
New Ransomware as a Service (RaaS) site powers affiliate ransomware scheme


10 replies to this topic

#1 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,274 posts
  • ONLINE
  • Gender:Male
  • Location:USA
  • Local time:03:16 PM

Posted 28 July 2015 - 10:13 AM

A new ransomware has been discovered called RaaS, or Ransomware as a Service, that allows "affiliates" to generate a ransomware and distribute it as they wish. The ransomware affiliate system is hosted on the TOR network and allows a visitor to create the ransomware executable by simply entering in a bitcoin address they wish to receive payments to and the amount of money they wish to charge for the ransom. The RaaS developer will then do the rest of the work by collecting and validating payments, issuing decrypters, and then sending ransom payments to the affiliate. For this service, the RaaS developer keeps 20% of the collected ransoms.

encryptor-service.jpg


This system is similar to another affiliate ransomware we have seen in the past called Tox, except this service has an unsophisticated setup and a non-existent affiliate console. In fact, an affiliate has to rely on their own distribution method to determine how many of their ransomware infections have been installed and to trust the RaaS dev to deliver payments.

An interesting string found within the executable also indicates that portions or the entire ransomware may be written in Java. When examining the executables, there was a reference to the libgcj-16.dll, which is part of the GNU Compiler for the Java Programming Language, otherwise known as GCJ. GCJ allows Java programs to be compiled into native Windows executables. If this ransomware was indeed programmed in Java, this would be the first one we have seen created in this way.

As the distribution of the ransomware executable is left up to the affiliate, there is no specific file location or method of infection for this ransomware. When the ransomware is installed, it will encrypt files based on their extension using a custom encryption method that is currently unknown. Encrypted files will retain their original extensions. The file extensions that are targeted are:

abw,accdb,ai,aif,arc,as,asc,asf,ashdisc,asm,asp,aspx,asx,aup,avi,bbb,bdb,bibtex,bkf,bmp,bpn,btd,bz2,c,cdi,cer,cert,cfm,cgi,cpio,cpp,crt,csr,cue,c++,dds,dem,dmg,doc,docm,docx,dsb,dwg,dxf,eddx,edoc,eml,emlx,eps,epub,fdf,ffu,flv,gam,gcode,gho,gif,gpx,gz,h,hbk,hdd,hds,hpp,h++,ics,idml,iff,img,indd,ipd,iso,isz,iwa,j2k,jp2,jpf,jpeg,jpg,jpm,jpx,jsp,jspa,jspx,jst,key,keynote,kml,kmz,lic,lwp,lzma,m3u,m4a,m4v,max,mbox,md2,mdb,mdbackup,mddata,mdf,mdinfo,mds,mid,mov,mp3,mp4,mpa,mpb,mpeg,mpg,mpj,mpp,msg,mso,nba,nbf,nbi,nbu,nbz,nco,nes,note,nrg,nri,ods,odt,ogg,ova,ovf,oxps,p2i,p65,p7,pages,pct,pdf,pem,phtm,phtml,php,php3,php4,php5,phps,phpx,phpxx,pl,plist,pmd,pmx,png,ppdf,pps,ppsm,ppsx,ppt,pptm,pptx,ps,psd,pspimage,pst,pub,pvm,qcn,qcow,qcow2,qt,ra,rar,raw,rm,rtf,s,sbf,set,skb,slf,sme,smm,spb,sql,srt,ssc,ssi,stg,stl,svg,swf,sxw,syncdb,tar,tc,tex,tga,thm,tif,tiff,toast,torrent,tpl,ts,txt,vbk,vcard,vcd,vcf,vdi,vfs4,vhd,vhdx,vmdk,vob,wbverify,wav,webm,wmb,wpb,wps,xdw,xlr,xls,xlsx,xz,yuv,zip,zipx

Finally, when the ransomware has finished encrypting your files it will create a ransom note on the Windows Desktop called encryptor_raas_readme_liesmich.txt. This note will contain information about what happened to your files and a link to the payment site. These instructions will be in both English and German.

An example of the encryptor_raas_readme_liesmich.txt can be found below.

ATTENTION!
The files on your computer have been securely encrypted by Encryptor RaaS.
To get access to your files again, follow the instructions at:
https://decryptoraveidf7.onion.to/vict?cust=<cust_id>&guid=<affiliate_id>


ACHTUNG!
Die Dateien auf Ihrem Computer wurden von Encryptor RaaS sicher verschluesselt.
Um den Zugriff auf Ihre Dateien wiederzuerlangen, folgen Sie der Anleitung auf:
https://decryptoraveidf7.onion.to/vict?cust=<cust_id>&guid=<affiliate_id>

Finally, the ransomware will open the TOR payment site titled Encryptor RaaS Decryptor that provides information on how many bitcoins you must send and the bitcoin address you need to send it to. An example page can be seen below:

payment-page.jpg


The ransomware itself does not delete Shadow Volume Copies or perform secure deletions of encrypted files. Therefore, unless the affiliate incorporates these types of protection into their distribution method, it is possible to restore your files using a program like Shadow Explorer or file recovery software.

A big thanks to Nathan Scott and Cody Johnston for assisting in the analysis of this ransomware. I would also like to thank pete255 for posting about it on Reddit.
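An added example in Python, not code from the original post nor anything belonging to the RaaS operators: a defender-side triage script built from the details above. It locates the ransom note, pulls the cust and guid values out of the payment URL for the incident record, counts files carrying the targeted extensions to scope possible impact, and, because encrypted files keep their original extension, uses a byte-entropy heuristic to flag which of those actually look like ciphertext. The note file name, the URL shape and the extension list are taken from the post; the sample note text, the EXAMPLE-CUST/EXAMPLE-AFFILIATE ids and the files built in demo() are constructed for illustration.

```python
"""Triage helpers for the Encryptor RaaS note described in the post above.
Added example, not code from the original post: the note name, URL shape and
extension list come from the post; everything demo() builds is constructed."""
import math
import random
import re
import tempfile
from pathlib import Path
from urllib.parse import parse_qs, urlparse

NOTE_NAME = "encryptor_raas_readme_liesmich.txt"  # dropped on the Desktop
NOTE_MARKER = "encrypted by Encryptor RaaS"
URL_RE = re.compile(r"https?://\S+")
# Extensions the post lists as targeted; encrypted files keep their extension.
TARGETED_EXTENSIONS = frozenset((
    "abw,accdb,ai,aif,arc,as,asc,asf,ashdisc,asm,asp,aspx,asx,aup,avi,bbb,bdb,bibtex,bkf,"
    "bmp,bpn,btd,bz2,c,cdi,cer,cert,cfm,cgi,cpio,cpp,crt,csr,cue,c++,dds,dem,dmg,doc,docm,"
    "docx,dsb,dwg,dxf,eddx,edoc,eml,emlx,eps,epub,fdf,ffu,flv,gam,gcode,gho,gif,gpx,gz,h,"
    "hbk,hdd,hds,hpp,h++,ics,idml,iff,img,indd,ipd,iso,isz,iwa,j2k,jp2,jpf,jpeg,jpg,jpm,"
    "jpx,jsp,jspa,jspx,jst,key,keynote,kml,kmz,lic,lwp,lzma,m3u,m4a,m4v,max,mbox,md2,mdb,"
    "mdbackup,mddata,mdf,mdinfo,mds,mid,mov,mp3,mp4,mpa,mpb,mpeg,mpg,mpj,mpp,msg,mso,nba,"
    "nbf,nbi,nbu,nbz,nco,nes,note,nrg,nri,ods,odt,ogg,ova,ovf,oxps,p2i,p65,p7,pages,pct,"
    "pdf,pem,phtm,phtml,php,php3,php4,php5,phps,phpx,phpxx,pl,plist,pmd,pmx,png,ppdf,pps,"
    "ppsm,ppsx,ppt,pptm,pptx,ps,psd,pspimage,pst,pub,pvm,qcn,qcow,qcow2,qt,ra,rar,raw,rm,"
    "rtf,s,sbf,set,skb,slf,sme,smm,spb,sql,srt,ssc,ssi,stg,stl,svg,swf,sxw,syncdb,tar,tc,"
    "tex,tga,thm,tif,tiff,toast,torrent,tpl,ts,txt,vbk,vcard,vcd,vcf,vdi,vfs4,vhd,vhdx,"
    "vmdk,vob,wbverify,wav,webm,wmb,wpb,wps,xdw,xlr,xls,xlsx,xz,yuv,zip,zipx"
).split(","))

def parse_note(text):
    """Return {'url','cust','guid'} for an Encryptor RaaS note, else None.
    cust is the victim id, guid the affiliate id: both belong in the ticket."""
    if NOTE_MARKER not in text:
        return None
    match = URL_RE.search(text)
    if not match:
        return None
    query = parse_qs(urlparse(match.group(0)).query)
    return {"url": match.group(0),
            "cust": query.get("cust", [None])[0],
            "guid": query.get("guid", [None])[0]}

def find_notes(root):
    """Every ransom note below root, sorted by path."""
    return sorted(p for p in Path(root).rglob("*")
                  if p.is_file() and p.name.lower() == NOTE_NAME)

def targeted_extension(path):
    """The file's extension if the post lists it as targeted, else None."""
    ext = Path(path).suffix.lstrip(".").lower()
    return ext if ext in TARGETED_EXTENSIONS else None

def inventory_targeted(root):
    """Count files per targeted extension below root: an upper bound on what
    may have been hit, since the extension alone cannot tell encrypted from intact."""
    counts = {}
    for p in Path(root).rglob("*"):
        ext = targeted_extension(p) if p.is_file() else None
        if ext:
            counts[ext] = counts.get(ext, 0) + 1
    return counts

def likely_encrypted(path, threshold=7.5, sample=4096):
    """Heuristic: Shannon entropy (bits/byte) of the file head. High entropy in a
    normally low-entropy format (txt, doc, xls) suggests ciphertext; compressed
    formats (jpg, zip, mp3) are high entropy when intact, so weigh the extension."""
    with open(path, "rb") as fh:
        data = fh.read(sample)
    if not data:
        return False
    freq = [0] * 256
    for b in data:
        freq[b] += 1
    n = len(data)
    entropy = -sum(c / n * math.log2(c / n) for c in freq if c)
    return entropy >= threshold

# Constructed sample note; the ids are placeholders, not real infection data.
SAMPLE_NOTE = """ATTENTION!
The files on your computer have been securely encrypted by Encryptor RaaS.
To get access to your files again, follow the instructions at:
https://decryptoraveidf7.onion.to/vict?cust=EXAMPLE-CUST-0001&guid=EXAMPLE-AFFILIATE-0001
"""

def demo():
    """Build a constructed victim profile in a temp dir and triage it."""
    rng = random.Random(0)  # deterministic stand-in for ciphertext
    with tempfile.TemporaryDirectory() as tmp:
        desktop = Path(tmp) / "Desktop"
        desktop.mkdir()
        (desktop / NOTE_NAME).write_text(SAMPLE_NOTE)
        (desktop / "notes.txt").write_bytes(b"plain text, low entropy\n" * 100)
        (desktop / "report.docx").write_bytes(bytes(rng.randrange(256) for _ in range(4096)))
        (desktop / "tool.exe").write_bytes(b"MZ" + b"\0" * 100)  # exe is not targeted
        info = parse_note(find_notes(tmp)[0].read_text())
        counts = inventory_targeted(tmp)
        suspect = sorted(p.name for p in desktop.iterdir()
                         if targeted_extension(p) and likely_encrypted(p))
        return info, counts, suspect

if __name__ == "__main__":
    print(demo())
```

On a real machine you would point find_notes and inventory_targeted at the user profile instead of a temp directory. The entropy flag is only a hint; for the compressed media formats in the list it will fire on intact files too, so it is most useful on documents, text and source files. Since the post notes that Shadow Volume Copies are left intact, the scoped file list is also what to check against the shadow copies before deciding what to restore.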



#2 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 18,621 posts
  • OFFLINE
  • Gender:Male
  • Location:Quebec, Canada
  • Local time:03:16 PM

Posted 28 July 2015 - 10:37 AM

there was a reference to the libgcj-16.dll, which is part of the GNU Compiler for the Java Programming Language, otherwise known as GCJ. GCJ allows Java programs to be compiled into native Windows executables.


Which means that the executable contains a built-in JRE, so even if Java isn't installed on the system, it'll run anyway?

Technical Support, Tier 2 | Sysnative Windows Update Senior Analyst | Malware Hunter | R&D at Certly | @AuraTheWhiteHat
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 PresComm

PresComm

  • Members
  • 109 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:16 PM

Posted 28 July 2015 - 10:43 AM

As usual, thanks for the heads up. I'm in a position to see this in action across a wide swath of client machines, so if I am able to catch it, I will try to gather as much information as possible. I'll gladly help in any simple way I can.

Thanks again for the news flash.

Edited by PresComm, 28 July 2015 - 11:23 AM.


#4 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 43,274 posts
  • ONLINE
  • Gender:Male
  • Location:USA
  • Local time:03:16 PM

Posted 28 July 2015 - 10:56 AM

Which means that the executable contains a built-in JRE, so even if Java isn't installed on the system, it'll run anyway?


GCJ is new to me, but from what I read it actually compiles Java directly into native machine code.
 

It can compile Java source code to Java bytecode (class files) or directly to native machine code, and Java bytecode to native machine code.


The upside to this is that Java compiled as native machine code runs faster. The downside is that it is no longer cross-platform.

#5 billyg52

billyg52

  • Members
  • 3 posts
  • OFFLINE
  • Local time:08:16 PM

Posted 28 July 2015 - 03:28 PM

I have got this ransomware on my machine right now. It's a pain in the ******. Anyone got advice on how to get rid of it?

I'm not very techie but can follow simple instructions LoL! As stated in other posts, it is random, but all my photos are locked and several programs using Adobe AIR are affected. I tried AdwCleaner and ComboFix, running both in Safe Mode with Networking, but no luck; it's still there.

 

Bill



#6 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 18,621 posts
  • OFFLINE
  • Gender:Male
  • Location:Quebec, Canada
  • Local time:03:16 PM

Posted 28 July 2015 - 04:03 PM

Hi billyg52 :)

Since it's a new infection, you can get help to remove it in the malware removal area (so the trained helpers will know what to do and, if needed, I guess someone like Grinler can advise them since he probably investigated the infection already). In order to do that, you have to post a thread in the Virus, Trojan, Spyware, and Malware Removal Logs section. You have to follow the instructions in the preparation guide prior to posting your thread, since it contains the steps to follow when posting it.

Technical Support, Tier 2 | Sysnative Windows Update Senior Analyst | Malware Hunter | R&D at Certly | @AuraTheWhiteHat
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#7 billyg52

billyg52

  • Members
  • 3 posts
  • OFFLINE
  • Local time:08:16 PM

Posted 28 July 2015 - 04:36 PM

Thanks for the advice, Aura. I will go through that process and hopefully get a result.



#8 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 18,621 posts
  • OFFLINE
  • Gender:Male
  • Location:Quebec, Canada
  • Local time:03:16 PM

Posted 28 July 2015 - 04:38 PM

No problem billy, you're welcome :)

Technical Support, Tier 2 | Sysnative Windows Update Senior Analyst | Malware Hunter | R&D at Certly | @AuraTheWhiteHat
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#9 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 49,952 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:16 PM

Posted 28 July 2015 - 08:53 PM

billyg52, if possible you may want to hold off on cleaning for a couple days until our crypto malware experts have more time to investigate and determine if it is safe to remove everything related to the infection.
.
.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click the donation link.

#10 billyg52

billyg52

  • Members
  • 3 posts
  • OFFLINE
  • Local time:08:16 PM

Posted 29 July 2015 - 12:57 AM

That seems like a sensible idea, given my lack of skills LoL!

If it helps, the version on my machine says my personal page is

 

613cb6owitcouepv.payoptvars.com/1kbo413,      TOR page is 613cb6owitcouepv.onion/1kbo413,      Code is 1kbo413

 

Thank you for the guidance it is greatly appreciated.



#11 PresComm

PresComm

  • Members
  • 109 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:16 PM

Posted 30 July 2015 - 07:14 AM

EDIT: Disregard my previous post. I decided to not be stupid and just followed Interweb links until I found a sample.

Edited by PresComm, 30 July 2015 - 07:16 AM.




