A new DetoxCrypto Ransomware variant called the Nullbyte Ransomware has been discovered by Emsisoft security researcher xXToffeeXx. It pretends to be the popular Pokemon Go bot application called NecroBot. Once a victim is infected, the ransomware encrypts their files and then demands .1 bitcoins to decrypt them. Thankfully, Michael Gillespie was able to create a decryptor so that victims can get their files back for free.
This ransomware is distributed from a Github project that pretends to be a rebuilt version of the NecroBot application, in the hope that people will download it thinking it is the legitimate application.
When someone downloads and executes the application it will show the standard NecroBot interface asking for the victim to login.
If any login info, real or fake, is entered and the Login button is pressed, the program will pretend to try to log in to the NecroBot servers. In the background, though, the ransomware steals the entered credentials by uploading them to the command and control server and then begins to encrypt the victim's files.
When finished, the ransomware will display its lock screen that prompts a user to pay .1 bitcoins to decrypt the files.
According to further analysis by MalwareHunterTeam, the Nullbyte ransomware will encrypt files using AES encryption and then append the _nullbyte extension to encrypted files. For example, test.jpg would become test.jpg_nullbyte when the file is encrypted.
When encrypting files, the Nullbyte ransomware will encrypt any file located in the following folders:

%USERPROFILE%\Documents
%USERPROFILE%\Downloads
%USERPROFILE%\Favorites
%USERPROFILE%\Pictures
%USERPROFILE%\Music
%USERPROFILE%\Videos
%USERPROFILE%\Contacts
%USERPROFILE%\Desktop
While running, this ransomware will also terminate the chrome, cmd, taskmgr, firefox, iexplore, and opera processes. This is done to make it difficult to remove the ransomware or search for help on the web.
Last, but not least, the ransomware will generate a screenshot of the currently active Windows screens and upload it to the ransomware's command & control server. At this time, it is unknown how the screenshot is used, but it could be used for possible information theft or blackmailing.
Below is a screenshot of the decryptor decrypting files encrypted by this ransomware.
Files associated with the Nullbyte Ransomware:

%UserProfile%\Desktop\DecryptInfo.exe
%UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost32.exe
%UserProfile%\Documents\bg.jpg
%UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DecryptInfo.exe
%UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\enhost32.exe
Network communication associated with the Nullbyte Ransomware:

https://tools.feron.it/php/ip.php
ftp://ftp.taylorchensportfolio.netai.net/DECRYPTINFO-LAUNCHED
ftp://ftp.taylorchensportfolio.netai.net/DECRYPT-REQUEST
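The encryption behaviour (the `_nullbyte` suffix and the eight target folders) and the file artifacts listed above can be turned into a simple host triage check. This is an added example, not code from the article or from the decryptor; the `C:\Users\victim` profile path and the sample file listing are constructed for illustration.

```python
from pathlib import PureWindowsPath

NULLBYTE_SUFFIX = "_nullbyte"

# Folders the article says the ransomware encrypts, relative to %USERPROFILE%.
TARGET_FOLDERS = {"Documents", "Downloads", "Favorites", "Pictures",
                  "Music", "Videos", "Contacts", "Desktop"}

# Payload and persistence files named in the article, relative to %USERPROFILE%.
STARTUP = r"AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
KNOWN_ARTIFACTS = {
    r"Desktop\DecryptInfo.exe",
    r"Documents\bg.jpg",
    STARTUP + r"\svhost32.exe",
    STARTUP + r"\DecryptInfo.exe",
    STARTUP + r"\enhost32.exe",
}
_ARTIFACTS_CI = {a.lower() for a in KNOWN_ARTIFACTS}

def original_name(path):
    """Strip the appended suffix (test.jpg_nullbyte -> test.jpg); None if absent."""
    name = PureWindowsPath(path).name
    if name.lower().endswith(NULLBYTE_SUFFIX):
        return name[: -len(NULLBYTE_SUFFIX)]
    return None

def triage(paths, user_profile=r"C:\Users\victim"):
    """Sort observed paths into encrypted files, known artifacts and oddities."""
    base = PureWindowsPath(user_profile)  # assumed %USERPROFILE% value
    result = {"encrypted": [], "artifacts": [], "out_of_scope": []}
    for p in paths:
        try:
            rel = PureWindowsPath(p).relative_to(base)
        except ValueError:
            continue  # outside the profile; the article describes no activity there
        rel_str = str(rel)
        if rel_str.lower() in _ARTIFACTS_CI:
            result["artifacts"].append(rel_str)
            continue
        orig = original_name(p)
        if orig is None:
            continue
        # A _nullbyte file outside the eight target folders deserves a second look.
        bucket = "encrypted" if rel.parts[0] in TARGET_FOLDERS else "out_of_scope"
        result[bucket].append((rel_str, orig))
    return result

SAMPLE_PATHS = [  # constructed listing, not from a real infection
    r"C:\Users\victim\Documents\test.jpg_nullbyte",
    r"C:\Users\victim\Pictures\holiday.png_nullbyte",
    r"C:\Users\victim\Documents\bg.jpg",
    r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost32.exe",
    r"C:\Users\victim\AppData\Local\Temp\cache.bin_nullbyte",
    r"C:\Windows\System32\kernel32.dll",
]
```

The recovered original names give the list of files to hand to the decryptor, and any hit in the `artifacts` bucket points at the Startup-folder persistence that should be removed before reboot.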