Threat Finder Ransomware: Had a slow start, but now picking up speed!


22 replies to this topic

#1 Grinler (Lawrence Abrams)

  • Admin
  • 43,271 posts
  • Gender:Male
  • Location:USA

Posted 17 April 2015 - 03:49 PM

Threat Finder v2.4 is a ransomware that has been circulating since the end of January that encrypts your data files and then demands 1.25 bitcoins, or approximately $300 USD, to get your data back. Threat Finder has not received much media attention, but has shown an increased distribution over the past month, so I would not be surprised if this changes. One of the methods being used to target more victims is the use of the Angler Exploit Kit as reported by Brad Duncan of RackSpace. Thankfully, Threat Finder makes some mistakes that allow users to potentially recover their files.


[Screenshot: threat-finder.jpg]

BleepingComputer recently obtained a sample of Threat Finder and performed an analysis of the ransomware. The ransomware itself is distributed as a Windows DLL (Dynamic Link Library) file that is started by the Windows Regsvr32.exe program. Once infected, a startup entry will be created in the Windows Registry called WINUP.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "WINUP" = regsvr32 "C:\Users\<account name>\AppData\Local\Temp\reg.dll"
Once the reg.dll is loaded, it will connect to its Command & Control server at 65.49.8.104 and download the t0.da0, t0.da1, t0.daa files to the %Temp% folder. The t0.da0 is an image file containing the main interface screen for the ransomware, the t0.da1 file is the Check Payment button image, and it is currently unknown what the t0.daa file is for.

[Screenshot: downloaded-files.jpg]

Threat Finder will then begin to scan your computer for certain file extensions and encrypt them. The file extensions that Threat Finder currently looks for are:
*.txt, *.html, *.htm, *.css, *.wmv, *.wallt, *.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.pdf, *.eps, *.ai, *.indd, *.cdr, *.jpg, *.jpe, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c
When Threat Finder encrypts a file it will not change its name. Therefore the only indication that you will have that your file is encrypted is that your program will not be able to display it properly.
Finally, when the encryption has been completed, your default web browser will open and display the %UserProfile%\Desktop\HELP_DECRYPT.HTML file and the Threat Finder v2.4 screen shown above. This HTML file will display a warning about how your data was encrypted and that you must pay a ransom in order to get your files back.

[Screenshot: help_decrypt.html.jpg]

The main interface will provide instructions on how to make a payment, a bitcoin address to send it to, and a special BOT ID that you are supposed to include with your payment. The provided bitcoin address, 1NadLTgZHFGJmqUuQ58dGsB7ADCbe5N6z1, is the same for everyone, and the blockchain shows that there have been approximately 10 ransom payments made to it. The main interface also contains a Check Payment button that displays a message when you click on it. In our testing, clicking on this button does not perform any network requests, so we are unsure if this button really does anything.

At this time we are still waiting for confirmation as to whether the files are actually being encrypted and with what algorithm. The good news, though, is that this infection does not delete your Shadow Volume Copies so it is possible to restore your files using the Windows Previous Versions feature or a tool like Shadow Explorer. For detailed instructions on how to restore your data files from Shadow Volume Copies, please see this section of the CryptoWall guide:
 

How to restore files encrypted by CryptoWall using Shadow Volume Copies
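Two checks a responder could script from the indicators in this post, as an added example (this is not code from the post or from BleepingComputer): one parses `reg query` output for a Run entry shaped like the WINUP value above (regsvr32 loading a DLL out of a Temp folder), and the other flags files that kept their names but no longer open, by checking whether the expected file header is still there and how random the contents look. The registry output and the file contents used below are constructed samples, not captures from an infected machine; the entropy threshold of 7.5 bits per byte is an assumption that works for typical documents versus ciphertext.

```python
"""Host-triage helpers for the two Threat Finder indicators described in the post:
a regsvr32 Run-key entry loading a DLL from %Temp%, and data files that keep their
names but no longer open. Added example; the registry output and file contents
below are constructed stand-ins, not captures from a real host."""
import math
import os
import random
import re
from collections import Counter
from typing import List, Tuple

# Constructed stand-in for `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
# output: one benign value and one shaped like the WINUP entry quoted in the post.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    WINUP    REG_SZ    regsvr32 "C:\Users\alice\AppData\Local\Temp\reg.dll"
"""

# `reg query` prints each value as: <indent><name><spaces>REG_<type><spaces><data>.
# Value names containing spaces are not handled by this simple pattern.
RUN_VALUE_RE = re.compile(r"^\s+(\S+)\s+REG_(?:EXPAND_)?SZ\s+(.*)$")


def suspicious_run_entries(reg_query_output: str) -> List[Tuple[str, str]]:
    """Return (value name, command) for Run entries where regsvr32 registers a DLL
    that lives under a Temp folder; legitimate software rarely persists that way."""
    hits = []
    for line in reg_query_output.splitlines():
        match = RUN_VALUE_RE.match(line)
        if not match:
            continue
        name, command = match.group(1), match.group(2).strip()
        lowered = command.lower()
        if ("regsvr32" in lowered and "\\temp\\" in lowered
                and lowered.rstrip('"').endswith(".dll")):
            hits.append((name, command))
    return hits


# Leading bytes that files with these extensions (all on the post's target list)
# normally carry. Zip-based Office formats share the PK header.
MAGIC = {
    ".pdf": b"%PDF",
    ".jpg": b"\xff\xd8\xff",
    ".jpe": b"\xff\xd8\xff",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".pptx": b"PK\x03\x04",
    ".doc": b"\xd0\xcf\x11\xe0",
    ".xls": b"\xd0\xcf\x11\xe0",
    ".psd": b"8BPS",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, approaching 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(name: str, data: bytes, threshold: float = 7.5) -> bool:
    """Flag a file whose bytes look random. An intact magic header clears it first, so
    dense but legitimate formats (JPEG, zip-based Office files) are not false positives.
    For extensions without a fixed header (.txt, .csv) entropy alone decides."""
    expected = MAGIC.get(os.path.splitext(name)[1].lower())
    if expected is not None and data.startswith(expected):
        return False
    return shannon_entropy(data) > threshold


# Constructed sample contents: a deterministic pseudo-random blob standing in for
# ciphertext, a PDF header followed by that same blob, and ordinary plain text.
_rng = random.Random(2015)
CIPHERTEXT_LIKE = bytes(_rng.getrandbits(8) for _ in range(4096))
INTACT_PDF = b"%PDF-1.4\n" + CIPHERTEXT_LIKE
PLAIN_TEXT = b"quarterly report draft, see attached figures\n" * 100


def triage_samples() -> dict:
    """Run both checks over the constructed samples; returns a name -> verdict mapping."""
    return {
        "run_key_hits": suspicious_run_entries(SAMPLE_REG_QUERY),
        "report.pdf": looks_encrypted("report.pdf", CIPHERTEXT_LIKE),
        "report-ok.pdf": looks_encrypted("report-ok.pdf", INTACT_PDF),
        "notes.txt": looks_encrypted("notes.txt", CIPHERTEXT_LIKE),
        "notes-ok.txt": looks_encrypted("notes-ok.txt", PLAIN_TEXT),
    }


if __name__ == "__main__":
    for key, value in triage_samples().items():
        print(f"{key}: {value}")
```

The header check matters because the post notes the file names are left unchanged, so content is the only tell; without it, any JPEG or compressed Office document would trip a pure entropy test. Because the Shadow Volume Copies survive this infection, a positive verdict from the second check is a pointer to which files to restore via Previous Versions rather than a reason to touch the ransom screen.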


#2 Aura (Bleepin' Special Ops)

  • Malware Response Team
  • 18,616 posts
  • Gender:Male
  • Location:Quebec, Canada

Posted 17 April 2015 - 04:37 PM

Will there be a FAQ created for Threat Finder, or it's not that much of a "threat" compared to other Cryptoware and doesn't require one for now?

Technical Support, Tier 2 | Sysnative Windows Update Senior Analyst | Malware Hunter | R&D at Certly | @AuraTheWhiteHat
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 Grinler (Lawrence Abrams)

  • Topic Starter
  • Admin
  • 43,271 posts
  • Gender:Male
  • Location:USA

Posted 17 April 2015 - 04:43 PM

Depends on whether the threat level increases.

#4 josiew

  • Members
  • 86 posts
  • Gender:Female

Posted 17 April 2015 - 11:18 PM

Who are they targeting?

#5 Grinler (Lawrence Abrams)

  • Topic Starter
  • Admin
  • 43,271 posts
  • Gender:Male
  • Location:USA

Posted 18 April 2015 - 09:45 AM

They are targeting everyone.

#6 Aura (Bleepin' Special Ops)

  • Malware Response Team
  • 18,616 posts
  • Gender:Male
  • Location:Quebec, Canada

Posted 18 April 2015 - 09:46 AM

I guess this part is obviously false?

[Screenshot: Fh8HAQ6.png]


#7 Grinler (Lawrence Abrams)

  • Topic Starter
  • Admin
  • 43,271 posts
  • Gender:Male
  • Location:USA

Posted 18 April 2015 - 10:26 AM

Yes it is.

#8 Robert House

  • Members
  • 20 posts

Posted 18 April 2015 - 07:13 PM

I feel sorry for those hapless people that felt there was no alternative but to pay. It seems to me a simple backup not connected to the computer would be helpful in these cases.



#9 quietman7 (Bleepin' Janitor)

  • Global Moderator
  • 49,945 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 18 April 2015 - 09:36 PM

Backing up your data and disk imaging are among the most important maintenance tasks users should perform on a regular basis, yet it's one of the most neglected areas.

Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#10 Angoid

  • Security Colleague
  • 299 posts
  • Gender:Male
  • Location:East Midlands UK

Posted 20 April 2015 - 02:52 AM

...yet it's one of the most neglected areas.

Problem is, there are plenty of people who simply don't do it. They don't know they should be backing everything up regularly, and are unaware of BC and other sites that promote good computer maintenance and care, so as they see it there is no option if their AV can't deal with it (which it won't).

Until something bad happens, they are not aware that you need to back all your data up on a regular basis.

Unfortunately, many small businesses also take that approach.


Helping a loved one through a mental health issue?  Remember ALGEE...

Assess the risk | Listen nonjudgementally | Give reassurance and info | Encourage professional help | Encourage self-help and support network

#11 Kirbyofdeath

  • Members
  • 459 posts
  • Gender:Male
  • Location:Somewhere on Earth

Posted 20 April 2015 - 10:32 AM

I'd back up my computer, but I simply don't have the money for a 2TB HDD.



#12 quietman7 (Bleepin' Janitor)

  • Global Moderator
  • 49,945 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 20 April 2015 - 01:52 PM

I'd back up my computer, but I simply don't have the money for a 2TB HDD.

You can always use a cloud service that provides strong encryption, includes versioning and does not utilize a drive letter.

#13 Aura (Bleepin' Special Ops)

  • Malware Response Team
  • 18,616 posts
  • Gender:Male
  • Location:Quebec, Canada

Posted 20 April 2015 - 02:59 PM

Mega.co.nz for example allows you to use 50GB of storage for free, which is a lot. And if you combine multiple providers (OneDrive, Google Drive, Dropbox, etc.) you can get even more space.


#14 lquarles

  • Members
  • 3 posts

Posted 21 April 2015 - 02:38 PM

I have possibly a dumb question. It is recommended that off-line backup be used as a defense against encryption ransomware. Would a disabled drive (from Device Manager) qualify as off-line, or should I take the term literally and physically detach the drive?



#15 Fremont PC

  • Members
  • 115 posts

Posted 25 April 2015 - 07:14 PM

Mounting a drive is done via software, so those commands could be included in some future ransomware revision. The best way is to remove the drive using the Safely Remove Hardware icon in the notification area (if the drive is listed there), then physically unplugging the drive. 
