Let's meet the latest ransomware

Ransomware

I received an email last night saying my parcel couldn't be delivered by FedEx. In the first glance it looks ordinary, since Fastway, TNT and even AuPost started to send notice by email sometimes. BUT there is a zip attachment.

ransomeware email

You should be cautious about every email coming into your Inbox with attachments, so I unzipped it into a test folder, though my Operating System is Linux - much less vulnerable to virus/malware.

content of attachment

I've had customers called for help after they got infected by the ransomware and after some conversation the only advise I could give was either pay the ransom (around $500 USD) if the documents are so important, or just forget about it at the moment as there is no decryption tools available so far.

So I suspect this email could be having ransom viruses in the attachment. There were two files in the zip file. One of them is binary and another one is javascript and I could open it in a text editor.

ransomeware script

I could tell, this script needs to access Internet to do the job, though I'm not a programmer. As I was keen to confirm this ransomware, I created a sandbox - a Windows 7 Professional VirtualMachine with virtualbox (a great free Virtual Machine). Nothing happened after clicking the ransomware file, no weired task in Windows task manager. Then I enabled Network/Internet access. Now I could see a suspicious process named "a1.exe" appeared, then there was another "a1.exe".

ransomeware suspicious process

Only few minutes later, an image window popped up and also a browser plus the wallpaper changed, very noticeable that I was infected -- indeed by the ransomware.

Ransomeware Notice Image
Ransomware Notice Image
Ransomeware Notice In Browser
Ransomware Notice In Browser
Wallpaper has been changed by Ransomeware
Wallpaper has been changed by Ransomware

I actually was a bit worried about the Network Drive, in case my working folder was mapped into the Windows network drive. All my working files would be encrypted if this variant could do the damage to the network drive. Of course, I had double checked that the network drive only mapped to a limited folder in my host Linux, but who knows, people make mistake!!

To my surprise, the test image and file on the network drive were untouched, but the test image and file on the USB stick were encrypted, which means I would have to pay the ransom if those are valuable documents.

Ransomeware before encrypted
Ransomware before encrypted
Ransomeware after compromised
Ransomware after compromised

You can see the file names have been encrypted as well, and a html file was created and will point you to the web page about how to pay the ransom.

So far, there is absolutely no solution, so be careful about the attachment.