Instagram, WhatsApp, e-commerce platforms, or anti-virus applications to trick people into downloading malicious APK files. During installation, the ransomware requests risky permissions so that it can run in the background.


Ratel RAT has several variants that differ in the list of commands they support. The most common commands are:

  • ransomware: starts encrypting files on the device.
  • wipe: deletes all files in the specified path.
  • LockTheScreen: locks the device screen, making the device unusable.
  • sms_oku: leaks all SMS messages (including 2FA codes) to the command-and-control (C2) server.
  • location_tracker: transmits the device's current location to the C2 server.

Actions are monitored from a centralized panel, where attackers can access device and status information and decide on the next steps of the attack.

According to Check Point's analysis, the ransomware command was issued in about 10% of cases. When it is, files on the victim's smartphone are encrypted with a predefined AES key, after which the attackers demand a ransom.


By obtaining DeviceAdmin privileges, the ransomware gains control over key device functions, such as the ability to change the screen lock password and display a custom message on the lock screen, typically the ransom note. If the user tries to revoke the administrator rights, the ransomware can respond by changing the password and immediately locking the screen.
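The capability set described above (a DeviceAdmin receiver combined with SMS, location, storage and boot permissions) is something an analyst can check for statically before an APK ever runs. The following is an added triage script, not code from the article or from Check Point; it scores a decoded AndroidManifest.xml (as produced by apktool) against that capability set, and the sample manifest embedded in it is constructed for illustration.

```python
"""Static triage of an Android manifest for the Ratel RAT-style capability set."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability buckets keyed to the behaviours the report describes; the
# permission strings are real Android identifiers.
CAPABILITIES = {
    "sms_exfiltration": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "location_tracking": {"android.permission.ACCESS_FINE_LOCATION",
                          "android.permission.ACCESS_COARSE_LOCATION"},
    "file_access": {"android.permission.READ_EXTERNAL_STORAGE",
                    "android.permission.WRITE_EXTERNAL_STORAGE",
                    "android.permission.MANAGE_EXTERNAL_STORAGE"},
    "background_persistence": {"android.permission.FOREGROUND_SERVICE",
                               "android.permission.RECEIVE_BOOT_COMPLETED"},
}
DEVICE_ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"


def triage_manifest(manifest_xml: str) -> dict:
    """Return the matched capabilities and whether the combination is suspicious."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    found = {cap: sorted(requested & perms) for cap, perms in CAPABILITIES.items()}
    # A receiver guarded by BIND_DEVICE_ADMIN is the hook that lets an app
    # change the lock password and lock the screen once admin rights are granted.
    found["device_admin"] = [
        r.get(ANDROID_NS + "name") for r in root.iter("receiver")
        if r.get(ANDROID_NS + "permission") == DEVICE_ADMIN_PERMISSION
    ]
    hits = [cap for cap, items in found.items() if items]
    # Heuristic: device admin plus at least two further buckets triggers an alert.
    return {"found": found, "suspicious": "device_admin" in hits and len(hits) >= 3}


# Constructed sample manifest resembling a trojanised app; not a real package.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeapp">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

Running it on the sample prints the matched buckets with `suspicious` set to True; a manifest requesting only ordinary permissions scores False.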
