PSCrypt

Last week, long before the Petya / NotPetya ransomware broke out, there was another ransomware campaign that targeted Ukrainian users with a vengeance.

That ransomware, named PSCrypt, is the third ransomware strain to aggressively target Ukrainian users during the past month, after XData and NotPetya.

All three are different breeds and have very few things in common, except for their focus on Ukrainian users. For example, around 80% of XData's victims were from Ukraine, while yesterday, 60% of NotPetya's victims were also from the country.

Around 78% of PSCrypt victims are from Ukraine

What we currently know about PSCrypt is limited. The malware first came on our radar last week, when security researcher MalwareHunter alerted the cyber-security industry about a new ransomware family that was aggressively targeting Ukraine.

Later in the day, Bleeping Computer was also alerted when one of the victims, who was seeking help with the infection, submitted a sample via one of our forum threads for analysis.

According to shared analysis from experts such as Lawrence Abrams, Fabian Wosar, and Michael Gillespie, PSCrypt is a ransomware based on GlobeImposter 2.0, a ransomware strain that's been around for more than a year, and has evolved from the Globe ransomware family.

In the past, Globe-based ransomware has been a global threat, targeting users in multiple countries. Based on data from the ID-Ransomware service, the PSCrypt campaign has been focusing on the Ukraine alone, with a few sporadic infections in other countries.

Since last Wednesday, June 21, when the PSCrypt ransomware started spreading, 78% of all PSCrypt ID-Ransomware identification attempts have been from Ukrainian IP addresses. The numbers weren't as high as XData or NotPetya, but the focus on Ukrainian victims was there.

PSCrypt heatmap

Unlike XData and NotPetya, which were both pushed as tainted software update packages via servers belonging to M.E.Doc, a Ukrainian vendor of accounting software, PSCrypt spreads via unsecured RDP connections.

The attacker gains access to insecure systems, drops a file named "wmodule.exe" or "wmodule.zip" on the victim's PC and executes it, installing the ransomware.

The ransomware will encrypt all files except those found in folders containing the following strings:

windows
Microsoft
Microsoft Help
Windows App Certification Kit
Windows Defender
ESET
COMODO
Windows NT
Windows Kits
Windows Mail
Windows Media Player
Windows Multimedia Platform
Windows Phone Kits
Windows Phone Silverlight Kits
Windows Photo Viewer
Windows Portable Devices
Windows Sidebar
WindowsPowerShell
Temp
NVIDIA Corporation
Microsoft.NET
Internet Explorer
Kaspersky Lab
McAfee
Avira
spytech software
sysconfig
Avast
Dr.Web
Symantec
Symantec_Client_Security
system volume information
Microsoft Shared
Common Files
Outlook Express
Movie Maker
Chrome
Mozilla Firefox
Opera
YandexBrowser
ntldr
wsus
Wsus
ProgramData

All encrypted files are appended with the .pscrypt file extension and a ransom note named "Paxynok.html" is dropped on the user's computer.

Files encrypted by PSCrypt ransomware

By default, the ransomware drops a ransom note written in Ukrainian, but there is an English version of the ransom note left hidden in its source code, which is never dropped on users' PCs.

This is a clue regarding the targeted nature of this attack. Clearly, the PSCrypt authors had one country in mind when they launched their attack, and didn't bother dropping an English ransom note.
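As an added example that is not part of the article or the malware itself, the following Python script triages a directory tree for the artefacts described above (the .pscrypt extension, the Paxynok.html note and the wmodule.exe / wmodule.zip dropper) and recovers original file names, since the extension is only appended; the sample tree it builds is constructed, not real victim data.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicators taken from the article; the rest of this script is an added example.
ENCRYPTED_EXT = ".pscrypt"
RANSOM_NOTE = "Paxynok.html"
DROPPER_NAMES = {"wmodule.exe", "wmodule.zip"}


def triage(root):
    """Walk `root` and summarise PSCrypt artefacts for an incident report."""
    root = Path(root)
    report = {"encrypted": [], "per_dir": Counter(), "notes": [], "droppers": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = (Path(dirpath) / name).relative_to(root).as_posix()
            if name == RANSOM_NOTE:
                report["notes"].append(rel)
            elif name.lower() in DROPPER_NAMES:
                report["droppers"].append(rel)
            elif name.endswith(ENCRYPTED_EXT):
                # The original name is recoverable: PSCrypt only appends the extension.
                report["encrypted"].append((rel, name[: -len(ENCRYPTED_EXT)]))
                report["per_dir"][rel.rpartition("/")[0]] += 1
    return report


def build_sample_tree(base):
    """Constructed sample of an infected user profile (not real victim data)."""
    base = Path(base)
    for rel in ("Documents/report.docx.pscrypt", "Documents/budget.xlsx.pscrypt",
                "Documents/Paxynok.html", "Pictures/cat.jpg.pscrypt",
                "Pictures/Paxynok.html", "Downloads/wmodule.exe",
                # Left untouched: "Temp" is on the folder-string skip list above.
                "AppData/Local/Temp/readme.txt"):
        (base / rel).parent.mkdir(parents=True, exist_ok=True)
        (base / rel).write_bytes(b"constructed")
    return base


def demo():
    """Build the sample tree in a temp dir and return its triage report."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample_tree(tmp))


if __name__ == "__main__":
    r = demo()
    print(f"{len(r['encrypted'])} encrypted files in {len(r['per_dir'])} folders, "
          f"{len(r['notes'])} ransom notes, droppers: {r['droppers']}")
```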

PSCrypt ransom note [Ukrainian]
PSCrypt ransom note [English]

Nonsensical ransom note and complex payment procedure

The Ukrainian ransom note is one of the weirdest we've seen. It asks users to find iBox terminals, which are ATM-like devices where users can deposit cash via their phone number and make online payments.

iBox terminals are found only in Ukraine, and the company boasts of having nearly 6,000 terminals spread across 200 cities.

The ransom note instructs victims to deposit 2,500 in Ukrainian Hryvnia (~$100) and buy Bitcoin through the BTCU.biz currency exchange, supported by iBox terminals.

The victim is then told to keep the iBox receipt and use it to log into a BTCU.biz account and transfer the deposited funds to the crook's Bitcoin address. The ransom note also tells victims to take a screenshot of the transaction, and send it to the crook's email address at systems64x@tutanota.com.

This is one of the most complicated payment processes we've seen in all the ransomware families we've analyzed in the past. It's as if the PSCrypt authors intentionally made it difficult and time-consuming for victims to pay their ransoms.

A common theme

This approach is even worse than what the NotPetya crew opted to use yesterday. The NotPetya crew chose to use only one email address for handling payments, which got shut down by the email provider within hours, making it impossible for victims to recover a decryption key for their files.

"If this well engineered and highly crafted worm was meant to generate revenue, this payment pipeline was possibly the worst of all options," wrote security researcher The Grugq yesterday in a blog post about the NotPetya outbreak. "This is definitely not designed to make money. This is designed to spread fast and cause damage, with a plausibly deniable cover of 'ransomware.'"

The same can be said for the PSCrypt crew. A ten-step process for making payments and a single email address to handle user requests is not a well-oiled criminal enterprise. Furthermore, asking victims for only $100 would make it not worth the effort for many victims. This is either a group of inexperienced ransomware developers or another covert cyber-op designed to look like a mundane ransomware campaign.

XData, NotPetya, PSCrypt - Hiding under older ransomware

"Designed to look" is the perfect wording for our statement. The three ransomware campaigns that have targeted Ukraine have been offshoots of older ransomware strains, but there's more to this "classification."

First, the XData ransomware is an off-shoot of the AES-NI ransomware. A week after the XData ransomware outbreak that took place around May 19, the AES-NI author approached Bleeping Computer and dumped the master decryption keys for several AES-NI versions.

The AES-NI author told Bleeping Computer he did this as a sign of good faith, and to tell everyone he was not behind the XData outbreak. The AES-NI developer said someone stole the AES-NI source code and created XData, and he was terrified by the idea of being framed for the XData outbreak that took place in Ukraine.

Second, the NotPetya ransomware from yesterday takes its name from Petya, a well-known ransomware strain. According to several security experts, the ransomware shares some code with Petya, but is sufficiently different to be in its own class.

As The Grugq suggested in his blog post, someone had taken Petya and weaponized it to inflict as much damage as possible. Theories about the ransomware name selection and timing [1, 2, 3] are many.

Third, PSCrypt is also based on a GlobeImposter strain, which according to MalwareHunter, was available for sale on RaaS portals, meaning anyone could have taken it and created a custom version.

The article part where we blame Russia

"Someone" taking previously known ransomware to create a new variant that's specifically targeted at one country is extremely strange. This needs some serious resources and motivation. Motivation like this.

With the recent discovery of two Russian-linked industrial malware families that similarly attacked mainly Ukrainian targets, it's no surprise that some have reached the conclusion that Russia is waging a silent cyberwar against its neighbor, using the country to test out new weapons.

With their specific targeting of Ukrainian users, XData, NotPetya, and PSCrypt could fall into this category, although, to be fair, there is no evidence tying any of these three ransomware operations to Russian state agencies.

Cyber-attribution is never a 100% exact science. These are the details of the PSCrypt campaign. Readers are encouraged to reach their own conclusions, and maybe ask questions or point out details and interpretations we have not been able to spot.

SHA256 hash:

4448688d33635e153897b48aad7c3acf6785741c04a7c5ded853119b13424c19