A new ransomware has been discovered recently, which comes in an executable called "booyah.exe". The executable seems to install like a program (using Nullsoft Scriptable Install System), and contains a packed DLL which does the actual encryption.
Victims will receive a ransom note by the name of "WHATHAPPENDTOYOURFILES.TXT", with the following contents.
Your ID: 758275 * * * Hi. Your files are now encrypted. I have the key to decrypt them back. I will give you a decrypter if you pay me. If you pay me today, the price is only 1 bitcoin. If you pay me tomorrow, you will have to pay 2 bitcoins. If you pay me one week later the price will be 7 bitcoins and so on. So, hurry up.
From our analysis of the malware sample, it appears all victims receive the same ID as above, as it is hard-coded in the malware.
Every folder that has been encrypted will contain a "CRIPTOSO.KEY" file. The contents of this file are not understood quite yet. No extension is added to encrypted files.
A list of encrypted files will be located in a plaintext file at "%APPDATA%\%ID%", which for each victim would be "%APPDATA%\758275".
Further analysis is still pending, but we have an idea of how many victims may have been affected. If anyone has been affected by this ransomware, please post in this topic with any details you can about your experience, and a sample of before/after files if you can. Also, the vector of attack would be good to know (email attachment, torrent, download, etc.).
ID Ransomware does identify this ransomware by the ransom note and CRIPTOSO.KEY file mentioned above.
Edited by Demonslay335, 28 March 2016 - 12:45 PM.
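As an added example (not code from the original post, and not part of the malware or of ID Ransomware), the following Python script turns the three indicators described above into a quick triage check for a suspected machine: it walks a directory tree for folders holding a CRIPTOSO.KEY file and for copies of WHATHAPPENDTOYOURFILES.TXT, then reads the %APPDATA%\758275 list to recover which files were encrypted, since no extension is added. The one-path-per-line layout of that list file is an assumption of this example (the post only calls it a plaintext file), and the sample directory tree is constructed inline so the script runs offline.

```python
import os
import tempfile
from pathlib import Path

RANSOM_NOTE = "WHATHAPPENDTOYOURFILES.TXT"
KEY_FILE = "CRIPTOSO.KEY"
HARDCODED_ID = "758275"  # the hard-coded victim ID reported in the post


def find_indicators(root):
    """Walk `root` and collect the on-disk indicators named in the post:
    folders holding a CRIPTOSO.KEY file, and every copy of the ransom note."""
    key_dirs, notes = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        names = {n.upper() for n in filenames}  # NTFS names are case-insensitive
        if KEY_FILE in names:
            key_dirs.append(dirpath)
        if RANSOM_NOTE in names:
            notes.append(os.path.join(dirpath, RANSOM_NOTE))
    return sorted(key_dirs), sorted(notes)


def read_encrypted_list(appdata, victim_id=HARDCODED_ID):
    """Read %APPDATA%\\<ID>. The post describes it as a plaintext list of
    encrypted files; one absolute path per line is an assumption here."""
    list_file = Path(appdata) / victim_id
    if not list_file.is_file():
        return []
    text = list_file.read_text(encoding="utf-8", errors="replace")
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def triage(root, appdata):
    """Combine the indicators into one report for the responder."""
    key_dirs, notes = find_indicators(root)
    listed = read_encrypted_list(appdata)
    return {
        "key_dirs": key_dirs,
        "ransom_notes": notes,
        "listed_files": listed,
        # Every encrypted folder is expected to carry a key file, so a listed
        # file whose folder has none is worth a second look (list tampered,
        # key file removed, or a path the malware failed to write).
        "listed_without_key": [f for f in listed
                               if os.path.dirname(f) not in key_dirs],
    }


def build_sample_tree():
    """Constructed sample data: a fake user profile with two encrypted folders,
    one untouched folder, and the list file. Not a real infection image."""
    base = Path(tempfile.mkdtemp(prefix="booyah_triage_"))
    user = base / "Users" / "victim"
    docs, pics, music = user / "Documents", user / "Pictures", user / "Music"
    appdata = user / "AppData" / "Roaming"
    for d in (docs, pics, music, appdata):
        d.mkdir(parents=True)
    encrypted = [docs / "report.docx", docs / "budget.xlsx", pics / "holiday.jpg"]
    for f in encrypted:
        f.write_bytes(b"\x00placeholder-ciphertext")  # no extension change
    (music / "song.mp3").write_bytes(b"ID3")  # untouched folder, no key file
    for d in (docs, pics):
        (d / KEY_FILE).write_bytes(b"\x00" * 16)  # real contents unknown
        (d / RANSOM_NOTE).write_text("Your ID: 758275 * * * Hi. Your files are now encrypted.")
    (appdata / HARDCODED_ID).write_text("\n".join(str(f) for f in encrypted) + "\n")
    return base, appdata


if __name__ == "__main__":
    sample_root, sample_appdata = build_sample_tree()
    report = triage(sample_root, sample_appdata)
    for key, value in report.items():
        print(f"{key}: {len(value)}")
        for item in value:
            print("   ", item)
```

On a live system, point `triage` at the drive root and `read_encrypted_list` at the real `%APPDATA%` (`os.environ["APPDATA"]`); run it from a clean boot medium or a mounted image, since the note and key files are the only visible evidence and the encrypted files themselves look unchanged by name.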