Pay up or else: Ransomware Targeting Nepal

Ransomware is on a sharp rise worldwide because of its easiness and faster way to earn money. Cyber criminals are targeting financial organizations and every other sector with different types of Ransomware. Nepal also in a short period of time has become one of the most targeted cyberspace for cyber criminals. Rigo technology recently found two malicious ransomware(Cryptowall 4.0 and Teslacrypt 3.0.) targeting organizations and individuals asking for ransom

What is cryptowall 4.0?

CryptoWall 4.0 includes advanced malware dropper mechanisms to avoid antivirus detection, but this new version possesses vastly improved communication capabilities. It includes a modified protocol that enables it to avoid being detected, even by 2nd generation enterprise firewall solutions. This lowered detection rates significantly compared to the already successful CryptoWall 3.0 attacks.

CryptoWall 4.0 after infecting its victims drops files listed below which contains information from malware creator


Here is an example of such  text files:
C: \ Documents and Settings \ User \ Desktop \ HELP_YOUR_FILES.TXT

As you can see, the message uses an on obviously condescending tone. It also includes an FAQ with answers directed to the victim.

cryptowall 4 (2)

CryptoWall 4.0 now encrypts not only the data in your files but the file names as well. This social engineering technique confuses the victims even more. It also enhances the pressure of wanting to retrieve their data as fast as possible. Consequently, this increases the “success” ratio of how many victims see the message versus how many pay the ransom. A clear business enhancement by cyber criminals.

What’s important to observe here is that Cryptoware creators act like they run software companies:

  • They continue to enhance their code so it becomes more effective in terms of finding vulnerabilities to exploit
  • They address current IT security market trends by making their ransomware as undetectable as possible
  • They use all triggers at their disposal (social and emotional) to increase their return on investment.

What is teslacrypt 3.0?

A new version of the TeslaCrypt Ransomware was discovered by BloodDolly, the creator of TeslaDecoder, that was built on January 12, 2016.  This release calls itself version 3.0 and uses a different encryption key exchange algorithm. Furthermore, all encrypted files will now have the new .XXX, .TTT, .MICRO extensions appended to them.

The major and most problematic change is the modules of key exchange has been modified. In the past, there was a way to recover the private key from an encrypted file.  Now with this modification, this is no longer possible for new victims.

TeslaCrypt 3.0 Ransom Note
TeslaCrypt 3.0 Ransom Note. Click to Enlarge

Related Files:


Related Registry Keys:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\meryHmas    C:\Users\[username]\AppData\Roaming\[random].exe

At the moment, there seems to be no way to decrypt our encrypted file, but you can follow steps mentioned below in the video

It is not 100% guaranteed that ransomware will be fully removed from the machine using steps mentioned above. So, it is better to prevent our machines from getting infected.

Some basic tips to prevent from ransomware:

  1. Backup Your Data
    All your data should have a regular backup in the different medium like cloud storage, USB drive or External drive so that even in a worst case scenario you can still have access to your data.
  2. Think Before You Click.
    Almost every Ransomware spread through the Internet through file-sharing websites, attachments from an email, files, and links to file downloading websites shared in social networking websites. So, whenever you saw an attachments or any links always think before you click, and make sure the link and file you are downloading are from a trusted source.
  3. Hardening Your Anti-Spam Filters.
    Many spams emails contain eye-catching messages and are attached with Ransomware which when clicked by users gets your machines infected. Make sure your Anti-Spam filters are enabled and you are disallowing file extensions like .exe, .vbs, or .scr in mail server to block all suspicious  attachments.
  4. Don’t Open Suspicious Attachments.
    Always suspect a file that is attached to your emails or shared in social networking websites. Don’t open any files that you suspect, and in case you need to open those files make sure you open it in an isolated virtual environment.
  5. Use show file Extension Settings.
    This is a settings feature in Windows that permits you to effectively tell what sorts of documents are being opened. An attacker can hide malicious code in different file format like in images e.g., movie.avi.exe or account.xlsx.scr to execute their hidden command, enabling this setting would allow you to see what file extension files you are opening.
  6. Always update.
    Make sure your system is always updated, updates usually contains critical patches to several security vulnerabilities.
  7. Turn Your Firewall On.
    Every system has its own firewall make sure your Firewall is enabled and properly configured.
  8. Scan all Compressed and Archived File.
    Many malicious code and file are inside a compressed file, use anti-virus and scanners to scan that compressed file before opening.
  9. Disabling Windows Script Host.
  10. Disable windows Powershell.
    Windows PowerShell is a framework for task automation, it must only be enabled when necessary.
  11. Enhance Security of Microsoft office component.
    Blocking external content is a dependable technique to keep malicious code from being executed on the PC.
  12. Block Popups(ad-blocker).
    Pop-ups are the entry point for trojans and malware, adding add-on or extensions for blocking popups can reduce entry point for trojans and malware.
  13. Deactivate Autoplay.
    Disabling autoplay will block harmful process to run from external media devices like USB and external hard drive.
  14. Define Software Restriction Policy.
    Software restriction policy should be defined by the user to stop executing automatically files in their system or process places like ProgramData, AppData, Temp and Windows\SysWow.
  15. Block known-malicious Tor IP addresses.
    Tor network(gateway) is used to communicate with command and control server, blocking tor network connection is a good way to prevent malware from communicating to control server.

If you are the victim of Ransomware and  need incident response service, then please do contact us 

471-Anamnagar, Kathmandu, Nepal


 info @ rigotechnology.com

Manish Dangol

Leave a Reply

Your email address will not be published. Required fields are marked *