A new ransomware called MoneroPay has been discovered that tries to take advantage of the cryptocurrency craze by spreading itself as the wallet for a fake coin called SpriteCoin. While users were installing what they thought was a new cryptocoin wallet, MoneroPay was silently encrypting the files on their computer.

SpriteCoin Wallet spread on the popular BitCoinTalk Forum

First discovered by security researcher MalwareHunterTeam, this ransomware started distribution around January 6th in a topic posted to BitcoinTalk, the largest cryptocoin forum. The topic announced the release of a new altcoin called SpriteCoin.

The forum topic linked to a site, since taken offline, that contained a brief page about SpriteCoin and a further link to download a wallet.

Fake SpriteCoin Site

While this topic has since been removed, it was posted in the site's Altcoin discussion forum, which is a common place for cryptocurrency developers to announce new coins. With cryptocurrency being so hot right now, and potentially very lucrative, many people quickly download a newly launched coin's wallet in order to begin mining before its difficulty increases too much.

Once a user downloaded and ran the wallet, it would load up and go through what appeared to be a normal setup for a new cryptocoin wallet.

SpriteCoin Wallet

As there have been many false positives regarding wallets in the past, some miners disable their AV when testing new wallets. The MoneroPay ransomware was banking on this habit as a way to get installed quietly, without the user knowing until it was too late.

MoneroPay quietly encrypts a computer while the fake wallet synchronizes

When you install a cryptocoin wallet for the first time, the wallet first needs to connect to the coin's network and synchronize itself with the blockchain. Depending on how many coins have already been mined and the speed of the network, this process can take a long time.

Knowing this, the ransomware developer started encrypting the computer while the SpriteCoin wallet pretended to download and synchronize the blockchain. As this normally takes a long time and could cause a lot of hard drive activity, it was the perfect cover for the MoneroPay ransomware.

Fake Wallet Synchronization

When MoneroPay encrypts files, it targets those with the following extensions:

txt, doc, rtf, cpp, tcl, html, ppt, docx, xls, xlsx, pptx, key, pem, psd, mkv, mp4, ogv, zip, jpg, jpeg, work, pyw, hpp, cgi, rar, lua, img, iso, webm, jar, java, class, one, htm, css, vbs, eps, psf, png, apk, ps1, wallet.dat

Of particular interest is that the ransomware appears to be targeting extensions associated with programming languages. This may be because cryptocoin wallets tend to be used by those who are more technically inclined.

When encrypting a file, MoneroPay appends the .encrypted extension to the encrypted file's name. For example, test.png would be renamed to test.png.encrypted.
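The targeted-extension list and the `.encrypted` renaming together give a usable triage signature for responders: a file is a likely MoneroPay victim only if the `.encrypted` suffix sits on top of one of the targeted extensions (or on `wallet.dat`, which is a filename rather than an extension). The helper below is an added example for this write-up, not code from the article or from the malware; the file listing it runs over is constructed.

```python
# Added triage helper for this write-up (not the article's or the malware's code):
# recognise files renamed by MoneroPay's "<name>.<ext>.encrypted" scheme.
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Extensions reported as targeted by MoneroPay; "wallet.dat" is a full filename, checked separately.
TARGETED_EXTENSIONS = {"txt", "doc", "rtf", "cpp", "tcl", "html", "ppt", "docx", "xls",
    "xlsx", "pptx", "key", "pem", "psd", "mkv", "mp4", "ogv", "zip", "jpg", "jpeg", "work",
    "pyw", "hpp", "cgi", "rar", "lua", "img", "iso", "webm", "jar", "java", "class", "one",
    "htm", "css", "vbs", "eps", "psf", "png", "apk", "ps1"}
TARGETED_FILENAMES = {"wallet.dat"}
MARKER = ".encrypted"


def original_name(path: str) -> Optional[str]:
    """Return the pre-encryption filename if `path` fits MoneroPay's renaming.
    Requires the marker suffix AND a targeted extension (or wallet.dat) under it,
    so unrelated ".encrypted" files produced by other tools are not flagged."""
    name = PureWindowsPath(path).name
    if not name.lower().endswith(MARKER):
        return None
    stripped = name[: -len(MARKER)]
    lower = stripped.lower()
    if lower in TARGETED_FILENAMES:
        return stripped
    ext = lower.rpartition(".")[2]  # whole name if there is no dot -> no match
    return stripped if ext in TARGETED_EXTENSIONS else None


def triage(listing: List[str]) -> Dict[str, int]:
    """Count suspected victim files per original extension (or wallet.dat)."""
    counts: Dict[str, int] = {}
    for path in listing:
        orig = original_name(path)
        if orig is None:
            continue
        lower = orig.lower()
        key = lower if lower in TARGETED_FILENAMES else lower.rpartition(".")[2]
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample listing, not from a real infection.
SAMPLE = [
    r"C:\Users\dev\src\main.cpp.encrypted",
    r"C:\Users\dev\src\util.hpp.encrypted",
    r"C:\Users\dev\Pictures\test.png.encrypted",
    r"C:\Users\dev\AppData\Roaming\Bitcoin\wallet.dat.encrypted",
    r"C:\Users\dev\notes.md.encrypted",  # .md is not targeted: ignored
    r"C:\Users\dev\report.docx",         # untouched file: ignored
]
```

Running `triage(SAMPLE)` on the constructed listing yields `{'cpp': 1, 'hpp': 1, 'png': 1, 'wallet.dat': 1}`; in practice the listing would come from a directory walk of the affected host, and the per-extension breakdown helps confirm the pattern matches this family rather than another `.encrypted`-suffixing tool.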

Encrypted MoneroPay Files

While the ransomware is running, it will also attempt to retrieve passwords stored in Firefox and Chrome. These passwords, as well as information about the victim and their computer, are uploaded to a C2 server located at jmqapf3nflatei35.onion.link.

Uploading to C2
Password Dump

When the fake block synchronization is completed, the MoneroPay lock screen will appear and display the ransom note. This is also most likely the first time that the victim realizes that they have been infected with ransomware.

MoneroPay

This lock screen requests 0.3 Monero (XMR), or approximately $120 USD, in exchange for the decryption key. It is not known if anyone has paid the ransom and successfully decrypted their files.

CryptoCoin enthusiasts need to take extra precautions against malware

In order to protect yourself from ransomware, it is important that you use good computing habits and security software. First and foremost, you should always have a reliable and tested backup of your data that can be restored in the case of an emergency, such as a ransomware attack.

Cryptocoin enthusiasts unfortunately have to pay a bit more attention than most people. Cryptocoins have always had a history of infected wallets, malware used to steal coins, and more. Therefore it is absolutely important that anyone who downloads a new cryptocoin wallet first scan it using VirusTotal to make sure it's not infected.

Even if it comes up clean, I still suggest that you first test wallets using a virtual machine such as VirtualBox and only use wallets from known organizations. This is because even if a wallet comes up clean and does not display any outward malicious behavior, you still have no idea if it's doing something malicious behind the scenes.

You should also have security software that incorporates behavioral detection to combat ransomware, not just signature detection or heuristics. For example, Emsisoft Anti-Malware and Malwarebytes Anti-Malware both contain behavioral detection that can prevent many, if not most, ransomware infections from encrypting a computer.

Last, but not least, make sure you practice the following security habits, which in many cases are the most important steps of all:

  • Backup, Backup, Backup!
  • Do not open attachments if you do not know who sent them.
  • Do not open attachments until you confirm that the person actually sent them to you.
  • Scan attachments with tools like VirusTotal.
  • Make sure all Windows updates are installed as soon as they come out! Also make sure you update all programs, especially Java, Flash, and Adobe Reader. Older programs contain security vulnerabilities that are commonly exploited by malware distributors. Therefore it is important to keep them updated.
  • Make sure you have some sort of security software installed that uses behavioral detection or whitelisting technology. Whitelisting can be a pain to train, but if you're willing to stick with it, it can have the biggest payoff.
  • Use hard passwords and never reuse the same password at multiple sites.

For a complete guide on ransomware protection, you can visit our How to Protect and Harden a Computer against Ransomware article.

IOCs

MoneroPay Hashes:

boost.dll : DBDD00071ED88C6F3AFEB725222BC4118D79E918D970A5428AA48F2EB5280546
cryptonight.dll : EB53B107792809070865591C63E87FCF4CF30BB6863233C7BDBDD7B92BAA7CB3
spritecoind.exe : ABABB37A65AF7C8BDE0167DF101812CA96275C8BC367EE194C61EF3715228DDC
spritecoinwallet.exe : 6DCFD0A4C5E1F4BD137187D39590F8C5F2F29CECDB2DCDCE605B803145643CD3

Files associated with MoneroPay:

spritecoin\boost.dll
spritecoin\cryptonight.dll
spritecoin\spritecoind.exe
spritecoin\spritecoinwallet.exe

Registry entries associated with MoneroPay:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "MoneroPay" "MoneroPayAgent.exe"

MoneroPay Network Connections:

jmqapf3nflatei35.onion.link

MoneroPay Ransom Note:

Your files are encrypted

If you close this window, you can always restart and it should appear again.

All your files have been encrypted by us. This means you will be unable to access or use them. In orrder to retrieve them, you must sent 0.3 monero (about $120 USD) to:

[monero_address]

Make sure you include your payment ID:

Use CTRL+C to copy both

IF YOU DO NOT INCLUDE YOUR PAYMENT ID, YOUR FILES CANNOT BE DECRYPTED. Do not waste your time -- only we can decrypt your files.

If you have paid, click on the DECRYPT button to return your files to normal. Don't worry, we'll give you your files back if you pay.