Thursday, June 30, 2016

Apocalypse: Ransomware which targets companies through insecure RDP

Beyond a shadow of a doubt, 2016 has been the year of ransomware, so it comes as no surprise that new ransomware families are popping up on a weekly basis. Emsisoft has been on the front line battling ransomware for years now, providing users with valuable tools that allow them to recover their files after ransomware attacks. As a result, Emsisoft researchers often find themselves on the receiving end of hate from ransomware authors. Late last year, we took a look at Radamant, whose authors included some rather unkind messages after our research team broke their amateurish ransomware. Today, we want to take a look at a new ransomware family, Apocalypse, which reared its ugly head about two months ago and recently started spewing insults towards our team as well.


Meet Apocalypse


The Apocalypse ransomware was first seen on May 9th. The main attack vector is weak passwords on insecurely configured Windows servers running the Remote Desktop service. This allows an attacker to brute-force their way in and then interact with the system as freely as if they had physical access. Abusing Remote Desktop has become increasingly common over the last few months, especially for deploying ransomware like Apocalypse.


The earliest variants install themselves to %appdata%\windowsupdate.exe and create a run key called windows update under both HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE. This variant uses the .encrypted extension. A ransom note is created for every file, named *filename*.How_To_Decrypt.txt. The email addresses dr.compress@us1.l.a, dr.compress@bk.ru, dr.jimbo@bk.ru and dr.decrypter@bk.ru are used in the ransom note.


On June 9th, another version of Apocalypse was discovered. This variant uses a different location, run key name and email address: it installs itself to %ProgramFiles%\windowsupdate.exe and creates a run key called windows update svc. The email address used in this variant is decryptionservice@mail.ru.


On June 22nd, the newest variant was discovered, which changed a lot more. Instead of windowsupdate, it now uses firefox as its name: it installs itself to %ProgramFiles%\firefox.exe and creates a run key called firefox update checker. The new extension is .SecureCrypted and the ransom note is now named *filename*.Contact_Here_To_Recover_Your_Files.txt. The email address used is recoveryhelp@bk.ru.


A closer look into the latest variant


To give you a better idea of how Apocalypse operates, we want to take a closer look at one of the newest variants, with the hash AC70F2517698CA81BF161645413F168C. The ransomware first checks the default system language; if it is set to Russian, Ukrainian or Belarusian, the ransomware quits without encrypting the system.


The ransomware then copies itself to %ProgramFiles%\firefox.exe, if it doesn’t exist there already, and sets the hidden and system attributes on the copy. It also falsifies the timestamp of this file by copying the timestamp of explorer.exe. Then a run value is created, so the ransomware runs on every startup:


Creation of the run values




Once installation is complete, it runs the newly created firefox.exe, which then deletes the original file. The firefox.exe process performs two tasks at the same time. First, it periodically checks whether certain Windows processes are running and kills them. Second, it starts the encryption routine, which gets a list of all removable, fixed and remote network drives; the latter, however, are never encrypted due to a bug in the ransomware. The ransomware then scans all folders and encrypts any files it finds.


However, the malware will not attempt to encrypt any file whose name ends in one of the following strings:


  • .exe

  • .dll

  • .sys

  • .msi

  • .com

  • .lnk

  • .tmp

  • .ini

  • .SecureCrypted

  • .bin

  • .bat

  • .dat

  • .Contact_Here_To_Recover_Your_Files.txt

Files located in the Windows folder are skipped as well.


To encrypt a file, the ransomware first checks whether it is already encrypted by comparing the first four bytes of the file against the magic value 0xD03C2A77. If the file is not encrypted already, it encrypts the file’s content in memory using a custom XOR-based algorithm:


Example of a Apocalypse encryption loop




The exact algorithm varies slightly from variant to variant. The magic value and the encrypted content are then written back to the file and the .SecureCrypted extension is appended to the filename. Before closing the file, the original timestamps are restored and the following ransom note is created for it:


A L L Y O U R F I L E S A R E E N C R Y P T E D


All your data – documents, photos, videos, backups – everything is encrypted.


The only way to recover your files: contact us to the next email: recoveryhelp@bk.ru


Attach to e-mail:

1. Text file with your IP server as Subject (To locate your encryption algoritm)

2. 1-2 encrypted files (please dont send files bigger than 1 MB)


We will check the encrypted file and send to you an email with your

Decrypted FILE as proof that we actually have the decrypter software.


Remember:

1. The FASTER you’ll CONTACT US – the FASTER you will RECOVER your files.

2. We will ignore your e-mails without IP server number in Subject.

3. If you haven’t received reply from us in 24 hours – try to contact us via public e-mail services such as Yahoo or so.
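A small triage script, added here as an example and not part of Emsisoft's decrypter or of the malware, that applies the indicators above to a directory tree: the magic value header, the two variants' extensions and ransom note names, and the malware's own exclusion list. It assumes the magic value is written as a little-endian 32-bit integer, which the analysis does not state, and it builds its own constructed sample files to scan:

```python
"""Triage helper for the Apocalypse artefacts described above.

Added example, not Emsisoft's code or part of the decrypter. It classifies
files by the indicators the analysis lists: the 0xD03C2A77 magic value at
the start of every encrypted file, the .encrypted / .SecureCrypted
extensions, the per-file ransom note names, and the extension and folder
exclusions the malware applies. It assumes the magic value is stored as a
little-endian 32-bit integer; the analysis does not state the byte order.
"""
import os
import struct
import tempfile
from collections import defaultdict

MAGIC = 0xD03C2A77
MAGIC_BYTES = struct.pack("<I", MAGIC)  # assumption: little-endian DWORD on disk

# Name endings the malware never encrypts (compared case-insensitively here).
SKIPPED_SUFFIXES = (
    ".exe", ".dll", ".sys", ".msi", ".com", ".lnk", ".tmp", ".ini",
    ".securecrypted", ".bin", ".bat", ".dat",
    ".contact_here_to_recover_your_files.txt",
)
# Extensions appended by the early (.encrypted) and latest (.SecureCrypted) variants.
ENCRYPTED_SUFFIXES = (".encrypted", ".securecrypted")
# Per-file ransom note names of the early and latest variants.
NOTE_SUFFIXES = (".how_to_decrypt.txt", ".contact_here_to_recover_your_files.txt")


def would_be_skipped(path: str, windows_dir: str = r"C:\Windows") -> bool:
    """True if the malware's own exclusion rules would have left this file alone."""
    norm = path.replace("\\", "/").lower()
    win = windows_dir.replace("\\", "/").lower().rstrip("/") + "/"
    return norm.startswith(win) or norm.endswith(SKIPPED_SUFFIXES)


def has_magic(path: str) -> bool:
    """The same header check the malware uses to avoid encrypting a file twice."""
    with open(path, "rb") as fh:
        return fh.read(4) == MAGIC_BYTES


def classify(path: str) -> str:
    """One of: ransom-note, encrypted, encrypted-no-ext, suspicious-ext, skipped, clean."""
    name = os.path.basename(path).lower()
    if name.endswith(NOTE_SUFFIXES):
        return "ransom-note"
    if has_magic(path):
        # The header is the reliable indicator; a user may already have renamed the file.
        return "encrypted" if name.endswith(ENCRYPTED_SUFFIXES) else "encrypted-no-ext"
    if name.endswith(ENCRYPTED_SUFFIXES):
        return "suspicious-ext"  # renamed but no header: not Apocalypse's output
    return "skipped" if would_be_skipped(path) else "clean"


def scan_tree(root: str) -> dict:
    """Classify every file under root, returning {category: [paths]}."""
    found = defaultdict(list)
    for dirpath, _, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            found[classify(p)].append(p)
    return dict(found)


def build_demo(root=None):
    """Write constructed sample files (this example's own test data); returns (root, paths)."""
    root = root or tempfile.mkdtemp()
    samples = {
        "encrypted": ("report.docx.SecureCrypted", MAGIC_BYTES + b"\x8a\x17\x03\xf1"),
        "stripped": ("photo.jpg", MAGIC_BYTES + b"\x42\x42"),  # extension already removed
        "note": ("report.docx.Contact_Here_To_Recover_Your_Files.txt", b"ALL YOUR FILES ARE ENCRYPTED"),
        "clean": ("notes.txt", b"plain text, untouched"),
        "skipped": ("setup.exe", b"MZ\x90\x00"),
        "fake": ("decoy.encrypted", b"no magic here"),
    }
    paths = {}
    for key, (name, data) in samples.items():
        p = os.path.join(root, name)
        with open(p, "wb") as fh:
            fh.write(data)
        paths[key] = p
    return root, paths


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_demo(tmp)
        for category, paths in sorted(scan_tree(tmp).items()):
            print(f"{category:17s} {len(paths)}")
            for p in paths:
                print("   ", os.path.relpath(p, tmp))
```

Because the malware skips anything ending in .SecureCrypted, the extension alone says nothing about a file's state; the header check is what separates an encrypted file from a renamed one.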



The ransomware also creates a window which it displays to the user with a similar ransom note:


The screen that the ransomware displays to the user




One interesting aspect of this screen is that within the code which creates it, the ransomware author hid messages to Emsisoft:



The Apocalypse developer insults “emissoft”



As before, we see messages like this as validation of our work and consider them a backhanded compliment.


How can I decrypt my files encrypted by this ransomware?


As with many other ransomware families, Emsisoft provides a free decrypter that allows all Apocalypse victims to recover their files.


The Emsisoft Apocalypse decrypter at work




The decrypter is available for download at our Emsisoft Decrypter portal.


How can I protect myself?


Due to the nature of the attack, protection software is rather ineffective. If the attacker manages to gain access to the system via remote control, they can simply disable any protection software installed or add the malware to the protection software’s exclusion list. It is therefore imperative to prevent the attacker from gaining access to the system in the first place.


The most important line of defense is a proper password policy that is enforced for all user accounts with remote access to the system. This also applies to rarely used accounts created for testing purposes or by applications.


Even better would be to disable Remote Desktop or Terminal Services completely if not required or at least to use IP address based restrictions to allow the access to these services from trusted networks only.
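The brute-force stage of this attack leaves a trail in the Windows Security log, so it can be noticed before any encryption happens. The following detector is an added example, not Emsisoft's code; it assumes a simplified, constructed one-line-per-event export of Security events 4625 (failed logon) and 4624 (successful logon) and only considers logon type 10 (Remote Desktop), raising an alert on a burst of failures from one source and again when that same source later logs on successfully:

```python
"""Detect RDP password-guessing in Windows logon events.

Added example, not Emsisoft's code. Windows records a failed logon as
Security event 4625 and a successful one as 4624; logon type 10
(RemoteInteractive) marks Remote Desktop sessions. The sample below is a
constructed, simplified one-line-per-event export of those fields (the
IPs are documentation addresses); the field layout is this example's own.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)

# Constructed sample: a burst of guesses against several accounts, then a
# success on a rarely used service account, plus one user's innocent typo
# and one line that does not parse.
SAMPLE_LOG = """\
2016-06-22T03:14:07 EventID=4625 LogonType=10 TargetUser=Administrator SourceIP=203.0.113.45
2016-06-22T03:14:09 EventID=4625 LogonType=10 TargetUser=Administrator SourceIP=203.0.113.45
2016-06-22T03:14:12 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.45
2016-06-22T03:14:15 EventID=4625 LogonType=10 TargetUser=test SourceIP=203.0.113.45
2016-06-22T03:14:18 EventID=4625 LogonType=3 TargetUser=test SourceIP=203.0.113.45
2016-06-22T03:14:21 EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.45
2016-06-22T03:15:02 EventID=4625 LogonType=10 TargetUser=svc_backup SourceIP=203.0.113.45
2016-06-22T03:15:40 EventID=4624 LogonType=10 TargetUser=svc_backup SourceIP=203.0.113.45
2016-06-22T08:02:11 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.7
2016-06-22T08:02:30 EventID=4624 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.7
this line is garbage and is skipped
"""


def parse(line: str):
    """Parse one export line; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"ts": datetime.fromisoformat(d["ts"]), "eid": int(d["eid"]),
            "lt": int(d["lt"]), "user": d["user"].lower(), "ip": d["ip"]}


def detect(lines, threshold: int = 5, window: timedelta = timedelta(minutes=5)):
    """Return alerts as tuples, in the order they trigger.

    ("brute-force", ip, failures_in_window, [users tried]) fires once when a
    source reaches `threshold` RDP failures inside `window`.
    ("success-after-brute-force", ip, user) fires for every RDP success from a
    source that was flagged earlier; that is the event worth paging on.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    tried = defaultdict(set)      # ip -> account names guessed
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None or ev["lt"] != 10:
            continue  # unparsable, or not a Remote Desktop logon
        ip = ev["ip"]
        if ev["eid"] == 4625:
            q = recent[ip]
            q.append(ev["ts"])
            tried[ip].add(ev["user"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()  # forget failures older than the window
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute-force", ip, len(q), sorted(tried[ip])))
        elif ev["eid"] == 4624 and ip in flagged:
            alerts.append(("success-after-brute-force", ip, ev["user"]))
    return alerts


def run_demo():
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_demo():
        print(*alert)
```

The second alert is the one that matters: a success from a source that was just guessing passwords means a weak or forgotten account has been found, and the window for disconnecting the session is short.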








Wednesday, June 29, 2016

Public Wi-Fi – is it safe?

Stuck without a data connection while you’re out and about? Free public Wi-Fi offers you quick access to the internet in airports, cafes, hotels, main street hotspots, even fast food chains. Burger, fries, and Wifi password please! You can work or play while you wait and, best of all, it’s free. But is it secure? The clue is in the name – ‘Public’ not ‘Private’ Wifi.


When you access a website, the data usually passes through 10-30 computers in between. A typical route is that you connect to your router, your router connects to your Internet Service Provider’s (ISP) main router, that router connects to an international overseas router, then to the main datacenter core router, and finally to the destination webserver.


It sounds complicated, but basically, each of those machines, or hops, processes your website request and passes it along until it reaches the destination server, or website, you were accessing.




So, what’s the danger?


At each of these hops, your data is received and passed along. If the data is unencrypted, each hop can also log it and read it. So you should automatically assume that everything you do while connected to a public Wifi network can be seen. Furthermore, cyber-crime is ever-changing, but there are three very specific recurring threats facing public Wi-fi users.


Man-in-the-middle attacks


This is where someone on the same public network is able to get their PC between you and the destination webserver (the website). If positioned correctly, a web pickpocket can simply pluck your passwords, emails, documents, even your logins, from the air. Instead of skulking in back alleys, now the Artful Dodger sits comfortably with a laptop, software and a cup of coffee while you pay your bills online as they watch. If they are able to intercept passwords and usernames, these elusive men-in-the-middle can also perform some amateur theatricals known as spoofing.


Spoofing is when a con artist impersonates someone else and starts a conversation with you. They can even impersonate you to someone else at the same time and sit in the middle of a correspondence, opening up all sorts of nasty possibilities. For example, any router hop (one of the ten to thirty computers we mentioned before) between the source and the destination computer may ‘pretend’ to be the destination computer for, say, PayPal.com. When your browser connects to this hop, it expects that the response is actually coming from PayPal. It checks the server certificate to see if it is from a Trusted Root Authority such as Verisign. But if someone has hacked the certificate authority, when you arrive at this hop, your computer may be infected with malware that makes your computer believe that the server certificate is authentic when it isn’t. It will show green and away you go with your credit card details, only to have them sent straight to a cyber-criminal.


Sniffing


Sniffing involves similar technical access, but is instead the constant monitoring of public network traffic, grooming for passwords and interesting data. It’s electronic snooping that needs only some software on a laptop and a certain lack of morality. Just one of the things they can steal is the session cookies that keep you logged on to websites that retain passwords and credit card information, such as Ebay, Mail and Amazon. A bloodhound is sniffing and stealing your private data. That person with the laptop in the corner might not be on Facebook after all.


Malware Invasion


Malware is malicious software downloaded to your PC over a network. It gives someone access to your computer without you even knowing it. For instance, a hacker can set up a Wifi network with a name just like the one you’re expecting. You look up ‘Joes Cafe’ instead of ‘Joes,’ innocently log on, and now the hacker can access your computer and install their malware to record your passwords, send you to unsafe websites or send 1000 spam emails from your Outlook account.


Though the threat landscape is rapidly changing, there is some good news. You can prevent Malware invasion with a top grade anti-malware program.


Emsisoft Anti-Malware


Let’s look at what you can do to get some protection from man-in-the-middle and sniffing attacks too.


How do you protect yourself?


  • Small settings changes: Select the option to use authentication and SSL in Outlook’s advanced email settings. This creates an encrypted link to help keep your emails private. If you’re using a webmail service check with that service how to add SSL encryption or look for HTTPS in the web address, a standard encryption protocol that delivers your information privately.

  • Turn file sharing off in the advanced network and internet settings. If you’re usually working in an office where you share files then turn this off when out and about – it’s an open invitation for sniffers!

  • Turn your Wifi off when you don’t need it.

  • Check the name of the network is correct. Sniffers set up their own hotspots hoping you’ll log in and show them everything.

  • Only use https websites for secure information. The ‘s’ added to http shows that the connection is delivering the data securely by using SSL, a secure encryption protocol. Any website that requires sensitive information should use SSL and be identified by the https: at the start of the website address, like our License Centre.

  • Use cell data for sensitive browsing. If you’re doing anything you wouldn’t want someone snooping on, such as internet banking or online shopping where your credit card details are required, use your own laptop data, or your cellphone’s personal hotspot.

Extra security measures you can take


Software – keep your software up to date so you don’t get download requests on the move. If you do get requests, be very suspicious. Ensure you are running, and regularly update, quality anti-virus software.


VPN – a Virtual Private Network service channels your data through its encrypted tunnel so it is secured from prying eyes. Do some homework first: learn what suits your needs best and understand how it works. It isn’t a complete solution, and there are still weaknesses, but it does help.


Firewall – your built-in Windows firewall can help stop others accessing your PC, which is good, but it won’t protect the data you are transmitting over the public wifi. Still, it adds an extra layer of protection.


A word on Encryption


Public Wifi often boasts localized encryption. Additionally, you can run an encryption programme on your laptop to encrypt data transfers. But what do these two options actually offer?


Many public Wifi networks now use WPA2 encryption. This secures the wireless transfer from your computer to the local router at the heart of the Wifi hotspot. That’s good, but what happens next isn’t. The router then sends your data to the internet with no encryption. It’s at this point someone can sniff or record it. Unfortunately, our data is still not safe.


You can also use various encryption tools on your laptop. For instance, you can encrypt a folder or file in the advanced tab of its properties. You can also set Outlook to encrypt emails, which can then only be read by someone with whom you have shared certificates. Microsoft’s BitLocker is built into Windows and can encrypt your whole hard drive. Additionally, you can use browser-based tools to encrypt online email clients.


But all of these tools need a good level of knowledge and experience to be used effectively, and without that they may provide a false sense of security. Like some of those electrical goodies you buy really cheaply online that come with a 100-page instruction manual of incomprehensible English, it simply is not that easy. If you don’t know how it works, you won’t know if it’s even working. Our sage advice is not to use them.




The last word on keeping safe


We’ve discussed some settings you can adjust on your laptop, and some simple things you can do to help keep your data safe.


If you still really need to use public Wifi for everything, we’ve suggested three security measures you can take.


But ultimately the four things that will keep you safe on public Wifi networks are:


  • Don’t use public Wifi for any sensitive information. Turn it off and use your own mobile broadband.

  • Have the latest and best anti-virus and anti-malware protection installed and regularly updated, such as Emsisoft Anti-Malware.

  • Install and run Emsisoft Internet Security. Its firewall helps to keep your PC invisible to others on public wifi.

  • Clean your computer regularly with the Emsisoft Emergency Kit which can be used without installation.

Have a happy (malware-free) day!


Your Emsisoft Team.





Monday, June 20, 2016

Potentially Unwanted Programs (PUPs) – What you need to know.

Malware, Trojans, Bugs – these very words strike fear in the heart of all of us, evoking images of lines of falling code, skulls and crossbones. These malicious programs are the filth of the Internet, the proof that with every useful technology there is an equal and opposite piece of garbage that at times could have adverse effects on your system.


A potentially unwanted program (PUP) is exactly what it sounds like: software that you may or may not want clogging up your system. PUPs are similar to malware in that they cause problems when downloaded and installed, but what makes a PUP different is that when you download one, you do it with your consent.


The term PUP was first coined as a means of defining this downloadable adware or crapware as something other than malicious software. PUPs often employ huge amounts of system resources and are a common cause of clunky operating systems, but are not considered malicious or harmful. However, they are often annoying, creating new toolbars in your web browser for shopping sites, changing your search provider from Google to Bing without reason, popping up ads constantly or giving you regular weather updates from Swaziland. Some are even aggressive by intentionally slowing down your computer to later sell you system-tuning or miracle speedup tools.


Adware loads annoying toolbars into your web browser




Why do PUPs exist? To earn revenue for software developers who are providing their software for “free”. For each successfully installed browser toolbar for example, a freeware maker earns about $2. Some PUPs exist just to make cash without ever providing anything useful to you.


So, how do you get one (or ten)?

A PUP’s behaviour is usually outlined in a EULA (End User License Agreement): that really long document that appears while you are going through all of the installation windows, happily clicking accept to get to the end of it all. But this seemingly useless pile of legal speak lists out a program’s intentions. PUPs require your approval via that accept button in order to be installed. They count on you approving the download yourself, which protects the software developers from any legal action. They rely on your speed to get through the installation process and expect that you won’t read the EULA before scrolling immediately to the bottom and hitting that ever-so-satisfying ACCEPT.


So, how do they get into your system?


Like the Christmas paper on your shiny new toy, PUPs are wrapped around your downloads, and not only by the small freeware vendors. Many big names bundle PUPs too, such as:


Adobe Acrobat reader asks you to approve auto updates


Microsoft- Skype asks you to change your browser and homepage


Oracle adds toolbars through the Java installation



Another way that PUPs find their way onto your computer is through download portals; those sites you visit to update your Adobe products or to find a decent media player. Most portals claim to offer “clean and safe downloads.” However, trusting any download portal at all has become risky due to litters of bundled PUPs teamed with software reviews on the site that don’t quite seem legit.


We researched how many PUPs were tangled in with the 50 most popular applications on Download.com where we found that 31 out of 50 tested Download.com applications bundled PUPs. See: Top 50 Download.com applications bundle toolbars and other PUPs.


Shocked by the results, we decided to look into the habits of the ten most popular download portals (other than download.com) to see which, if any, were safe to use. We downloaded their top ten most popular applications and noted exactly how much crapware came with them. We discovered that nearly every download portal contained at least one or more PUP. See: Mind the PUP: Top download portals to avoid


The problem with the bright green button.


You decide it’s time to organise all of the photos on your computer. They’re sitting around in messy folders and it’s impossible to find any specific photo when you need it. So you download a photo program to help you organise them and even edit them if you so choose. Download.com has a list of programs right there on its landing page. You choose your program and there glows that bright green icon. The DOWNLOAD NOW button is the only thing standing between you and the answer to all of your photo organisation problems. You click it! Excellent! No more messy desktop. Except, wrapped in that express download button, you’ve also downloaded three PUPs.


The secure link is a safer download option



There are multiple players involved in the distribution of Potentially Unwanted Programs (PUPs). As a result, you can face something that’s best described as Cascading PUPs. Rather than one PUP offer during your installation process, you can end up with a sequence, one after another.


One of the many ways this occurs is when a PUP bundles extra PUPs into its download. While downloading your desired program, you accept a PUP toolbar without paying attention. But, that one PUP comes with and installs even more PUPs without your knowledge.


We researched the effects of cascading PUPs in detail by downloading popular KPlayer and following the installation process. We sought to download one program. We completed the process with 6 PUPs! See: How Downloading One Program Can Give You Six Pups.


Watch out for fake software updates. These are often pushed through temporarily created websites that have been developed for Adsense. These sites are wrapped in downloaders that will prompt you to update your Flash Player or Java. There are companies that create hundreds of sites a day purely to mislead you and lead you to their site.


There are many, many more ways you can be inundated by PUPs. In fact, there are so many ways, we bundled them all for you. See: Top Ten Ways PUPs Sneak Onto Your Computer


So who benefits from PUPs?


Software vendors: the software vendor (seller) gets money from the PUP developers (creators of adware) for each install. We provide examples in this article.


Download portal: the download portal gets money for the PUPs they install through their installer (wrapper/bright green Download Now button). The software vendor is generally not involved or benefiting.


PUPs: with a bit of camaraderie, some PUPs work together to install each others products, and pay each other in the process.


Here’s where it gets scary.


A recent development in PUPware is the use of rootkits: an infection that hides itself, its own data and other files so that they cannot be seen by you or your operating system. Intercepting and receiving messages from your computer, it redirects information and reports back to the mothership whatever it wants. The use of rootkits in adware is blurring the lines between merely unwanted junk and active malware.


This can be seen even more clearly in a new PUP known as ‘Faster Internet’ which, once installed, creates a fingerprint of your computer. This information is then uploaded to the developer’s server along with screenshots of the active display on your computer and your IP address. Bordering on spyware, this piece of adware is a blatant violation of your privacy.


But wait! I saw a pop-up that was trying to help me! Enter the interactive PUP, scaring the daylights out of poor Mr and Mrs Smith by displaying online advertisements that try to scam us into thinking that our computers have a serious problem. This is done to trick you into calling the listed support number so they can scare you further into buying their services.


Fake alerts may ask you to call an anti-virus company




Sadly, there are ever more and more ways to be infected and while Adware installers continue to have little or no law regulating them, developers will remain out of control.


PUPs and the antivirus industry

Terrifyingly, after big vendors such as Oracle (Java) and Microsoft (Bing and Skype) started bundling, ethics in the software industry seems to be lost completely, as even antivirus vendors have joined the game, bundling PUPs with their software. We researched practices among the freeware antivirus vendors and the results were troubling. We found that 7 out of 8 tested free antivirus suites were bundled with PUPs. See: Has the antivirus industry gone mad?


Emsisoft is anti-PUP

During the last few years, the threat landscape has shifted significantly. When the Emsisoft team checked the latest infection statistics we found that 3/4 of all findings of Emsisoft Anti-Malware today were PUP related. The number has increased massively during the past years. See: What is Emsisoft really?


But where there is a problem, there is also a solution. We at Emsisoft maintain high ethical standards that define how we approach all threats, always with our users in mind. While many antivirus products fail to detect even the most common PUPs (and in fact install PUPs themselves directly with their own products), Emsisoft is widely recognised for removing them efficiently.


The number of PUP detections is increasing


PUPs make up 79% of infections



While we are part of the solution, it is important that you are able to recognise PUPs before you download them to avoid any problems in the first place.


So, to summarise:


  • PUPs want to make money off of you. The most common form is by hijacking your browser: they can then show you ads, monetize or sell your search and/or browser behavior or redirect your homepage.

  • PUPs use aggressive distribution methods to get onto your computer; in the large majority of cases, you will not be aware that you are installing a PUP.

  • Most PUPs don’t have any significant value or advantages. PUP producers get around this by paying other software vendors or distributors, such as download portals, $$$ for every new installation they bring in.

  • PUPs are often brought to you by freeware vendors: they frequently get on your computer bundled with a freeware program. While you’re installing program A, you also install one or more PUPs, often without knowing you did. The freeware vendor gets money from the PUP producer to do this.

Phew. So, now that you know what they are and how to get them, how do you avoid PUPs?


  • Be cautious, use common sense and take your time. Read carefully when installing anything. Don’t click accept until you are sure you are willing to install everything mentioned in the EULA (End User Licence Agreement).

  • Only use reputable download sources such as the official site of the product you are downloading.

  • Avoid download portals and NEVER download or install applications that seem suspicious or malicious.

  • Install, update, and run reputable antivirus software, such as Emsisoft Anti-Malware, that offers real-time protection against PUPs.

  • Clean your computer periodically with the Free Emsisoft Emergency Kit.

Have a happy (PUP-free) day!

Your Emsisoft Team.









Saturday, June 18, 2016

Video: Emsisoft Anti-Malware vs. PUPs

If you google ‘PUP’ you will get the most amazing images of cute little dogs. So cute even lovers of cat videos won’t go without a smile on their face. No, really. Try for yourself! Pups make you smile. Sadly, that’s not what this is about. It’s about the nasty sort of PUPs we all come across quite regularly. At home. At work. Just everywhere. They do not make us smile at all. The PUPs we’re talking about are Potentially Unwanted Programs, in fact a very common problem for PC users.


The main characteristic of a PUP is that it installs on your computer even if you don’t want it, by using tricky techniques to bundle with good programs. It’s just there and you have no idea how it got there. This happens behind the scenes, without your knowledge. Truly a nasty PUP. The result is a slower system, annoying pup-ups – sorry… pop-ups and a good chance that someone is collecting all your data without you suspecting anything.


Lucky for you, the great minds at Emsisoft have not only researched this topic quite intensely in our latest blog post, we have also set up a video in which you can review step by step how our Emsisoft Anti-Malware software protects you from nasty PUPs. So you can now sit back and watch some great ideas on how to get rid of nasty PUPs.



For the best viewing experience, a full screen icon (right bottom corner) is available after starting the video.







Video: Emisoft Anti-Malware vs. PUPs

RAA, a new Ransomware variant using only JavaScript

While JavaScript ransomware is not new (see for example this article about Ransom32), we recently encountered a new ransomware variant, known as RAA, that exclusively uses JavaScript in order to encrypt personal files using AES. Just to add a little extra, this ransomware also drops Pony malware (a well-known info-stealer).


What is new is that the ransomware is distributed without using the nw.js framework and without being packed into an executable. To perform AES encryption of the targeted files, it bundles the CryptoJS library inside the script itself.


The malware is typically spread using malicious email attachments pretending to be .doc files. To make this believable, the first thing it does when executed is drop a file in the %userprofile%\documents folder and open it with WordPad, pretending the document is corrupt.


Fake corrupt document



Translated from Russian, this means:
Error! Error code (0034832)

This document was created in a newer version of MS Word and cannot be opened by your version of WordPad

Refer to the file publisher or open the content using MS Word 2013

Some items cannot be displayed correctly.


To ensure the ransomware is loaded on each startup, a run value is created that points to the original dropper, as can be seen in the image below.


Creation of the run value.



Furthermore, to make sure that files cannot be recovered using the File History option, the Volume Shadow Copy Service (VSS) is deleted. As a result, when an attempt is made to restore older versions of an encrypted file, no previous versions will show up, and the following error is shown when an attempt is made to access System Restore.


System Restore error message.

Deletion of the VSS service.



The next step is the actual encryption process, using the included CryptoJS library. Encrypted files will get .locked appended to the original file name.


Encryption Function



Files with the following extensions will be encrypted: .doc, .xls, .rtf, .pdf, .dbf, .jpg, .dwg, .cdr, .psd, .cd, .mdb, .png, .lcd, .zip, .rar, .csv. Files whose names contain .locked, ~ or $ will be skipped.


List of extensions to be included and excluded strings.



The following folder names are excluded from the encryption process: Program Files, Program Files (x86), Windows, Recycle.Bin, Recycler, AppData, Temp, ProgramData and Microsoft.


List of folders to be excluded.



To “assist” the victim, a ransom note in Russian called !!!README!!![unique ID].rtf is created on the desktop (where [unique ID] is the unique ID generated during the infection process), requesting a ransom of 0.39 Bitcoin or 250 USD. Its content is as follows.


Russian ransom note.



Thus far we have focused on the encryption part; however, this malware also drops an executable known as the Pony info-stealer to %userprofile%\documents\st.exe. The executable is embedded in the JS dropper as a base64-encoded string. Pony is capable of stealing sensitive information (for example passwords stored on your computer) and sending it to a remote attacker. After decoding the base64 string and writing st.exe, the dropper executes this file as well, so the info-stealer is installed on the computer alongside the ransomware.
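As an added example (not code from the original post), the following Python triage routine flags the host behaviours described above in constructed Sysmon-style process, file and registry events: a script host executing a .js attachment, a Run value pointing at a .js dropper, removal of the VSS service, and a script host writing an .exe into the Documents folder. The key=value record format, the Run value name and all file paths are assumptions; the events are made up for illustration.

```python
import re

# Constructed Sysmon-style events (assumed key=value format, not real RAA telemetry).
# Event IDs follow Sysmon: 1 = process create, 11 = file create, 13 = registry value set.
SAMPLE_EVENTS = [
    r'EventID=1 Image=C:\Windows\System32\wscript.exe CommandLine="wscript.exe C:\Users\bob\AppData\Local\Temp\invoice.doc.js"',
    r'EventID=13 Image=C:\Windows\System32\wscript.exe TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Update Details=C:\Users\bob\AppData\Local\Temp\invoice.doc.js',
    r'EventID=1 Image=C:\Windows\System32\sc.exe CommandLine="sc delete vss"',
    r'EventID=11 Image=C:\Windows\System32\wscript.exe TargetFilename=C:\Users\bob\Documents\st.exe',
    r'EventID=1 Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe C:\Users\bob\notes.txt"',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # quoted values may contain spaces
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")         # default handlers for a bare .js file
JS_RE = re.compile(r'\.js\b')                          # matches .js but not .json

def parse_event(line):
    """Split one key=value record into a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def triage(line):
    """Return the names of the RAA-style rules that fire for a single event."""
    ev = parse_event(line)
    eid = ev.get("EventID")
    image = _basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "").lower()
    hits = []
    # Dropper: the .js attachment is run by a script host (RAA ships as a bare .js file).
    if eid == "1" and image in SCRIPT_HOSTS and JS_RE.search(cmd):
        hits.append("script_host_runs_js")
    # Recovery sabotage: VSS service deletion (as described above) or shadow copy deletion.
    if eid == "1" and image in ("sc.exe", "vssadmin.exe") and (
            "delete vss" in cmd or "delete shadows" in cmd):
        hits.append("vss_removed")
    # Persistence: a Run value whose data is a .js file (the value name "Update" is assumed).
    if eid == "13" and "\\currentversion\\run\\" in ev.get("TargetObject", "").lower() \
            and ev.get("Details", "").lower().endswith(".js"):
        hits.append("run_value_points_to_js")
    # Second stage: a script host writing an executable (Pony is dropped as st.exe).
    if eid == "11" and image in SCRIPT_HOSTS and ev.get("TargetFilename", "").lower().endswith(".exe"):
        hits.append("script_host_drops_exe")
    return hits

def triage_log(lines):
    """Map line index -> rule hits for every event that triggered at least one rule."""
    return {i: hits for i, line in enumerate(lines) if (hits := triage(line))}

if __name__ == "__main__":
    for idx, hits in triage_log(SAMPLE_EVENTS).items():
        print(idx, hits)
```

Any single rule firing is worth a look, but the same script host appearing in the dropper, persistence and file-drop rules within a short window is the pattern that matches this infection chain.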


SHA1 hashes of the malware:
RAA: 2c0b5637701c83b7b2aeabdf3120a89db1dbaad7

Pony: 822bf6d0eb04df65c072b51100c5c852761e7c9e


Unfortunately decryption of files encrypted by RAA is currently not possible, which only proves that having a backup of important data really is a must! Emsisoft users are protected from this malware by our Behavior Blocking technology that will intercept and remove this malware before it can do any harm.


Behavior Blocker alert for RAA

Behavior Blocker alert for Pony



