While most ransomware demand money, usually in the form of bitcoins, once in a while we see one that demands an alternate payment. These demands could be a change in government policy or a silly request, but this is the first time we have found a malware demanding nude pictures in return to getting access to their computer back.

Discovered by MalwareHunterTeam, nRansom locks your computer and then demands that the victim send 10 nude pictures of themselves to a listed email address in order to unlock their computer.

nRansom Lock Screen
nRansom Lock Screen

This malware is clearly a joke with its use of a Thomas & Friends picture, a demand that states that they are going to sell your nudes on underground sites after you send them, and the looping of the Curb Your Enthusiasm TV show music. My guess, is that this malware was created by someone to troll their friends with a silly little infection that is easily removed.

nRansom is a Locker, not a Ransomware

While the ransmomware demands a ransom in the form of 10 nude pictures that they will then sell on the dark web, this is just to unlock the computer. nRansom does not encrypt any files in any way.

When executed, it extracts a Visual Basic program called nRansom.exe, some supporting DLLs, and a MP3 called your-mom-gay.mp3 to a random named folder in the %Temp% folder. Once the files are extracted, the launcher will execute the nRansom.exe program.

Once nRansom.exe is run, it will display a silly lock screen with a tiled Thomas & Friends background that asks for nude pics and then plays the your-mom-gay.mp3 MP3, which is the song Frolic that is most known for being the theme music to the Curb Your Enthusiasm show. This lock screen will tell the victim to send 10 nude pictures to the email address 1_kill_yourself_1@protonmail.com, which has already been disabled by Protonmail.

This locker is very buggy, clearly not meant for distribution, and does not work correctly as can be seen in the video below.

As already stated, this is not a ransomware and simply a locker. That means you just need to enter a code to unlock the screen as shown below. This code is 12345.

Unlock Source Code
nRansom Unlock Source

The program is also buggy in how it unlocks itself. Even when you enter the correct code, pressing the unlock button does not do anything other than to try and remove a from a location that it does not exist in.

Unlock Source Code
Unlock Source Code

The only way to terminate it is to manually minimize the screen and just end the nRansom.exe process.

Overall, while the demand is comical, nRansom is nothing but a joke malware and nothing to be worried about. 


IOCs

nRansom Hash:

SHA256: c89944f9ec704c2b8da3a1acf726699022e7c68334110f72007d762217a9a4a5

nRansom Ransom Note:

go to protonmail.com and create an account.
Send an email to 1_kill_yourself_1@protonmail.com.
We will not respond immediatly. After we reply, you
must send at least 10 nude pictures of you. After that
we will have to verify that the nudes belong to you.
Once you are verified, we will give you your unlock code
and sell your nudes on the deep web

nRansom Files:

%Temp%\[random].tmp\AxInterop.WMPLib.dll
%Temp%\[random].tmp\Interop.WMPLib.dll
%Temp%\[random].tmp\nRansom.exe
%Temp%\[random].tmp\Tools\
%Temp%\[random].tmp\Tools\your-mom-gay.mp3

nRansom Contact Email:

1_kill_yourself_1@protonmail.com