Over the past month, I have seen that many of the "minor", or less heavily distributed, ransomware infections have taken to including pop culture references in their lock screens rather than just focusing on getting paid. This can be seen with a new ransomware discovered by Michael Gillespie that  pays homage to Voldemort, the villain in the popular Harry Potter series.

Nagini Lock Screen
Nagini Lock Screen

Named after Voldemort's pet snake named Nagini, this ransomware is currently under development and is designed only to work on a particular test system. What is interesting, is that instead of asking for a ransom payment in bitcoins, it is asking for users to enter a credit card number instead.

When viewing the strings in the executable, we find a few that are interesting. For example, the embedded PDB string shows that the developer who created this ransomware goes by the name Colosseum.

C:\Users\Colosseum\documents\visual studio 2013\Projects\Cryptolocker\Release\Cryptolocker.pdb

Furthermore, as this ransomware is currently in development mode it is only targeting the .doc, .docx, .ppt, .pptx, .xls, .xlsx, .bmp, .png, .jpg, .jpeg, .exe, and .pdf file extensions and only files found in the C:\Users\Colosseum\Desktop\files\ folder. Last, but not least, this ransomware looks for a file called C:\Temp\voldemort.horcrux, but the purpose of this file is currently unknown.

Files associated with the Nagini Ransomware


Registry entries associated with the Nagini Ransomware:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run "Voldemort" = "[path_to]\Nagini.exe"


SHA256: a1b0c47cc5d2ecb8ea634f436764c0b17c8ed59cc144739c77c069970642a102