A new ransomware called MoneroPay has been discovered that tries to take advantage of the cryptocurrency craze by spreading itself as a wallet for a fake coin called SpriteCoin. While users were installing what they thought was a new cryptocoin, MoneroPay was silently encrypting the files on the computer.
First discovered by security researcher MalwareHunterTeam, this ransomware started distribution around January 6th in a topic posted to the largest cryptocoin forum called BitcoinTalk. This topic was used to announce the release of a new Altcoin called SpriteCoin.
Tweet by Ubiq ANN Bot (@ubiqannbot), January 7, 2018: "[ANN] [SPR] Spritecoin Alpha Test https://t.co/Pj5xpeheuI"
The forum topic contained a link to an offline site that contained a brief page about SpriteCoin with a further link to a wallet.
While this topic has since been removed, it was posted in the site's Altcoin discussion forum, which is a common place for cryptocurrency developers to announce new coins. With cryptocurrency being so hot right now, and potentially very lucrative, when a new coin is launched many people quickly download the coin's wallet in order to begin mining it before its difficulty increases too much.
Once a user downloaded and ran the wallet, it would load up and go through what appeared to be a normal setup for a new cryptocoin wallet.
As there have been many false positives regarding wallets in the past, some miners disable their AV when testing new wallets. The MoneroPay ransomware was banking on this knowledge as a good way to get the ransomware installed quietly and without the user knowing until it was too late.
When you install a cryptocoin wallet for the first time, the wallet first needs to connect to the coin's network and synchronize itself with the blockchain. Depending on how many coins have already been mined and the speed of the network, this process can take a long time.
Knowing this, the ransomware developer started encrypting the computer while the SpriteCoin wallet pretended to download and synchronize the blockchain. As this normally takes a long time and could cause a lot of hard drive activity, it was the perfect cover for the MoneroPay ransomware.
When encrypting a computer, MoneroPay targets files that have the following extensions:
txt, doc, rtf, cpp, tcl, html, ppt, docx, xls, xlsx, pptx, key, pem, psd, mkv, mp4, ogv, zip, jpg, jpeg, work, pyw, hpp, cgi, rar, lua, img, iso, webm, jar, java, class, one, htm, css, vbs, eps, psf, png, apk, ps1, wallet.dat
Of particular interest is that the ransomware appears to be targeting extensions that are associated with programming languages. This may be because cryptocoin wallets tend to be used by those who are more technically inclined.
When encrypting a file, MoneroPay will append the .encrypted extension to the encrypted file's name. For example, test.png would be renamed to test.png.encrypted.
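As an added illustration (not code from the article), the following Python triage helper uses the extension list and the .encrypted naming described above to pick out MoneroPay-style file names from a file listing and count them by original extension; the sample paths are constructed.

```python
from collections import Counter
from pathlib import PureWindowsPath

# Extensions MoneroPay targets, as listed in the article; wallet.dat is a full file name.
TARGET_EXTS = {
    "txt", "doc", "rtf", "cpp", "tcl", "html", "ppt", "docx", "xls", "xlsx",
    "pptx", "key", "pem", "psd", "mkv", "mp4", "ogv", "zip", "jpg", "jpeg",
    "work", "pyw", "hpp", "cgi", "rar", "lua", "img", "iso", "webm", "jar",
    "java", "class", "one", "htm", "css", "vbs", "eps", "psf", "png", "apk", "ps1",
}
TARGET_NAMES = {"wallet.dat"}
ENC_SUFFIX = ".encrypted"

def encrypted_original(path):
    """Return the pre-encryption file name if path looks like MoneroPay output, else None."""
    # MoneroPay appends .encrypted to the whole name (test.png -> test.png.encrypted),
    # so the original extension is still readable in front of the suffix.
    name = PureWindowsPath(path).name
    if not name.lower().endswith(ENC_SUFFIX):
        return None
    original = name[: -len(ENC_SUFFIX)]
    low = original.lower()
    if low in TARGET_NAMES:
        return original
    ext = low.rsplit(".", 1)[1] if "." in low else ""
    return original if ext in TARGET_EXTS else None

def triage(paths):
    """Count flagged files per original extension (wallet.dat is counted under its own name)."""
    counts = Counter()
    for p in paths:
        original = encrypted_original(p)
        if original is None:
            continue
        low = original.lower()
        counts[low if low in TARGET_NAMES else low.rsplit(".", 1)[1]] += 1
    return dict(counts)

# Constructed sample of a file listing from a suspected victim (not from the article).
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\test.png.encrypted",
    r"C:\Users\alice\Documents\notes.txt",          # untouched file
    r"C:\Users\alice\src\main.cpp.encrypted",
    r"C:\Users\alice\src\main.cpp.bak.encrypted",   # .bak is not a targeted extension
    r"C:\Users\alice\wallet.dat.encrypted",
    r"C:\Users\alice\Videos\clip.avi.encrypted",    # .avi is not a targeted extension
]

if __name__ == "__main__":
    print(triage(SAMPLE_PATHS))  # {'png': 1, 'cpp': 1, 'wallet.dat': 1}
```

Files ending in .encrypted whose original extension is not on the list are left unflagged, so they stand out for manual review rather than being silently attributed to this family.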
While the ransomware is running, it will also attempt to retrieve passwords stored in Firefox and Chrome. These passwords, as well as information about the victim and their computer, are uploaded to a C2 server located at jmqapf3nflatei35.onion.link.
When the fake block synchronization is completed, the MoneroPay lock screen will appear and display the ransom note. This is also most likely the first time that the victim realizes that they have been infected with ransomware.
This lock screen requests 0.3 Monero (XMR), or approximately $120 USD, in exchange for the decryption key. It is not known if anyone has paid the ransom and successfully decrypted their files.
In order to protect yourself from ransomware, it is important that you use good computing habits and security software. First and foremost, you should always have a reliable and tested backup of your data that can be restored in the case of an emergency, such as a ransomware attack.
For cryptocoin enthusiasts, you unfortunately have to pay a bit more attention than most people. Cryptocoins have always had a history of wallets being infected, people using malware to steal coins, and more. Therefore it is absolutely important that anyone who downloads a new cryptocoin wallet first scan it using VirusTotal to make sure it's not infected.
Even if it comes up clean, I still suggest that you first test wallets using a virtual machine such as VirtualBox and only use wallets from known organizations. This is because even if a wallet comes up clean and does not display any outward malicious behavior, you still have no idea if it's doing something malicious behind the scenes.
You should also have security software that incorporates behavioral detections to combat ransomware and not just signature detections or heuristics. For example, Emsisoft Anti-Malware and Malwarebytes Anti-Malware both contain behavioral detection that can prevent many, if not most, ransomware infections from encrypting a computer.
Last, but not least, make sure you practice the following security habits, which in many cases are the most important steps of all:
For a complete guide on ransomware protection, you can visit our How to Protect and Harden a Computer against Ransomware article.
Hashes:
boost.dll : DBDD00071ED88C6F3AFEB725222BC4118D79E918D970A5428AA48F2EB5280546
cryptonight.dll : EB53B107792809070865591C63E87FCF4CF30BB6863233C7BDBDD7B92BAA7CB3
spritecoind.exe : ABABB37A65AF7C8BDE0167DF101812CA96275C8BC367EE194C61EF3715228DDC
spritecoinwallet.exe : 6DCFD0A4C5E1F4BD137187D39590F8C5F2F29CECDB2DCDCE605B803145643CD3
Files associated with the SpriteCoin wallet:
spritecoin\boost.dll
spritecoin\cryptonight.dll
spritecoin\spritecoind.exe
spritecoin\spritecoinwallet.exe
Registry entry:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "MoneroPay" "MoneroPayAgent.exe"
Ransom note text:
Your files are encrypted
If you close this window, you can always restart and it should appear again.
All your files have been encrypted by us. This means you will be unable to access or use them.
In orrder to retrieve them, you must sent 0.3 monero (about $120 USD) to: [monero_address]
Make sure you include your payment ID:
Use CTRL+C to copy both
IF YOU DO NOT INCLUDE YOUR PAYMENT ID, YOUR FILES CANNOT BE DECRYPTED.
Do not waste your time -- only we can decrypt your files.
If you have paid, click on the DECRYPT button to return your files to normal.
Don't worry, we'll give you your files back if you pay.