OphionLocker ransomware encrypts your files with Elliptical Curve Cryptography
#1 Grinler (Lawrence Abrams)
  • Admin
  • 43,268 posts

Posted 10 December 2014 - 02:32 PM

A new ransomware named OphionLocker has been released that encrypts your data using Elliptical Curve Cryptography and then ransoms it for approximately 1 bitcoin. First discovered by Trojan7Sec, this ransomware is currently being distributed via hacked websites utilizing exploit kits. If a user visits one of these sites with a computer that has outdated software, the exploit kit will exploit vulnerabilities and install the ransomware. According to Trojan7Sec, the ransom amount varies between countries where the victim is located, with United States being the most expensive at 1 bitcoin.
[Image: ransomware-alert.jpg, caption "OphionLocker Alert"]
When you are infected with this malware it will generate a unique hardware id based on the serial number of the first hard drive, the motherboard's serial number, and other information. It will then contact the malware's TOR site and check if this particular hardware ID has been encrypted already. Using the open source Crypto++ library, OphionLocker will then proceed to encrypt your data with Elliptical Curve Cryptography. The data files it will encrypt have the following extensions:
 
3fr,accdb,arw,bay,cdr,cer,cr2,crt,crw,dbf,dcr,der,dng,doc,docm,docx,dwg,dxf,dxg,eps,erf,indd,jpe,jpg,kdc,mdb,mdf,mef,mp3,mp4,mrw,nef,nrw,odb,odm,odp,ods,odt,orf,p12,p7b,p7c,pdd,pef,pem,pfx,ppt,pptm,pptx,psd,pst,ptx,r3d,raf,raw,rtf,rwl,srf,srw,txt,wb2,wpd,wps,xlk,xls,xlsb,xlsm,xlsx
When searching for the data files to encrypt it will perform a case-sensitive match of the extension. That means a file called test.JPG would not be encrypted, while a file called test.jpg would be. When it is done it will display the above alert and also generate numerous encrypted.txt files on your desktop and in your My Documents folder. These encrypted.txt files will contain instructions on how to access the TOR payment site to pay your ransom and receive the decryptor.
[Image: ransom-note.jpg, caption "Ransom Note"]
The text of the ransomware note is:
 

Your important files you have on this computer have been encrypted : photos, videos, document , etc.
In order to recover these files you have to go to : smu743glzfrxsqcl.tor2web.org/ and buy the key to decrypt all your files.
From now on you have 72 hours to pay or the key will be permanently deleted from our server and you won't EVER get your files back. Please go to : smu743glzfrxsqcl.tor2web.org/ to see the procedure.
You can find this text on your desktop and document folders

your hwid is :xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx


When you go to the ransomware site, it will prompt you to enter your hardware id. Once entered it will display the amount of ransom you are required to pay and provide a bitcoin address that you should send the payment to.
[Image: payment-site.jpg, caption "Payment Site"]
Thankfully, this ransomware does not securely delete your files or remove the shadow volume copies. Therefore it is possible to recover your files using a file recovery tool or a program like Shadow Explorer. For more information on how to do this, please see this section in the CryptoLocker guide.
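The post notes two behaviours a responder can act on directly: the extension match is case-sensitive (test.JPG is skipped, test.jpg is not), and the ransom note is dropped as encrypted.txt on the Desktop and in My Documents. The following script is an added triage example, not code from the original post or from the malware: it walks a directory tree, reports which files the extension list quoted above would have put in scope, reports the ransom notes it finds, and shows what a case-insensitive variant would additionally have hit. The extension list is the one quoted in the post; the sample directory tree it builds is constructed for an offline run and is not real victim data.

```python
"""Triage helper for an OphionLocker-style infection (added example).

Assumptions (not from the original post): the extension list below is the
one quoted in the post, the walk reproduces the malware's case-sensitive
match, and ransom notes are named exactly "encrypted.txt".
"""
import os
import tempfile

# Extension list as quoted in the post. Lower-case only: the malware does a
# case-sensitive match, so "JPG" or "TXT" is not in scope.
OPHION_EXTENSIONS = frozenset("""
3fr,accdb,arw,bay,cdr,cer,cr2,crt,crw,dbf,dcr,der,dng,doc,docm,docx,dwg,dxf,dxg,
eps,erf,indd,jpe,jpg,kdc,mdb,mdf,mef,mp3,mp4,mrw,nef,nrw,odb,odm,odp,ods,odt,orf,
p12,p7b,p7c,pdd,pef,pem,pfx,ppt,pptm,pptx,psd,pst,ptx,r3d,raf,raw,rtf,rwl,srf,srw,
txt,wb2,wpd,wps,xlk,xls,xlsb,xlsm,xlsx
""".replace("\n", "").split(","))

RANSOM_NOTE_NAME = "encrypted.txt"   # name quoted in the post


def would_be_targeted(filename, case_sensitive=True):
    """Does this filename match the malware's extension list?

    case_sensitive=True reproduces OphionLocker's behaviour as described in
    the post; case_sensitive=False shows what a more thorough variant would
    additionally have hit. The ransom note itself ends in .txt, so it is
    excluded explicitly.
    """
    if os.path.basename(filename) == RANSOM_NOTE_NAME:
        return False
    ext = os.path.splitext(filename)[1].lstrip(".")   # "" for ".bashrc" or "README"
    if not case_sensitive:
        ext = ext.lower()
    return ext in OPHION_EXTENSIONS


def triage(root, case_sensitive=True):
    """Walk root and return (targeted files, ransom notes).

    Both lists are sorted and hold POSIX-style paths relative to root, so the
    result is the same on Windows and Unix.
    """
    targeted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if name == RANSOM_NOTE_NAME:
                notes.append(rel)
            elif would_be_targeted(name, case_sensitive):
                targeted.append(rel)
    return sorted(targeted), sorted(notes)


def build_sample_tree():
    """Constructed sample tree (not real victim data) for an offline run."""
    root = tempfile.mkdtemp(prefix="ophion_triage_")
    layout = {
        "Desktop/encrypted.txt": "ransom note",     # dropped on the desktop
        "Documents/encrypted.txt": "ransom note",   # and in My Documents
        "Documents/report.docx": "x",               # in scope
        "Documents/photo.jpg": "x",                 # in scope (lower-case)
        "Documents/scan.JPG": "x",                  # skipped: upper-case
        "Documents/notes.TXT": "x",                 # skipped: upper-case
        "Documents/archive.zip": "x",               # never in the list
        "Documents/keys/server.pem": "x",           # in scope: private keys are listed
    }
    for rel, body in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    strict, notes = triage(root)
    loose, _ = triage(root, case_sensitive=False)
    print("ransom notes found:", notes)
    print("in scope (case-sensitive, as the malware matches):", strict)
    print("missed only because of case:", sorted(set(loose) - set(strict)))
```

Point the script at a user profile rather than the sample tree to get a list of the files that should be checked against Shadow Explorer or a file-recovery tool; the "missed only because of case" list is the set of files that survived purely by luck of their extension's casing.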



#2 Kirbyofdeath
  • Members
  • 459 posts

Posted 11 December 2014 - 12:13 AM

At least it is only one bitcoin. Should've invested in them when they first came out...



#3 rp88
  • Members
  • 2,761 posts

Posted 11 December 2014 - 04:23 PM

Which particular vulnerability is this attack using to perform its drive-bys?

Something in Internet Explorer, in Flash, in the operating system as a whole, in JavaScript, in Adobe Reader, in a media player, in a Java plugin? Is NoScript (the Firefox extension) an adequate protective measure?

Edited by rp88, 11 December 2014 - 04:23 PM.

Back on this site, for a while anyway, been so busy the last year.

My systems:2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB

#4 Grinler (Lawrence Abrams)
  • Topic Starter
  • Admin
  • 43,268 posts

Posted 11 December 2014 - 04:27 PM

Yes, NoScript should help block most exploit kits. As for which vulnerabilities are being exploited, I am unsure at this time.

#5 rp88
  • Members
  • 2,761 posts

Posted 11 December 2014 - 06:14 PM

Quoting Grinler: "Yes, NoScript should help block most exploit kits."

Phew, thanks. I am glad I run that tool these days. It seems the internet is getting more dangerous by the hour.

Edited by rp88, 11 December 2014 - 06:15 PM.