A new in-development ransomware was discovered that has an interesting characteristic. Instead of the distributed executable performing the ransomware functionality, the executables compiles an embedded encrypted C# program at runtime and launches it directly into memory.

Discovered by MalwareHunterTeam, this ransomware contains an encrypted string that is embedded into the dropper as shown below.

Encrypted String
Encrypted String

This string is then decrypted using an included decryption key.

Function that decrypts string
Function that decrypts string

Now that the source code for the ransomware executable has been decrypted, the decrypted code is sent to another function that compiles it using the CSharpCodeProvider class and launches it directly into memory.

Compiling the source code
Compiling the source code

This method is probably being used to prevent the dropper from being detected by security software as any malicious behavior is hidden inside the encrypted string.

As for the ransomware itself, other than it saving the decryption key and IV to a file on the desktop, it is fully functional. Therefore, it wouldn't be surprising to see the ransomware being distributed at some point.

When executed, it will encrypt the files on the victim's computer and rename the files using the template sequre@tuta.io_[hex]. For example, a file called 11.jpg would be encrypted and renamed to sequre@tuta.io_31312E6A7067 .

Encrypted Folder
Encrypted Folder

In each folder that is scanned, a ransom note named HOW DECRIPT FILES.hta is created, which provides payment instructions as shown below.

Ransom Note
Ransom Note

While this ransomware is still in development, it does use an interesting feature that we have not seen in ransomware before. This goes to show how attackers continue to try and think up new ways to bypass security programs that protect your computer.

Related Articles:

The Week in Ransomware - November 9th 2018 - Mostly Dharma Variants

SEO Poisoning Campaign Targeting U.S. Midterm Election Keywords

The Week in Ransomware - November 2nd 2018 - RaaS, DiskCryptor, & More

New Ransomware using DiskCryptor With Custom Ransom Message

CommonRansom Ransomware Demands RDP Access to Decrypt Files