It has been reported that variants of a new ransomware named "Ranscam" are spreading. The ransomware is not capable of encrypting the files on the infected machine; rather, it simply deletes the files on the infected machine. It pretends that the data on the victim machine has been encrypted with an encryption key and moved to a hidden encrypted partition. It then demands a ransom amount in bitcoin for the decryption key for those files, which in fact no longer exist, having been deleted in the early stage of infection.
The malware performs the following functions:
1. Deletes files on the victim's machine.
2. Connects to a remote command and control server.
3. Does not contain any encryption/decryption routines.
4. Shows a ransom message on the victim/infected machine, stating the procedure to be followed for making payment and decrypting files.
5. Forcefully reboots the infected machine.
The malware is a .NET compiled executable signed with a digital certificate, targeting the Windows environment. It does not contain any encryption/decryption routines. The malware makes use of the Windows command processor to execute a batch file that deletes the contents of certain designated folders. The data targeted by the malware includes user-generated files, core Windows files used for System Restore, and files and registry keys that are needed to boot the system in Safe Mode. On successful execution and deletion of the files by the ransomware, the message shown to the user is:
In the image shown above, a button is provided which is intended to verify the payment made by the victim, but in reality no verification is performed. On clicking that button, an HTTP GET request is made to download two PNG files: one shows a "verification in progress" image and the other shows a "payment verification failed" image.
The ransomware is packed as a .NET compiled executable signed with a digital certificate issued by reca[dot]net on 6th July, 2016.
Upon execution of the .NET executable, various file system changes are made, including dropping a batch file in the %temp% folder. This batch file makes use of Windows PowerShell to execute itself and to make further file system changes.
The batch script is capable of performing the following actions:
- Deleting the core Windows executable responsible for System Restores
- Deleting shadow copies
- Deleting several registry keys associated with booting into Safe Mode
- Setting registry keys to disable Task Manager
- Setting the keyboard Scancode Map
- Using PowerShell to show the ransom note JPEG on the victim machine
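The batch script leaves a set of host artifacts that a responder can look for. The following PowerShell triage script is an added example written for this advisory, not code from the advisory or from the malware; it checks for the artifacts listed above and for the dropped batch file in %temp%. The registry locations used are the standard Windows ones for Task Manager policy, the keyboard Scancode Map and Safe Mode boot configuration; the advisory does not name the exact keys, so treating these as the affected locations is an assumption.

```powershell
# Added host-triage script (not part of the advisory). Run in an elevated
# PowerShell session: vssadmin needs administrator rights.
$findings = @()

# 1. Batch files dropped in %temp% (the advisory names ~A958.bat; the name
#    may differ between samples, so any .bat in TEMP is reported for review)
Get-ChildItem -Path $env:TEMP -Filter '*.bat' -File -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Batch file in TEMP: $($_.FullName)" }

# 2. Task Manager disabled via policy (per-user and machine-wide locations)
foreach ($hive in 'HKCU:', 'HKLM:') {
    $key = "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    $val = (Get-ItemProperty -Path $key -Name DisableTaskMgr -ErrorAction SilentlyContinue).DisableTaskMgr
    if ($val -eq 1) { $findings += "DisableTaskMgr=1 under $key" }
}

# 3. Keyboard Scancode Map present (absent on a default install; a legitimate
#    key remapping also sets it, so confirm before treating it as malicious)
$kbd = 'HKLM:\SYSTEM\CurrentControlSet\Control\Keyboard Layout'
$map = (Get-ItemProperty -Path $kbd -Name 'Scancode Map' -ErrorAction SilentlyContinue).'Scancode Map'
if ($map) { $findings += "Scancode Map present under $kbd ($($map.Length) bytes)" }

# 4. Safe Mode boot keys removed
foreach ($sb in 'Minimal', 'Network') {
    $path = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$sb"
    if (-not (Test-Path $path)) { $findings += "SafeBoot\$sb key is missing" }
}

# 5. System Restore executable removed (System32 on Vista and later,
#    System32\Restore on Windows XP)
$rstruiPaths = @('System32\rstrui.exe', 'System32\Restore\rstrui.exe') |
    ForEach-Object { Join-Path $env:SystemRoot $_ }
if (-not ($rstruiPaths | Where-Object { Test-Path $_ })) {
    $findings += 'rstrui.exe (System Restore) not found'
}

# 6. No volume shadow copies left
$shadows = & vssadmin.exe list shadows 2>&1 | Out-String
if ($shadows -match 'No items found') { $findings += 'No volume shadow copies present' }

if ($findings.Count -eq 0) { 'No Ranscam-style artifacts found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

A single finding (for example a Scancode Map set by the user, or a laptop with shadow copies disabled) is not proof of infection; several together, alongside the network indicators below, are.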
Indicators of Compromise:
Upon infection, the malware makes network connections to one of its command and control servers, issuing an HTTP request to download the file encryption and locking warning image shown to the user, and then reboots the infected machine.
Some of the remote servers contacted by the malware are:
- crypted[.]site88[.]net hosted on 220.127.116.11
- publicocolombiano[.]com hosted on 18.104.22.168
- www[.]waldorftrust[.]com hosted on 22.214.171.124
- cryptoglobalbank[.]com hosted on 126.96.36.199
File System changes:
- %temp%\~A958.bat
Email Ids used by the attacker are:
Bitcoin wallet used by the malware author:
MD5/SHA256 of ransomware:
- Scan the computer for possible infection with the removal tools mentioned below.
- Apply software restriction policies depending upon the operating system installed. Details are given below:
Windows XP Path: %UserProfile%\Local Settings\*.exe
Windows Vista/7/8 Path: %LocalAppData%\*.exe
Security Level: Disallowed
Description: Don't allow executables to run from %AppData%.
- This setting universally prevents executables from running from the said location.
- Conduct routine backups of important files, keeping the backups stored offline.
- Disconnect the infected system from wireless or wired networks to prevent the malware from further encrypting files stored on network shares.
- Exercise caution while visiting links within emails received from untrusted users or unexpectedly received from trusted users.
- Do not download and open attachments in emails received from untrusted users or unexpectedly received from trusted users.
- Exercise caution while visiting links to web pages.
- Protect yourself against social engineering attacks.
- Do not visit untrusted websites.
- Enable firewall at desktop and gateway level and disable ports that are not required.
- Avoid downloading pirated software.
- Keep patches and fixes for the operating system and application software up to date.
- Keep antivirus and antispyware signatures at desktop and gateway level up to date.