Over the last two days, the ID Ransomware service was hit by two DDoS attacks launched by the author of the Enjey ransomware, embittered after ID Ransomware's creator, Michael Gillespie, had found a way to decrypt his ransomware.
The first attack started yesterday at around 19:00 UTC time, reached its peak at around 23:00 UTC, and kept going at full steam for a few hours until 08:00 UTC today, when the service went down for a few hours. The attack was quickly mitigated, but by that point the hosting provider took down the website as a precaution, eventually reinstating public access to the server a few hours after the first attack stopped.
Enjey's author took credit for the attack on Twitter. In a Twitter conversation with Bleeping Computer, the Enjey dev confirmed his identity by providing a copy of the script with which he attempted to bring down ID Ransomware.
He later launched a second DDoS attack to prove it was indeed him, albeit by this point the ID Ransomware crew had taken notice and were on hand to deal with the second assault. The service didn't go down during the second attack.
The DDoS script which the Enjey dev shared with Bleeping is written in C-Sharp and works by trying to upload two files to the ID Ransomware service in a continuous loop. The somewhat unorthodox DDoS attack didn't target the proper upload endpoint URL but generated enough junk traffic to crash the service during the first attack.
MalwareHunter, one of the people behind ID Ransomware, said the first attack launched 200,000 upload requests in an hour, while the second was much smaller, with 20,000 upload requests spanned across half an hour.
The atypical DDoS attack targeted ID Ransomware's upload section, which is its main feature. ID Ransomware is a service that launched eleven months ago and allows ransomware victims to upload a copy of a ransom note and a copy of an encrypted file, and identify what ransomware family has infected their computer.
The Enjey dev told Bleeping Computer he launched the DDoS attacks because he was mad the ID Ransomware service had indexed his ransomware, which he launched last week, on Tuesday, March 7.
In reality, he was probably much angrier at the fact that Michael Gillespie, ID Ransomware's creator, had found a way to decrypt files locked by his ransomware.
According to multiple researchers that have analyzed the Enjey ransomware, this is a rather simple threat, compared to other ransomware strains.
Taking a closer look at how Enjey works, the ransomware follows a simple encryption process, seen so many times in different other ransomware strains.
According to Bleeping Computer's Lawrence Abarms, Enjey encrypts files using the AES-256 algorithm and generates an identifier (GUID) for each victim, which it sends to a remote server, along with the decryption key. The C&C server is located at:
Enjey also deletes shadow volume copies with the following command, which makes the recovery of deleted data impossible, even if using data recovery software.
vssadmin delete shadows /all /Quiet
The encryption process targets all files, regardless of extension, and only skips the following folders:
Program Files (x86) $Recycle.Bin Windows Boot System Volum Information
After the encryption process ends, Enjey appends the following extension after each encrypted file name: .firstname.lastname@example.org
At the end of this entire process, the Enjey drops the following ransom note on the user's PC, in a file named README_DECRYPT.txt.
The Enjey dev appears to have shut down the ransomware's command and control servers before launching today's DDoS attacks, which means Enjey's distribution was currently halted. He also told Bleeping Computer he started work on Enjey 2.0.