A new ransomware dubbed the Magic Ransomware has been discovered that encrypts your data using AES encryption, adds the .magic extension to encrypted files, and then demands 1 bitcoin to get the data back. This ransomware is created in C# and when decompiled quickly become apparent that it is almost an exact copy of the open-source ransomware called eda2. The eda2 ransomware, along with the Hidden Tear ransomware, was publicly published by someone who claims they did it for educational purposes. Whether that be the case or not, the code is actively being used by malware developers and causing major problems for those who are affected.
The malware developers who operate the more notorious ransomware programs like CryptoWall, TeslaCrypt, and CTB-Locker obviously have a lot of technical knowledge under their belt in order to keep their servers up and running while under the scrutiny of numerous security researchers and law enforcement agencies. Those who have been using the eda2 ransomware kit appear to be of a much lower level skill set.
This is because the eda2 ransomware kit contains everything a would-be criminal needs in order to create their very own ransomware. This kit includes the code for not only the ransomware executable and the encryption algorithm, but also the PHP web panel that acts as a Command & Control server for storing the encryption keys of victims. Unfortunately, the only people who are using this freely available code are those who are not advanced enough to properly utilize it.
That means that instead of using robust and hidden Command & Control servers, these distributors use C2 servers hosted on free web sites services. Though this means that they can easily be taken down, it also means that the free web hosting provider may delete the decryption key databases before security researchers or the authorities can access them. If this database is deleted, then the victims lose the ability to retrieve their keys.
At this time, the Command & Control server being utilized for this ransomware has been removed by the free web hosting service provider. I have reached out to them to see if we can get a copy of the database so that a decrypter could be built for those who are affected.
It is currently unknown how the ransomware is being distributed, but there have been reports that user's come back to the computer to suddenly find that their data has been encrypted. Therefore, it is possible that the developer was distributing it manually through hacked terminal services or remote desktop.
The installer for this ransomware is an executable called magic.exe that once installed will request a RSA public key from the Command & Control server and use that key to encrypt the AES key used to encrypt the files on the victim's computer. This encrypted AES key is then sent back to the Command & Control server where it is stored. When encrypting the computer it will scan all drives on the infected computer for files that match certain file extensions. When it detects a matching file it will encrypt the file using AES encryption and append the .magic extension to it. While encrypting, the Magic Ransomware will not encrypt any files located in directories that contain the string $, C:\Windows, or c:\program.
The list of file extensions it encrypts are:
.asf, .pdf, .xls, .docx, .xlsx, .mp3, .waw, .jpg, .jpeg, .txt, .rtf, .doc, .rar, .zip, .psd, .tif, .wma, .gif, .bmp, .ppt, .pptx, .docm, .xlsm, .pps, .ppsx, .ppd, .eps, .png, .ace, .djvu, .tar, .cdr, .max, .wmv, .avi, .wav, .mp4, .pdd, .php, .aac, .ac3, .amf, .amr, .dwg, .dxf, .accdb, .mod, .tax2013, .tax2014, .oga, .ogg, .pbf, .ra, .raw, .saf, .val, .wave, .wow, .wpk, .3g2, .3gp, .3gp2, .3mm, .amx, .avs, .bik, .dir, .divx, .dvx, .evo, .flv, .qtq, .tch, .rts, .rum, .rv, .scn, .srt, .stx, .svi, .swf, .trp, .vdo, .wm, .wmd, .wmmp, .wmx, .wvx, .xvid, .3d, .3d4, .3df8, .pbs, .adi, .ais, .amu, .arr, .bmc, .bmf, .cag, .cam, .dng, .ink, .jif, .jiff, .jpc, .jpf, .jpw, .mag, .mic, .mip, .msp, .nav, .ncd, .odc, .odi, .opf, .qif, .xwd, .abw, .act, .adt, .aim, .ans, .asc, .ase, .bdp, .bdr, .bib, .boc, .crd, .diz, .dot, .dotm, .dotx, .dvi, .dxe, .mlx, .err, .euc, .faq, .fdr, .fds, .gthr, .idx, .kwd, .lp2, .ltr, .man, .mbox, .msg, .nfo, .now, .odm, .oft, .pwi, .rng, .rtx, .run, .ssa, .text, .unx, .wbk, .wsh, .7z, .arc, .ari, .arj, .car, .cbr, .cbz, .gz, .gzig, .jgz, .pak, .pcv, .puz, .rev, .sdn, .sen, .sfs, .sfx, .sh, .shar, .shr, .sqx, .tbz2, .tg, .tlz, .vsi, .wad, .war, .xpi, .z02, .z04, .zap, .zipx, .zoo, .ipa, .isu, .jar, .js, .udf, .adr, .ap, .aro, .asa, .ascx, .ashx, .asmx, .asp, .indd, .asr, .qbb, .bml, .cer, .cms, .crt, .dap, .htm, .moz, .svr, .url, .wdgt, .abk, .bic, .big, .blp, .bsp, .cgf, .chk, .col, .cty, .dem, .elf, .ff, .gam, .grf, .h3m, .h4r, .iwd, .ldb, .lgp, .lvl, .map, .md3, .mdl, .nds, .pbp, .ppf, .pwf, .pxp, .sad, .sav, .scm, .scx, .sdt, .spr, .sud, .uax, .umx, .unr, .uop, .usa, .usx, .ut2, .ut3, .utc, .utx, .uvx, .uxx, .vmf, .vtf, .w3g, .w3x, .wtd, .wtf, .ccd, .cd, .cso, .disk, .dmg, .dvd, .fcd, .flp, .img, .isz, .mdf, .mds, .nrg, .nri, .vcd, .vhd, .snp, .bkf, .ade, .adpb, .dic, .cch, .ctt, .dal, .ddc, .ddcx, .dex, .dif, .dii, .itdb, .itl, .kmz, .lcd, .lcf, .mbx, .mdn, .odf, .odp, .ods, .pab, .pkb, .pkh, .pot, .potx, .pptm, .psa, .qdf, .qel, .rgn, .rrt, .rsw, .rte, .sdb, .sdc, .sds, .sql, .stt, .tcx, .thmx, .txd, .txf, .upoi, .vmt, .wks, .wmdb, .xl, .xlc, .xlr, .xlsb, .xltx, .ltm, .xlwx, .mcd, .cap, .cc, .cod, .cp, .cpp, .cs, .csi, .dcp, .dcu, .dev, .dob, .dox, .dpk, .dpl, .dpr, .dsk, .dsp, .eql, .ex, .f90, .fla, .for, .fpp, .jav, .java, .lbi, .owl, .pl, .plc, .pli, .pm, .res, .rsrc, .so, .swd, .tpu, .tpx, .tu, .tur, .vc, .yab, .aip, .amxx, .ape, .api, .mxp, .oxt, .qpx, .qtr, .xla, .xlam, .xll, .xlv, .xpt, .cfg, .cwf, .dbb, .slt, .bp2, .bp3, .bpl, .clr, .dbx, .jc, .potm, .ppsm, .prc, .prt, .shw, .std, .ver, .wpl, .xlm, .yps, .1cd, .bck, .html, .bak, .odt, .pst, .log, .mpg, .mpeg, .odb, .wps, .xlk, .mdb, .dxg, .wpd, .wb2, .dbf, .ai, .3fr, .arw, .srf, .sr2, .bay, .crw, .cr2, .dcr, .kdc, .erf, .mef, .mrw, .nef, .nrw, .orf, .raf, .rwl, .rw2, .r3d, .ptx, .pef, .srw, .x3f, .der, .pem, .pfx, .p12, .p7b, .p7c, .jfif, .exif
After it has finished encrypting the drives it will create a batch file called deleteMyProgram.bat and execute it. This batch file will use vssadmin.exe to clear the victim's Shadow Volume Copies and then delete the malware executable.
Finally, there will be ransom notes left on the desktop called DECRYPT.TXT and DECRYPT_ReadMe.TXT.ReadMe that explain what has happened. This ransom note uses a static bitcoin payment address of 1LXFUhLtEnJYTo2YyMhdUCBaHcgc6LaLfR, which has had no payments sent to it as of yet. The ransom note states that you must pay 1 bitcoin to the enclosed bitcoin address and then send an email to email@example.com, firstname.lastname@example.org, or email@example.com to receive instructions on how to decrypt your files.