Every once in a while you come across a really strange malware and such is the case with a new ransomware that only encrypts .EXE files on a computer. It then displays a screen with a picture of President Obama that asks for a "tip" to decrypt the files.

Barack Obama's Everlasting Blue Blackmail Virus Ransomware
Barack Obama's Everlasting Blue Blackmail Virus Ransomware

First tweeted by MalwareHunterTeam, this ransomware has the bizarre title of "Barack Obama's Everlasting Blue Blackmail Virus" as shown by the file properties below.

File Properties
File Properties

When executed, this ransomware will terminate various processes associated with antivirus software such as Kaspersky, McAfee, and Rising Antivirus . The commands executed to kill the processes are:

taskkill /f /im kavsvc.exe
taskkill /f /im KVXP.kxp
taskkill /f /im Rav.exe
taskkill /f /im Ravmon.exe
taskkill /f /im Mcshield.exe
taskkill /f /im VsTskMgr.exe

It will then scan the computer for .exe files and encrypt them. When encrypting files, it will target all .EXE files, even those that are located under the Windows folder. Other ransomware in the past that encrypted executables typically avoid the Windows folder so that it does not cause problems with the proper execution of the operating system.

Encrypted Executables
Encrypted Executables

As part of the encryption process, this ransomware will also modify the Registry keys associated with .exe files so that they use a new icon and run the virus every time someone launches an executable. The modified keys are listed below.

HKLM\SOFTWARE\Classes\exe
HKLM\SOFTWARE\Classes\exe\	
HKLM\SOFTWARE\Classes\exe\EditFlags	2
HKLM\SOFTWARE\Classes\exe\DefaultIcon
HKLM\SOFTWARE\Classes\exe\DefaultIcon\	C:\Users\User\codexgigas_.exe,0
HKLM\SOFTWARE\Classes\exe\Shell
HKLM\SOFTWARE\Classes\exe\Shell\Open
HKLM\SOFTWARE\Classes\exe\Shell\Open\Command
HKLM\SOFTWARE\Classes\exe\Shell\Open\Command\	"C:\Users\User\codexgigas_.exe" "%1"

The message in the ransomware interface states that users should contact the attacker at the 2200287831@qq.com for payment instructions.

Hello, your computer is encrypted by me! Yeah, that means your EXE file isn't open! Because I encrypted it.
So you can decrypt it, but you have to tip it. This is a big thing. You can email this email: 2200287831@qq.com gets more information.

It is unknown how this ransomware is distributed or if the developer will even provide a decryption key if paid. 

Obama is not the only President to have had a ransomware created after him. Prior to the 2016 United Stated presidential election, the The Donald Trump Ransomware was released.

The Trump Ransomwae was a development version that had built-in decryption.

Related Articles:

The Week in Ransomware - November 9th 2018 - Mostly Dharma Variants

SEO Poisoning Campaign Targeting U.S. Midterm Election Keywords

The Week in Ransomware - November 2nd 2018 - RaaS, DiskCryptor, & More

New Ransomware using DiskCryptor With Custom Ransom Message

CommonRansom Ransomware Demands RDP Access to Decrypt Files