New Ransomware Shows Expertise
Wednesday, April 6, 2016 @ 10:04 AM gHale
There is new ransomware that is not the most difficult attack, but it does offer other difficult measures for victims to hurdle.
The ransomware ended up called Rokku because once victimized by the software, it will encrypt all files and append the “.rokku” extension on each file, said researchers at Avira, who called the ransomware TR/Genasom.
Infection occurs with spam email that comes attached with all sorts of malware files.
These email attachments, if downloaded and executed, will start the Rokku ransomware’s encryption process, which uses a hard-to-break RSA-512 crypto algorithm.
Taking into account the ransomware asks for 0.242 Bitcoin ($100) and that researchers have managed to crack RSA-512 keys on Amazon EC in seven hours for $107 in computational power, it may be more cost effective to not to pay the ransom at all.
While the weak crypto may be weak, the rest of the ransomware seems to be the work of a ransomware expert that has experience in dealing with these types of infections and their victims.
First and foremost, Rokku makes sure to delete shadow volume copies from the hard drive, so backup software won’t be able to recover non-encrypted files. If there are offline backups, then the victim can restore them, but with no shadow volume copies, recovering them from the same hard drive is technically impossible.
At the end of the encryption process, the ransomware drops its ransom notes, which are a text and an HTML file.
Rokku author’s attention to details can be seen in the HTML ransom note, which offers a Google Translate widget so it can translate the ransom note into the victim’s own language.