Every once in a while you come across a really strange malware and such is the case with a new ransomware that only encrypts .EXE files on a computer. It then displays a screen with a picture of President Obama that asks for a "tip" to decrypt the files.
First tweeted by MalwareHunterTeam, this ransomware has the bizarre title of "Barack Obama's Everlasting Blue Blackmail Virus" as shown by the file properties below.
When executed, this ransomware will terminate various processes associated with antivirus software such as Kaspersky, McAfee, and Rising Antivirus . The commands executed to kill the processes are:
taskkill /f /im kavsvc.exe
taskkill /f /im KVXP.kxp
taskkill /f /im Rav.exe
taskkill /f /im Ravmon.exe
taskkill /f /im Mcshield.exe
taskkill /f /im VsTskMgr.exe
It will then scan the computer for .exe files and encrypt them. When encrypting files, it will target all .EXE files, even those that are located under the Windows folder. Other ransomware in the past that encrypted executables typically avoid the Windows folder so that it does not cause problems with the proper execution of the operating system.
As part of the encryption process, this ransomware will also modify the Registry keys associated with .exe files so that they use a new icon and run the virus every time someone launches an executable. The modified keys are listed below.
HKLM\SOFTWARE\Classes\exe
HKLM\SOFTWARE\Classes\exe\
HKLM\SOFTWARE\Classes\exe\EditFlags 2
HKLM\SOFTWARE\Classes\exe\DefaultIcon
HKLM\SOFTWARE\Classes\exe\DefaultIcon\ C:\Users\User\codexgigas_.exe,0
HKLM\SOFTWARE\Classes\exe\Shell
HKLM\SOFTWARE\Classes\exe\Shell\Open
HKLM\SOFTWARE\Classes\exe\Shell\Open\Command
HKLM\SOFTWARE\Classes\exe\Shell\Open\Command\ "C:\Users\User\codexgigas_.exe" "%1"
The message in the ransomware interface states that users should contact the attacker at the 2200287831@qq.com for payment instructions.
Hello, your computer is encrypted by me! Yeah, that means your EXE file isn't open! Because I encrypted it.
So you can decrypt it, but you have to tip it. This is a big thing. You can email this email: 2200287831@qq.com gets more information.
It is unknown how this ransomware is distributed or if the developer will even provide a decryption key if paid.
Obama is not the only President to have had a ransomware created after him. Prior to the 2016 United Stated presidential election, the The Donald Trump Ransomware was released.
The Trump Ransomwae was a development version that had built-in decryption.
Red Report 2025: Analyzing the Top ATT&CK Techniques Used by 93% of Malware
Malware targeting password stores surged 3X as attackers executed stealthy Perfect Heist scenarios, infiltrating and exploiting critical systems.
Discover the top 10 MITRE ATT&CK techniques behind 93% of attacks and how to defend against them.
Comments
the_moss_666 - 6 years ago
Encrypting only .exe files is bizzare. It all looks amateurish, attacker doesn't even control your unique and valuable data. Programming might be good enough (it works), but blackmailing part is really bad.
cgoecknerwald - 6 years ago
I choose to believe that this is some sort of joke based on the fact that Obama was the head of the EXEcutive branch.