
A new ransomware called CommonRansom has been discovered that makes a very unusual demand. To decrypt a computer after the ransom is paid, the attackers require the victim to expose Remote Desktop Services on the infected computer and send them administrator credentials, which they then use to log in and decrypt the victim's files themselves.

CommonRansom was discovered by Michael Gillespie after a victim uploaded a ransom note and an encrypted file to his ID Ransomware service.

When encrypting a victim's computer, it appends the .[old@nuke.africa].CommonRansom extension to encrypted files and creates a ransom note named DECRYPTING.txt, which is shown below.
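As an added example, not code from the original article, the following Python script hunts a directory tree for the two artifacts named above, the appended extension and the DECRYPTING.txt note, recovers the original filenames, and pulls the contact e-mail and bitcoin address out of any note it finds so they can be compared with the indicators in the IOC section. The directory tree it builds and the note excerpt it writes are constructed sample data.

```python
"""Hunt a directory tree for CommonRansom artifacts (added example).

Looks for the ".[old@nuke.africa].CommonRansom" extension and the
DECRYPTING.txt ransom note described in the article, recovers the
original filenames, and extracts contact/payment indicators from
the note text. The demo tree is constructed sample data.
"""
import os
import re
import tempfile
from pathlib import Path

# Indicators taken from the article's IOC section.
ENCRYPTED_EXT = ".[old@nuke.africa].CommonRansom"
NOTE_NAME = "DECRYPTING.txt"
KNOWN_EMAIL = "old@nuke.africa"
KNOWN_BTC = "35M1ZJhTaTi4iduUfZeNA75iByjoQ9ibgF"

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# Legacy base58 bitcoin addresses: leading 1 or 3, then 25-34 base58
# characters (base58 has no 0, O, I or l).
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")


def scan_tree(root):
    """Return (encrypted_files, ransom_notes) found under root."""
    encrypted, notes = [], []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if name.endswith(ENCRYPTED_EXT):
                encrypted.append(path)
            elif name == NOTE_NAME:
                notes.append(path)
    return encrypted, notes


def original_name(path):
    """Strip the appended extension to recover the pre-encryption filename."""
    name = Path(path).name
    if name.endswith(ENCRYPTED_EXT):
        return name[: -len(ENCRYPTED_EXT)]
    return name


def extract_indicators(note_text):
    """Pull e-mail addresses and bitcoin addresses out of a ransom note."""
    emails = set(EMAIL_RE.findall(note_text))
    btc = set(BTC_RE.findall(note_text))
    return {
        "emails": emails,
        "btc_addresses": btc,
        # True when the note matches the campaign described in the article.
        "matches_known_campaign": KNOWN_EMAIL in emails and KNOWN_BTC in btc,
    }


# Constructed excerpt of the note, not a captured sample.
SAMPLE_NOTE = (
    "Hello dear friend,\n"
    "Your files were encrypted!\n"
    "Write back to our e-mail: old@nuke.africa\n"
    "4. Time when you have paid 0.1 btc to this bitcoin wallet:\n"
    "35M1ZJhTaTi4iduUfZeNA75iByjoQ9ibgF\n"
)


def demo():
    """Build a constructed victim tree in a temp dir, scan it, return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp) / "Documents"
        docs.mkdir()
        (docs / ("budget.xlsx" + ENCRYPTED_EXT)).write_bytes(b"\x00" * 64)
        (docs / ("notes.txt" + ENCRYPTED_EXT)).write_bytes(b"\x00" * 64)
        (docs / "README.md").write_text("untouched file\n")
        (docs / NOTE_NAME).write_text(SAMPLE_NOTE)

        encrypted, notes = scan_tree(tmp)
        indicators = extract_indicators(notes[0].read_text()) if notes else {}
        return {
            "encrypted_count": len(encrypted),
            "note_count": len(notes),
            "recovered_names": sorted(original_name(p) for p in encrypted),
            "indicators": indicators,
        }


if __name__ == "__main__":
    result = demo()
    print(f"{result['encrypted_count']} encrypted file(s), "
          f"{result['note_count']} ransom note(s)")
    print("recovered names:", result["recovered_names"])
    print("campaign match:", result["indicators"].get("matches_known_campaign"))
```

Point scan_tree at a real share root instead of the temp directory to run it against a suspected victim; matching on both the extension and the note name, and then on the note's contents, keeps a lone DECRYPTING.txt or a renamed file from producing a false positive on its own.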

Redacted CommonRansom Ransom Note

In this bizarre request, the attacker tells victims to pay 0.1 BTC and then send an email to old@nuke.africa containing the following information:

1. This ID-[VICTIM_ID]
2. [IP_ADDRESS]:PORT(rdp) of infected machine
3. Username:Password with admin rights
4. Time when you have paid 0.1 btc to this bitcoin wallet:
35M1ZJhTaTi4iduUfZeNA75iByjoQ9ibgF

This is a request no one should ever comply with. Once the attackers are connected over RDP with administrator rights, they have full interactive control of the machine and you have no visibility into what they are doing. They may decrypt your files, but they may just as easily install further malware, delete files, steal data, or use the machine as a foothold to reach the rest of the network. Exposing RDP to the internet is also one of the most common ways ransomware gets in to begin with (see the IC3 alert on RDP attacks in the related articles below), so following these instructions invites a second compromise on top of the first.
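The operational counterpart to that warning is to make sure RDP logons from outside the local network are noticed at all. Below is an added Python example, not code from the article: it runs over constructed stand-ins for the fields of Windows Security event 4624 (an account was successfully logged on; LogonType 10 is RemoteInteractive, i.e. RDP) and flags every successful RDP logon whose source address is not an RFC 1918, loopback or link-local address. The field names follow event 4624; the sample records, host names and addresses in them are made up, and in practice the records would come from the event log or a SIEM.

```python
"""Flag RDP logons that arrive from outside the local network (added example).

The records below are constructed stand-ins for the fields of Windows
Security event 4624 (an account was successfully logged on). LogonType 10
is RemoteInteractive, i.e. RDP. Only the field names are real.
"""
import ipaddress

# Constructed sample records, not captured events. 203.0.113.x and
# 198.51.100.x are documentation ranges standing in for internet hosts.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "Administrator",
     "TargetDomainName": "FILESRV01", "IpAddress": "192.168.10.25",
     "WorkstationName": "HELPDESK-PC"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "Administrator",
     "TargetDomainName": "FILESRV01", "IpAddress": "203.0.113.77",
     "WorkstationName": "DESKTOP-XK3L2"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "svc_backup",
     "TargetDomainName": "CORP", "IpAddress": "198.51.100.9",
     "WorkstationName": "-"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "jdoe",
     "TargetDomainName": "CORP", "IpAddress": "-",
     "WorkstationName": "-"},
    {"EventID": 4625, "LogonType": 10, "TargetUserName": "Administrator",
     "TargetDomainName": "FILESRV01", "IpAddress": "203.0.113.77",
     "WorkstationName": "DESKTOP-XK3L2"},
]

RDP_LOGON_TYPE = 10  # RemoteInteractive

# Explicit list rather than ipaddress's is_private, which also treats the
# documentation/test ranges (e.g. 203.0.113.0/24) as "private".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                  # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",               # IPv6 equivalents
)]


def is_internal(addr):
    """True for RFC 1918 / loopback / link-local sources. False for public
    addresses and for the '-' placeholder Windows writes when the source
    is unknown."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def external_rdp_logons(events):
    """Return successful RDP logons (4624, type 10) whose source is not internal.

    Logons with an unknown source ('-') are returned too: an RDP logon with
    no source address recorded deserves a look, not an automatic pass.
    """
    hits = []
    for ev in events:
        if ev.get("EventID") != 4624 or ev.get("LogonType") != RDP_LOGON_TYPE:
            continue
        if is_internal(ev.get("IpAddress", "-")):
            continue
        hits.append(ev)
    return hits


def summarize(events):
    """Group flagged logons by source address -> set of DOMAIN\\user accounts."""
    by_source = {}
    for ev in external_rdp_logons(events):
        src = ev.get("IpAddress", "-")
        account = ev.get("TargetDomainName", "") + "\\" + ev.get("TargetUserName", "")
        by_source.setdefault(src, set()).add(account)
    return by_source


if __name__ == "__main__":
    for src, accounts in summarize(SAMPLE_EVENTS).items():
        print(f"RDP logon from {src}: {', '.join(sorted(accounts))}")
```

Failed attempts (4625) are deliberately left out here so the rule reports only sessions that actually opened; brute-force noise is a separate detection. If your environment terminates RDP behind a gateway or VPN, the source address in 4624 is the gateway's, so the internal-network list has to be adjusted to match what the host actually sees.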

While we have not yet been able to find a sample of the ransomware itself, the one ransom note we have seen uses the 35M1ZJhTaTi4iduUfZeNA75iByjoQ9ibgF bitcoin address, which has seen some activity in the past.

Bitcoin Transactions

Of particular interest is a transaction of 65 bitcoins sent from this address to the 1CnCfvUTFQf11QNeBEpk29rRXfNFg75R9n bitcoin address, which has received over 11,000 bitcoins. An address aggregating that much volume could be a mixer, used to make it harder for law enforcement to trace these funds.

When we locate a sample of this ransomware, we will update this article with more information.

Related Articles:

IC3 Issues Alert Regarding Remote Desktop Protocol (RDP) Attacks

The Week in Ransomware - September 28th 2018 - RDP and GandCrab

New Brrr Dharma Ransomware Variant Released

The Week in Ransomware - November 9th 2018 - Mostly Dharma Variants

SEO Poisoning Campaign Targeting U.S. Midterm Election Keywords

IOCs

Associated Files:

DECRYPTING.txt

Ransom Note Text:

+-----------------------+
¦----+CommonRansom+-----¦
+-----------------------+
Hello dear friend,
Your files were encrypted!
You have only 12 hours to decrypt it
In case of no answer our team will delete your decryption password
Write back to our e-mail: old@nuke.africa


In your message you have to write:
1. This ID-[VICTIM_ID]
2. [IP_ADDRESS]:PORT(rdp) of infected machine
3. Username:Password with admin rights
4. Time when you have paid 0.1 btc to this bitcoin wallet:
35M1ZJhTaTi4iduUfZeNA75iByjoQ9ibgF


After payment our team will decrypt your files immediatly


Free decryption as guarantee:
1. File must be less than 10MB
2. Only .txt or .lnk files, no databases
3. Only 5 files


How to obtain bitcoin:
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
https://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
http://www.coindesk.com/information/how-can-i-buy-bitcoins/