A new variant of the HC7 Ransomware is in the wild that encrypts a victim's files and appends the .PLANETARY extension to the filename. What makes this particular ransomware variant unique is that it may be the first one that accepts Ethereum as a ransom payment.

HC7 Planetary Ransomware Ransom Note

Almost all ransomware uses Bitcoin for the ransom payment, with a few families requesting Monero. Now that Ethereum is selling for over $1,200 per coin and rising in both price and popularity, it is not surprising to see criminals accepting it as a payment.

While a cryptocurrency like Monero, or even Verge, makes more sense because of its greater privacy and lower traceability, Ethereum's smart contract feature could make ransomware payment processing more efficient. Using Ethereum's smart contracts, a criminal could build an "honest ransomware", where a victim's payment is guaranteed if the developer actually decrypts the victim's files.

While no ransomware currently uses Ethereum smart contracts for payments and most likely will not due to its complexity, that is really the only good reason to use Ethereum over other cryptocurrencies. In the future, I would expect developers to move away from Bitcoin and start moving more towards Monero and XVG due to them being "privacy" related coins.

What we know about the HC7 Planetary Ransomware

As for the HC7 Planetary variant, we do not know much more than that it is currently being distributed by the developer hacking into networks over Remote Desktop. Once they gain access to the network, they manually install the ransomware on every machine they can reach.

Example of what a Planetary Encrypted Folder Looks Like

As the ransomware is manually installed and typically cleaned up by the developer afterwards, finding a sample is not easy. Bleeping Computer only learned about this variant because a victim reached out to us for help.

When infected, the developers allow a victim to decrypt a single machine for a set price or the entire network for another price. As you can see from the ransom note below, the current ransom amount is $700 per machine or $5,000 for all of the machines on the network.

In the past, a method to decrypt HC7 encrypted files was discovered by performing memory forensics on a victim's computer in order to retrieve the password that was passed on the command line when the ransomware was installed. The chance of success with this method, though, diminishes the longer the computer stays in use, and it no longer works at all once the computer has been rebooted.


IOCs

HC7 "Planetary" Ransom Note:

ALL FILES ARE ENCRYPTED. 
TO RESTORE, YOU MUST SEND $700 EQUIVALENT FOR ONE COMPUTER
OR $5,000 FOR ALL NETWORK
PAYMENTS ACCEPTED VIA BITCOIN, MONERO AND ETHEREUM
BTC ADDRESS: [bitcoin_address]
MONERO (XMR) ADDRESS: [monero_address]
CONTACT US WHEN ETHEREUM PAYMENT INFORMATION
BEFORE PAYMENT SENT EMAIL m4rk0v@tutanota.de
ALONG WITH YOUR IDENTITY: [base64_encoded_computer_name]
INCLUDE SAMPLE ENCRYPTED FILE FOR PROOF OF DECRYPT


NOT TO SHUT OFF YOUR COMPUTER, UNLESS IT WILL BREAK

Associated Emails:

m4rk0v@tutanota.de