The one thing about cybercriminal is that they are persistent and always finds a new a way to attack. And they tend to improve themselves staying ahead of cyber defenders.
Recently we have received one malware sample and the infected PC too. So we take a look at the malware sample. At first, we thought this is just another variant of ransomware but after doing some analysis, we found that this malware does not encrypt any files but still ask for ransom. Below are the pictures of the ransom note.
Most of the previous ransomware note includes encryption methods, the deadline to decrypt the file, bitcoin address for payment etc. But this ransom note is different and has the title “Notice of Imposition of File”. This ransom looks like the notice sent from the federal office and has the following notice.
- Materials that Violates the Intellectual Property Right
- Suspicious Activity
After reading the note, we can come to the conclusion that this note has the threatening message to the victim to pay the fine to settle the pre-trial within 24 hours with the following note.
“You must pay penalty within 24 hours to settle the case out of court. Incase of failure to comply claims”
ALL COLLECTED DATA WILL BE MADE PUBLIC AND THE CASE GOES TO THE TRIAL.
And this note also provides all the details of the victim which includes
- Location Area
- Skype Account Details
- Facebook Account Details
- Linkedin Account Details
- IP Address
- CPU Details
- System Details
- PC Name
And with note contain the victim images from facebook, LinkedIn, and picture taken from webcams.
And when victims click the payment options, then it will take to the payment page where victims are requested to fill up their basic details and the credit card details.
In short, when this malware is infected in the PC, it will collect all the data of the victim, even capture the picture from the webcam and creates a ransom note which I described above and threatens the victim to pay ransom or they will leak their private data in public.
More About This Malware
This malware is distributed via Nuclear Exploit Kit and the users become a victim when they visit compromised WordPress website which redirects to Nuclear Exploit Kit Server. To spread this malware, we have identified one IP 184.108.40.206 that have been used by cybercriminals.
After being deployed malware disappears and runs it by dropped copy from the hidden folder created in C:\\Users\Username\AppData\Local\Temp\Low
It also creates a link to the dropped malware in \AppData\Roaming\Microsoft\Windows\StartMenu\Programs\Startup
And it also drops other files
And then this malware starts to talk with Command and Control(C&C) server. We have identified two C&C server
When the victim PC starts to communicate with C&C, then malware starts to collect data from the victim PC which can be used for the ransom note. After the data is collected to create a ransom note, then the malware becomes active to lock the screen with the ransom note. The following picture shows the malware process running in the background.
And when a victim sends the requested ransom to cyber criminals, then the request is sent to the crooks server via a secure communication (TLS). The server IP is 220.127.116.11 which is behind the TOR.
Find the Malware Analysis details here
This malware has evolved to another level and has become the next-generation ransomware.
How to Protect yourself from malware?
- Install Anti-Virus/Malware Software.
- Keep Your Anti-Virus Software Up to Date.
- Run Regularly Scheduled Scans with Your Anti-Virus Software.
- Use updated version Operating System.
- Back up your file.
- Think Before you click.
- Use Strong Password with two-step verification.
- Cover up your webcam.
Rigo Provide Managed Security Service and Continuous Security Monitoring.