Could this proof-of-concept ransomware gain traction among attackers?

A developer published via GitHub a proof-of-concept (POC) ransomware program featuring strong compatibility with the post-exploitation tool Cobalt Strike, open-source coding, and extensionless encryption.

The author claims the program, dubbed Povlsomware, is designed to be an educational tool for testing anti-virus protections; however, it’s possible that cybercriminals could adopt and modify the code in order to launch their own attacks, warns Trend Micro, which detailed the ransomware in a new company blog post this week.

The good news is that Trend Micro researchers have not seen Povlsomware discussed among members of dark web cybercriminal discussion forums. And at least some experts said it’s unlikely the program will gain significant traction among prominent cybercriminal players due to a lack of malware support infrastructure.

Such assessments are important as the threat intelligence and cyber research community tracks the evolution and popularity of various malware programs in order to stay on top of the latest trends. But this news also leads to some interesting questions: What are the motivations for posting a POC ransomware program online? And when a new POC malware emerges, what are the factors that ultimately lead it to become successful or disappear?

The nature of the malware

“Povlsomware is a Ransomware Proof-of-Concept created as a ‘secure’ way to test anti-virus vendors’ claims of Ransomware Protection,” states developer “PovlTekstTV” on his or her GitHub page. “Povlsomware does not destroy the system nor does it have any way of spreading to any network-connected computer and/or removable devices.”

Despite this disclaimer, Trend Micro expressed concern, noting some of the malware’s alluring features. First and foremost, it works well with the post-exploitation tool Cobalt Strike, which enables the program to perform in-memory loading and execution.

Without tools like Cobalt Strike, “security products will likely block such attacks and even restoration of encrypted files is possible, bringing the impact to somewhat on the low side, but only with the default code by itself,” said Don Ovid…