Ranscam's cryptographer simply removes files, does not encrypt anything

Published on July 13, 2016

Ranscam's cryptographer simply removes files, does not encrypt anything



    Cryptographers are everywhere now. Programs that encrypt user files and then require a ransom for decrypting data bring a lot of money to their creators. Among this kind of software there are truly brilliant programs. In many cases, the developers of such malware keep the promise: if the user pays, he gets a key to decrypt the files. But this is not always the case - sometimes the key after the payment does not come.

    It also happens that there is not only a key, but also files. Ranscam is a malware that only pretends to be a cryptographer. The software pretends that the files are encrypted, although in fact everything that the user sees on the screen is a command line with a list of files to be deleted. As soon as the files are deleted, the program displays a pop-up window asking you to pay money to get the encryption key.



    In the information window that appears, the user sees a message stating that all files are transferred to a hidden partition of the disk and are encrypted; all important programs are blocked; the computer will not be able to work normally. It also indicates that when you make a payment in Bitcoins, everything will return to its place - the user will receive his files back.

    Just below the window is placed the field where you need to enter your data after making the payment. The malware allegedly must “verify” the payment details of the victim. It says that clicking on a button without making a payment is fraught with complete removal of all files. All that this software does is perform an HTTP GET request to receive PNG images that demonstrate the verification process to the user. In fact, the program does not check anything.

    In addition, the payment does not help - all files are deleted by the cryptographer when the PC is infected. The author of the malware is trying to deceive the victim, so that she paid the money. The software itself is quite simple - not very experienced attackers obviously worked on it.

    The virus penetrates the user's computer as an executable .NET file. The file is signed with a digital certificate issued by reca [.] Net. The date of issue of the certificate is July 6, 2016.



    When the victim opens the file, the software performs several actions. First, the program copies itself to% APPDATA% \, and also registers in autoload. In addition, it is unpacked in% TEMP% \.





    The program creates and executes an executable file that finds a number of folders on the victim’s system and pretends to “encrypt” these files. In fact, everything is permanently deleted.



    In this case, the malware fully justifies its name, since it performs a number of actions that kill the user's system:
    • Delete all Windows files that are responsible for backing up data (System Restore);
    • Removes shadow copies;
    • Removes a number of registry keys responsible for starting the system in Safe Mode.

    After all this, the system requests a JPEG file to show a message about the need to make payment for decrypting files.



    Once all this is done, the script shuts down the computer. All the steps described above will be performed each time the PC is turned on. And each time, the malware deletes all new and new files and shows a message about the need to pay.



    Here is a list of files that are downloaded when Ranscam is running from the attacker's server. He did not even bother obfustsirovat data.

    Information security specialists studying the malware were sent to the e-mail address specified in the message of the virus. "Victim" requested help from the creator of the virus, saying that she could not perform the transaction with Bitcoin correctly. Almost immediately after the request came the answer.



    There was another request to help: “I don’t understand anything about these things. I don't understand what it all means or how much it costs, but I want to get my computer back. I have a lot of photos of my family and I can not and see. Is there any place where I can send my data, or perhaps there is a phone number where you can let me help you? I don’t know what I did, but my daughter’s computer doesn’t show this nasty message, what should I do? Please help me to return my photos, they are important! ".

    A couple of hours after the request, the attacker sent a response, where he gave detailed instructions for payment. After that, the author of the virus did not continue to communicate. However, he provided the same Bitcoin wallet address that was listed in the information window displayed by the virus. This address is 1G6tQeWrwp6TU1qunLjdNmLTPQu7PnsMYd. Experts studying the problem, checked the transaction for this wallet, and saw that the total amount of funds transferred reaches $ 277.61. True, this money arrived in the wallet earlier, until June 20. After this date there is no transaction.

    So far this malware has not spread too much. Ranscam may be one of the first malware whose creators do not want to do extra work, but only want money. Why create a complex cryptographer, spend time and money on its creation, if you can disguise it as a regular virus that deletes files and requires money? The question is rhetorical.