Ransomware, RaaS Portal Found

Monday, February 27, 2017 @ 05:02 PM gHale


A Ransomware-as-a-Service (RaaS) portal is sending out a new ransomware family called Unlock26.

Dot-Ransomware is the RaaS portal that went live February 19.


Security researchers said the Unlock26 ransomware was released the same day. They said the ransomware operation has a minimal and direct style, with few instructions and a simple ransom note and payment portal.

Attackers registering for the service can download two files: core.exe, a benign ransomware payload, and builder.zip, an archive containing the builder and usage instructions.

The builder is a minimal command-line interface through which affiliates can customize the ransom amount (special decryption prices can even be set per country), the targeted file types, the type of encryption (full or first 4MB of each file), and the Bitcoin address where the payment should be sent, said researchers at BleepingComputer.

The builder is a minimal CLI tool that allows users to customize the following options:
— Ransomware decryption price
— Special decryption prices per country
— Extensions targeted for encryption
— The type of encryption (full or first 4MB of each file)
— The Bitcoin address where to send the bad guy’s 50 percent cut

To apply the custom settings to the ransomware, affiliates only need to load the core.exe file into the builder, which then generates a fully weaponized binary ready for distribution. From that point, it’s up to each attacker to distribute the malicious file using whatever means necessary.

Unlock26, the newly generated ransomware, appends a .locked-[XXX] extension to encrypted files, where XXX appears to be three random alphanumeric characters unique to each victim. Once encryption completes, the malware displays a ransom note instructing victims to access one of four Tor-to-Web proxy URLs.
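As an added illustration, not taken from the article or from the researchers' report, the following Python script shows how a defender could triage a file listing for the .locked-[XXX] naming pattern described above and flag a likely mass-encryption event. The sample filenames, the victim tag values, the assumption that the tag is case-insensitive alphanumeric, and the alert threshold are all constructed for this example.

```python
import re
from collections import Counter

# Unlock26 appends ".locked-XXX", where XXX is three alphanumerics unique per victim.
# Case-insensitivity of the tag is an assumption; the article only says "alpha-numeric".
UNLOCK26_EXT = re.compile(r"^(?P<orig>.+)\.locked-(?P<tag>[A-Za-z0-9]{3})$")


def parse_unlock26_name(filename: str):
    """Return (original_name, victim_tag) if the name carries the Unlock26 extension, else None."""
    m = UNLOCK26_EXT.match(filename)
    if not m:
        return None
    return m.group("orig"), m.group("tag")


def triage_listing(filenames, threshold=5):
    """Summarise a file listing: encrypted files per victim tag and per original extension.

    Any tag with at least `threshold` renamed files is reported as a likely
    mass-encryption event; the threshold value is an assumption, not from the article.
    """
    per_tag = Counter()
    per_ext = Counter()
    for name in filenames:
        parsed = parse_unlock26_name(name)
        if parsed is None:
            continue
        orig, tag = parsed
        per_tag[tag] += 1
        ext = orig.rsplit(".", 1)[1].lower() if "." in orig else ""
        per_ext[ext] += 1
    flagged = sorted(t for t, n in per_tag.items() if n >= threshold)
    return {"per_tag": dict(per_tag), "per_ext": dict(per_ext), "flagged_tags": flagged}


# Constructed sample listing; not from a real infection.
SAMPLE_LISTING = [
    "budget.xlsx.locked-a7Q",
    "report.docx.locked-a7Q",
    "photo.jpg.locked-a7Q",
    "notes.txt.locked-a7Q",
    "archive.zip.locked-a7Q",
    "readme.txt",               # untouched file
    "backup.locked-ZZ",         # tag too short, does not match the pattern
    "other.pdf.locked-b1x",     # a second tag, below the alert threshold
]

if __name__ == "__main__":
    print(triage_listing(SAMPLE_LISTING))
```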

A signature hidden in the links displayed by the ransom note allows cybercriminals to distinguish between infected hosts, researchers said.

This also means victims have to click the links: typing the visible URLs into a browser manually won’t give access to the payment portal, because the site checks for the presence of those signatures.

The signatures are included so that each victim is directed to a unique Bitcoin address when accessing the portal. The payment site, however, doesn’t give clear instructions on what victims should do.
