The author of a new ransomware strain named Executioner has bungled the tool's encryption routine, which means security researchers will be able to decrypt victims' files.

The good news is that this ransomware is not the subject of a massive distribution campaign, so the number of affected victims is low, if any exist at all.

The ransomware first came to our attention on June 5, when Bleeping Computer founder Lawrence Abrams found it uploaded on VirusTotal. The ransomware was under development, and may still be: on June 7, two days later, security researcher MalwareHunter spotted a revamped version.

Executioner ransomware is based on EDA2 project

This particular ransomware strain is representative of the ransomware scene lately: flashy on graphics, low on code quality.

The ransomware isn't even original, being based on EDA2, a ransomware building kit that was open-sourced and published on GitHub in late 2015.

We have no details on the distribution vectors yet, but once the user launches the ransomware's EXE file, it looks for and encrypts the following file types:

.txt, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, jpeg, .png, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .p7c, .pk7, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt, .png, .jpg, .rtf, .mpg, .mp3, .png

Encrypted files keep their original name and have a random six-character alphanumeric extension appended to it.

Source code for creating the Executioner random file extension

Files encrypted by Executioner ransomware

The encryption routine skips files located in the following folders:

Windows
Program Files
Program Files (x86)

Once the file encryption process ends, the ransomware downloads the following image from the Imgim.com image hosting service and sets it as the user's desktop wallpaper.

Desktop wallpaper used by Executioner ransomware

Additionally, the ransomware drops the following ransom note on the user's desktop. The file is named Sifre_Coz_Talimat.html, which is Turkish written without diacritics (Şifre Çöz Talimat) for roughly "password decryption instructions."

Executioner ransomware ransom note

The ransom note asks users to visit a Dark Web portal where they will receive more instructions. Here are snapshots of that site:

Executioner ransomware payment site (three screenshots)

This Dark Web ransom payment portal is available in Turkish and English, supporting the claim that the ransomware's author is of Turkish origin. Furthermore, the portal runs on a modified version of the EDA2 backend panel. The original, for comparison, is here.

Ransomware sends decryption key to author via email

When we said this ransomware strain was of low quality, we weren't joking. The ransomware doesn't use a C&C server; instead, it sends information about infected computers by email to an inbox under the attacker's control.

Executioner collects data such as the computer name, username, public IP address (obtained by querying checkip.dyndns.org), and decryption key, and sends it as an email from "executioner.ransom@bk.ru" to "executioner.ransom@protonmail.com." For defenders this is convenient: a workstation opening an outbound SMTP session to bk.ru, or fetching checkip.dyndns.org and then an image from imgim.com, is easy to alert on.

Ransomware is decryptable

Because Executioner is based on the EDA2 ransomware kit, Bleeping Computer reached out to security researcher Michael Gillespie, an expert on EDA2-based ransomware families who has created many decrypters for this class of threats.

According to Gillespie, the ransomware is decryptable. In fact, Gillespie says the modifications the Executioner author made to the original EDA2 code made the ransomware extremely easy to crack. We won't share the exact details, so as not to allow the ransomware author to fix his code.

Because there are no known victims, Gillespie hasn't created a decrypter just yet. Nonetheless, he said any victim can reach out to him personally via his Twitter profile or via the topic in Bleeping Computer's forum section dedicated to helping ransomware victims.

Gillespie also added detection rules for the Executioner ransomware to the ID-Ransomware service, which he created in early 2016. The portal helps ransomware victims identify the ransomware strain that has infected their computers.

IOCs:

SHA256 hash:

506c274e4809c52d5c56f7228a4d84bbe7598d2f48eaf8ab8a3f62062f2129a2

Associated emails:

executioner.ransom@protonmail.com
executioner.ransom@bk.ru
executioner.update@protonmail.com

Network traffic:

http://checkip.dyndns.org - used to obtain the victim's public IP address
http://www.imgim.com/kb2oa7.jpg - desktop wallpaper image

Ransom note name:

\Sifre_Coz_Talimat.html

Ransom note text:

Oops all of your files Are safely Encrypted!!! "
 
Please Visit any links that given below to read the instructions and learn how to Decrypt Your Files!!
 
https://execut2bp3arv6er.onion.rip/
https://executcoe6vxnsw7.onion.rip/
https://execu4d2wasjip5x.onion.rip/
------------------------------------------------------------------------------------------------
 
IF IT DOESN'T WORK TRY THIS!!
 
https://execut2bp3arv6er.onion.cab/
https://executcoe6vxnsw7.onion.cab/
https://execu4d2wasjip5x.onion.cab/
------------------------------------------------------------------------------------------------
 
IF IT DOESN'T WORK AGAIN THEN TRY THIS!!
 
1. Download 'Tor Browser' from https://www.torproject.org/ and install it.!
2. OPEN ANY LINK THAT GIVEN BELOW!!!
 
execut2bp3arv6er.onion
executcoe6vxnsw7.onion
execu4d2wasjip5x.onion
------------------------------------------------------------------------------------------------
 
YOUR COMPUTER ID
 
TEST
 
 
------------------------------------------------------------------------------------------------
[Turkish version of the same note follows; English glosses in brackets are added here, not part of the note.]

Tum Dosyalariniz Guvenle Sifrelenmistir! "   [All of your files have been safely encrypted!]
 
Lutfen asagida verilen linklerden birini ziyaret ederek dosyalarinizi kurtarmak icin TALIMATLARI OKUYUNUZ!!!   [Please visit one of the links given below and READ THE INSTRUCTIONS to recover your files!!!]
 
https://execut2bp3arv6er.onion.rip/
https://executcoe6vxnsw7.onion.rip/
https://execu4d2wasjip5x.onion.rip/
------------------------------------------------------------------------------------------------
 
EGER CALISMAZ ISE ASAGIDA VERILEN LINKLERDEN BIRINE GIRINIZ!   [IF IT DOESN'T WORK, GO TO ONE OF THE LINKS GIVEN BELOW!]
 
https://execut2bp3arv6er.onion.cab/
https://executcoe6vxnsw7.onion.cab/
https://execu4d2wasjip5x.onion.cab/
------------------------------------------------------------------------------------------------
 
EGER YUKARIDAKI VERILEN METHOD OLMADIYSA ASAGIDAKI METHODU DENEYINIZ!!!   [IF THE METHOD GIVEN ABOVE DIDN'T WORK, TRY THE METHOD BELOW!!!]
 
1. 'Tor Browser'u https://www.torproject.org/ sitesinden indirip kurunuz !   [1. Download 'Tor Browser' from https://www.torproject.org/ and install it!]
2. ASAGIDA BULUNAN LINKLERDEN BIRTANESINE GIRINIZ!!!!   [2. GO TO ONE OF THE LINKS BELOW!!!!]
 
execut2bp3arv6er.onion
executcoe6vxnsw7.onion
execu4d2wasjip5x.onion
------------------------------------------------------------------------------------------------
 
KIMLIK NUMARANIZ   [YOUR ID NUMBER]
 
TEST
 
 
------------------------------------------------------------------------------------------------
 
EXECUTIONER RANSOMWARE
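To turn the indicators above and the on-disk behaviour described earlier (original name plus a random six-character alphanumeric extension, the note Sifre_Coz_Talimat.html on the desktop, the Windows and Program Files folders left alone) into something a responder can actually run, here is a small triage script. It is an added example written for this page, not code from the article or from the ransomware itself. The log lines, file paths and host names are constructed for the demo, the targeted-extension set is only a subset of the article's list, and matching on the bare .onion hostnames is a choice made here so the onion.rip / onion.cab proxy links from the note are caught as well.

```python
"""Added triage example: matches the Executioner indicators quoted in the
article against constructed proxy/mail log lines and a constructed file
listing. Not code from the article or the malware; sample data is made up."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Indicators quoted from the article's IOC section.
SHA256 = "506c274e4809c52d5c56f7228a4d84bbe7598d2f48eaf8ab8a3f62062f2129a2"
EMAILS = {
    "executioner.ransom@protonmail.com",
    "executioner.ransom@bk.ru",
    "executioner.update@protonmail.com",
}
URLS = {"http://checkip.dyndns.org", "http://www.imgim.com/kb2oa7.jpg"}
# Bare .onion names; the onion.rip / onion.cab proxy URLs contain them too.
ONIONS = {"execut2bp3arv6er.onion", "executcoe6vxnsw7.onion",
          "execu4d2wasjip5x.onion"}
RANSOM_NOTE = "Sifre_Coz_Talimat.html"
SKIP_DIRS = {"Windows", "Program Files", "Program Files (x86)"}

# Subset of the article's targeted extensions (demo only; extend as needed).
TARGETED = {".txt", ".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg",
            ".png", ".sql", ".xml", ".zip", ".pem", ".pfx"}

# <original name>.<targeted ext>.<six random alphanumerics>
ENC_NAME = re.compile(
    r"^(?P<orig>.+(?P<ext>\.[A-Za-z0-9]+))\.(?P<suffix>[A-Za-z0-9]{6})$")


def scan_log_line(line: str) -> List[str]:
    """Indicator classes that fire on one proxy/DNS/mail log line."""
    low = line.lower()
    hits = []
    if any(u in low for u in URLS):
        hits.append("url")
    if any(e in low for e in EMAILS):
        hits.append("email")
    if any(o in low for o in ONIONS):
        hits.append("onion")
    if SHA256 in low:
        hits.append("sha256")
    return hits


def scan_logs(lines: List[str]) -> List[Tuple[int, str, List[str]]]:
    """(line number, line, hits) for every line that matched something."""
    out = []
    for n, line in enumerate(lines, 1):
        hits = scan_log_line(line)
        if hits:
            out.append((n, line, hits))
    return out


def in_skipped_dir(path: str) -> bool:
    """True if the path lies under a folder the article says is skipped."""
    parts = path.replace("\\", "/").split("/")
    return any(p in SKIP_DIRS for p in parts[:-1])


def classify_path(path: str) -> str:
    """'ransom_note', 'encrypted:<suffix>' or 'clean' for one file path."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    if name == RANSOM_NOTE:
        return "ransom_note"
    m = ENC_NAME.match(name)
    if m and m.group("ext").lower() in TARGETED:
        return "encrypted:" + m.group("suffix")
    return "clean"


def scan_files(paths: List[str]) -> Dict[str, object]:
    """Group encrypted-looking files by suffix. Many files sharing one suffix
    is a far stronger signal than a single odd extension, which may simply be
    a legitimate file such as backup.sql.201706."""
    suffixes: Counter = Counter()
    notes, skipped = [], 0
    for p in paths:
        kind = classify_path(p)
        if kind == "ransom_note":
            notes.append(p)
        elif kind.startswith("encrypted:"):
            if in_skipped_dir(p):
                skipped += 1  # Executioner leaves these folders untouched
            else:
                suffixes[kind.split(":", 1)[1]] += 1
    return {"ransom_notes": notes, "suffixes": dict(suffixes),
            "encrypted_total": sum(suffixes.values()),
            "flagged_in_skipped_dirs": skipped}


# Constructed sample data (not real telemetry).
LOGS = [
    "2017-06-07 10:01:03 WS-FIN-12 GET http://checkip.dyndns.org/ 200",
    "2017-06-07 10:01:05 WS-FIN-12 GET http://www.imgim.com/kb2oa7.jpg 200",
    "2017-06-07 10:01:09 WS-FIN-12 SMTP smtp.bk.ru MAIL FROM:<executioner.ransom@bk.ru> "
    "RCPT TO:<executioner.ransom@protonmail.com>",
    "2017-06-07 10:14:41 WS-FIN-12 GET https://execut2bp3arv6er.onion.rip/ 200",
    "2017-06-07 10:15:00 WS-HR-03 GET http://www.example.com/index.html 200",
]
FILES = [
    r"C:\Users\ayse\Desktop\Sifre_Coz_Talimat.html",
    r"C:\Users\ayse\Documents\budget.xlsx.q7Hd3K",
    r"C:\Users\ayse\Documents\report.docx.q7Hd3K",
    r"C:\Users\ayse\Pictures\IMG_0412.jpg.q7Hd3K",
    r"C:\Users\ayse\Documents\notes.txt",
    r"C:\Program Files\App\config.xml.abc123",   # skipped folder
    r"C:\Users\ayse\Downloads\backup.sql.201706",  # possible false positive
]

if __name__ == "__main__":
    for n, line, hits in scan_logs(LOGS):
        print(f"log line {n}: {hits}")
    print(scan_files(FILES))
```

The article does not say whether the six-character suffix is generated once per infection or once per file, so the file scan groups hits by suffix rather than assuming either: if one suffix dominates, that is the one to pivot on when hunting for other affected hosts, and a lone hit like backup.sql.201706 can be discounted by hand.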
