Yesterday, Bleeping Computer's Lawrence Abrams came across a new ransomware family called Trump Locker based on the email address crooks listed in the ransom note, the title of the lock screen, and an image of US President Donald Trump the ransomware displayed before its ransom note.

After a close analysis by both Abrams and MalwareHunter, the two say this new ransomware is related to VenusLocker, a ransomware family discovered on August 4, 2016, and then received an update on December 23, 2016.

Based on current information, we cannot say for sure if Trump Locker is distributed by the same group that created VenusLocker, or if someone created Trump Locker as a near identical clone after reversing and copying VenusLocker's source code.

Trump Locker infection routine

Trump Locker infections start when a user launches the TrumpLocker.exe file. At the time of writing, we don't have any information on Trump Locker's distribution method and how this file reaches users.

When this file executes, the first thing it does is to connect to its C&C server by accessing the following URL:

https://3q27hfpradjovwyo.onion.cab/ran/gen.php?u=[computer-name]\[login-name]

By default, the C&C server responds with a public key to encrypt the victim's files with and the ransom amount in USD and Bitcoin. Currently, the ransom fee is set to 0.145 Bitcoin, which is around $165.

Trump Locker uses interesting encryption scheme

After receiving the public encryption key, the ransomware starts the file encryption process, which doesn't follow regular conventions.

Trump Locker has a list of files it targets for encryption, just like other ransomware families. What's different is that Trump Locker fully encrypts certain file types, while for others it only encrypts the first 1024 bytes of each file. This behavior has only been spotted in previous VenusLocker variants.

Files locked by Trump Locker ransomware

TrumpLocker will fully encrypt the following file types, and append the .TheTrumpLockerf extension at the end.

.txt, .ini, .php, .html, .css, .py, .c, .cpp, .cc, .h, .cs, .log, .pl, .java, .doc, .dot, .docx, .docm, .dotx, .dotm, .rtf, .wpd, .docb, .wps, .msg, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .class, .jar, .csv, .xml, .dwg, .dxf, .asp

Similarly, Trump Locker will partially encrypt the following file types, and append the .TheTrumpLockerp extension at the end.

.asf, .pdf, .xls, .docx, .xlsx, .mp3, .waw, .jpg, .jpeg, .txt, .rtf, .doc, .rar, .zip, .psd, .tif, .wma, .gif, .bmp, .ppt, .pptx, .docm, .xlsm, .pps, .ppsx, .ppd, .eps, .png, .ace, .djvu, .tar, .cdr, .max, .wmv, .avi, .wav, .mp4, .pdd, .php, .aac, .ac3, .amf, .amr, .dwg, .dxf, .accdb, .mod, .tax2013, .tax2014, .oga, .ogg, .pbf, .ra, .raw, .saf, .val, .wave, .wow, .wpk, .3g2, .3gp, .3gp2, .3mm, .amx, .rpt, .avs, .bik, .dir, .divx, .dvx, .evo, .flv, .qtq, .tch, .rts, .rum, .rv, .scn, .srt, .stx, .svi, .swf, .trp, .vdo, .wm, .wmd, .wmmp, .wmx, .wvx, .xvid, .3d, .3d4, .3df8, .pbs, .adi, .ais, .amu, .arr, .bmc, .bmf, .cag, .cam, .dng, .ink, .ini, .jif, .jiff, .jpc, .jpf, .jpw, .mag, .mic, .mip, .msp, .nav, .ncd, .odc, .odi, .opf, .qif, .xwd, .abw, .act, .adt, .aim, .ans, .asc, .ase, .bdp, .bdr, .bib, .boc, .crd, .diz, .dot, .dotm, .dotx, .dvi, .dxe, .mlx, .err, .euc, .faq, .fdr, .fds, .gthr, .idx, .kwd, .lp2, .ltr, .man, .mbox, .msg, .nfo, .now, .odm, .oft, .pwi, .rng, .rtx, .run, .ssa, .text, .unx, .wbk, .wsh, .7z, .arc, .ari, .arj, .car, .cbr, .cbz, .gz, .gzig, .jgz, .pak, .pcv, .puz, .rev, .sdn, .sen, .sfs, .sfx, .sh, .shar, .shr, .sqx, .tbz2, .tg, .tlz, .vsi, .wad, .war, .xpi, .z02, .z04, .zap, .zipx, .zoo, .ipa, .isu, .jar, .js, .udf, .adr, .ap, .aro, .asa, .ascx, .ashx, .asmx, .asp, .indd, .asr, .qbb, .bml, .cer, .cms, .crt, .dap, .htm, .moz, .svr, .url, .wdgt, .abk, .bic, .big, .blp, .bsp, .cgf, .chk, .col, .cty, .dem, .elf, .ff, .gam, .grf, .h3m, .h4r, .iwd, .ldb, .lgp, .lvl, .map, .md3, .mdl, .nds, .pbp, .ppf, .pwf, .pxp, .sad, .sav, .scm, .scx, .sdt, .spr, .sud, .uax, .umx, .unr, .uop, .usa, .usx, .ut2, .ut3, .utc, .utx, .uvx, .uxx, .vmf, .vtf, .w3g, .w3x, .wtd, .wtf, .ccd, .cd, .cso, .disk, .dmg, .dvd, .fcd, .flp, .img, .isz, .mdf, .mds, .nrg, .nri, .vcd, .vhd, .snp, .bkf, .ade, .adpb, .dic, .cch, .ctt, .dal, .ddc, .ddcx, .dex, .dif, .dii, .itdb, .itl, .kmz, .lcd, .lcf, .mbx, .mdn, .odf, .odp, .ods, .pab, .pkb, .pkh, .pot, .potx, .pptm, .psa, .qdf, .qel, .rgn, .rrt, .rsw, .rte, .sdb, .sdc, .sds, .sql, .stt, .tcx, .thmx, .txd, .txf, .upoi, .vmt, .wks, .wmdb, .xl, .xlc, .xlr, .xlsb, .xltx, .ltm, .xlwx, .mcd, .cap, .cc, .cod, .cp, .cpp, .cs, .csi, .dcp, .dcu, .dev, .dob, .dox, .dpk, .dpl, .dpr, .dsk, .dsp, .eql, .ex, .f90, .fla, .for, .fpp, .jav, .java, .lbi, .owl, .pl, .plc, .pli, .pm, .res, .rsrc, .so, .swd, .tpu, .tpx, .tu, .tur, .vc, .yab, .aip, .amxx, .ape, .api, .mxp, .oxt, .qpx, .qtr, .xla, .xlam, .xll, .xlv, .xpt, .cfg, .cwf, .dbb, .slt, .bp2, .bp3, .bpl, .clr, .dbx, .jc, .potm, .ppsm, .prc, .prt, .shw, .std, .ver, .wpl, .xlm, .yps, .1cd, .bck, .html, .bak, .odt, .pst, .log, .mpg, .mpeg, .odb, .wps, .xlk, .mdb, .dxg, .wpd, .wb2, .dbf, .ai, .3fr, .arw, .srf, .sr2, .bay, .crw, .cr2, .dcr, .kdc, .erf, .mef, .mrw, .nef, .nrw, .orf, .raf, .rwl, .rw2, .r3d, .ptx, .pef, .srw, .x3f, .der, .pem, .pfx, .p12, .p7b, .p7c, .jfif, .exif, .docb, .xlt, .xltm, .xlw, .ppam, .sldx, .sldm, .class, .db, .pdb, .dat, .csv, .xml, .spv, .grle, .sv5, .game, .slot, .aaf, .aep, .aepx, .plb, .prel, .prproj, .eat, .ppj, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .svg, .as3, .as

When performing the encryption, Trump Locker first checks if the file extension is in the full encryption list first. If it is, it fully encrypts the file regardless of whether that same extension is also in the partial list.

When encrypting files it will base64 encode the original filename and then append the encrypted extension at the end. This operation makes the identification of sensitive files much harder.

Trump Locker's different encryption models
Trump Locker's different encryption models

The encryption process is also where MalwareHunterTeam spotted the similarities between Trump Locker's and VenusLocker's source code.

Trump Locker's encryption code
Trump Locker's encryption code
VenusLocker's encryption code
VenusLocker's encryption code

Another place where these two ransomware families are alike is the folder exclusion list, which is a list of words that the ransomware uses to check folder names and skip encrypting files for certain directory paths. For both ransomware families, Trump Locker and VenusLocker, this list is identical.

Trump Locker's exemptions list
Trump Locker's exemptions list
VenusLocker's exemptions list
VenusLocker's exemptions list

Once the encryption process ends, Trump Locker will now focus on showing its ransom demands. This happens in three ways, through a convoluted process.

First, the ransomware drops a file named "What happen to my files.txt" on the user's desktop, pictured below.

Trump Locker text file ransom note
Trump Locker text file ransom note

Then, Trump Locker drops a file named uinf.uinf on disk, which contains the responses from the C&C server. This file acts like a configuration file and is used by the RansomNote.exe program.

The following step is for Trump Locker to extract a file named RansomNote.exe from the main installer (TrumpLocker.exe), which it drops on the user's desktop.

After this, the ransom executes the following command, which deletes local shadow volume copies, making recovery of previous files versions impossible.

C:\\Windows\\system32\\wbem\\wmic.exe shadowcopy delete&exit

The next step is to change the user's wallpaper with the following image, which it downloads from this Imgur URL:

http://i.imgur.com/g4Ly4AD.jpg
Trump Locker desktop wallpaper
Trump Locker desktop wallpaper

The final state is to execute the RansomNote.exe file, the ransomware left in an earlier step on the user's desktop. When this file executes, it shows a splash image portraying Donald Trump and the text "YOU ARE HACKED!!"

Trump Locker temporary splash image
Trump Locker temporary splash image

This image doesn't stay long on the victim's screen and is replaced by a new window, which shows ransom payment information. Once again, this is another dead giveway that TrumpLocker and VenusLocker are related, as both screens are nearly identical.

Trump Locker ransom window
Trump Locker ransom window
VenusLocker ransom window
VenusLocker ransom window

To make sure this window shows app after users restart their computers, Trump Locker also adds a registry key which automatically launches the RansomNote.exe file with each boot-up.

If you suspect you've been infected with Trump Locker, the ID-Ransomware service can help you confirm your infection, as the service was updated today to handle TrumLocker detections.

IOCs:

SHA256 Hash (VT Scan):

08bd44c06513a5b490595560dc5eefff70f2ececfe72c6b9817310238038ef6c

Ransom note text:

--- The Trump Locker ---
Unfortunately, you are hacked.
1. What happened to my files?
Your personal files, including your photos, documents, videos and other important files on this computer, have been encrypted with RSA-4096, the strongest encryption algorithm. RSA algorithm generates a public key and a private key for your computer. The public key was used to encrypt your files a moment ago. The private key is necessary for you to decrypt and recover your files. Now, your private key is stored on our secret Internet server. And there is no doubt that no one can recover your files without your private key.
For further information about RSA algorithm, please refer to https://en.wikipedia.org/wiki/RSA_(cryptosystem)
2. How to decrypt my files?
To decrypt and recover your files, you have to pay #ramt# US Dollars for the private key and decryption service. Please note that you have ONLY 72 HOURS to complete your payment. If your payment do not be completed within time limit, your private key will be deleted automatically by our server. All your files will be permanently encrypted and nobody can recover them. Therefore, it is advised that you'd better not waste your time, because there is no other way to recover your files except making a payment.
3. How to pay for my private key?
There are three steps to make a payment and recover your files:
1). For the security of transactions, all the payments must be completed via Bitcoin network. Thus, you need to exchange #ramt# US dollars (or equivalent local currencies) to Bitcoins, and then send these Bitcoins (about #btc# BTC) to the following address. 1N82pq3XovKoJYqUmTrRiXftpNHZyu4jyv
2). Send your personal ID to our official email: TheTrumpLocker@mail2tor.com
Your personal ID is: #id#
3). You will receive a decryptor and your private key to recover all your files within one working day.
4. What is Bitcoin?
Bitcoin is an innovative payment network and a new kind of money. It is based on an open-source cryptographic protocol that is independent of any central authority. Bitcoins can be transferred through a computer or a smartphone withour an intermediate financial institution.
5. How to make a payment with Bitcoin?
You can make a payment with Bitcoin based on Bitcoin Wallet or Based on Perfect Money. You can choose the way that is more convenient for you.
About Based on Bitcoin Wallet
1) Create a Bitcoin Wallet. We recommend Blockchain.info (https://blockchain.info/)
2) Buy necessary amount of Bitcoins. Our recommendations are as follows.
LocalBitcoins.com -- the fastest and easiest way to buy and sell Bitcoins.
CoinCafe.com -- the simplest and fastest way to buy, sell and use Bitcoins.
BTCDirect.eu -- the best for Europe.
CEX.IO -- Visa / MasterCard
CoinMama.com -- Visa / MasterCard
HowToBuyBitcoins.info -- discover quickly how to buy and sell Bitcoins in your local currency.
3) As mentioned above, send about #btc# BTC (equivalent to #ramt# USD) to our Bitcoin receiving address.
4) As mentioned above, and then, send us your personal ID via email, you will receive your private key soon.
About Based on Perfect Money
1) Create a Perfect Money account. (https://perfectmoney.is)
2) Visit to PMBitcoin.com. (https://pmbitcoin.com/btc)
input our Bitcoin receiving address in the \"Bitcoin Wallet\" textbox.
input #ramt# in the \"Amount\" textbox, the amount of Bitcoin will be calculated automatically.
click \"PAY\" button, then you can complete you payment with your Perfect Money account and local debit card.
6. If you have any problem, please feel free to contact us via official email.
Best Regards
The Trump Locker Team

Email  address:

TheTrumpLocker@mail2tor.com

Folders excluded from encryption:

Program Files, Program Files (x86), Windows, Python27, Python34, AliWangWang, Avira, wamp, Avira, 360, ATI, Google, Intel, Internet Explorer, Kaspersky Lab, Microsoft Bing Pinyin, Microsoft Chart Controls, Microsoft Games, Microsoft Office, Microsoft.NET, MicrosoftBAF, MSBuild, QQMailPlugin, Realtek, Skype, Reference Assemblies, Tencent, USB Camera2, WinRAR, Windows Sidebar, Windows Portable Devices, Windows Photo Viewer, Windows NT, Windows Media Player, Windows Mail, NVIDIA Corporation, Adobe, IObit, AVAST Software, CCleaner, AVG, Mozilla Firefox, VirtualDJ, TeamViewer, ICQ, java, Yahoo!

Bitcoin address:

1N82pq3XovKoJYqUmTrRiXftpNHZyu4jyv

Files:

%Desktop%\RansomNote.exe - RansomNote exec
%Desktop%\What happen to my files.txt - Ransom Note
%Temp%\uinf.uinf - Information received from Command & Control Server

Registry keys:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\TheTrumpLocker    %Desktop%\RansomNote.exe

Network Communication:

https://3q27hfpradjovwyo.onion.cab