The Iran Computer Emergency Response Team Coordination Center (Iran CERTCC) has issued a security alert about a ransomware distribution campaign currently active in the country.
The alert warns users about Tyrant ransomware, a strain spotted by G Data security researcher Karsten Hahn last Monday, October 16.
According to Iran CERTCC, miscreants have spread versions of the Psiphon VPN app laced with Tyrant and are now trying to extort infected users for money.
Victims have 24 hours to pay the equivalent of $15. Tyrant distribution specifically targets Iran, as the ransom note is only available in Farsi and the ransomware uses two local payment processors — exchanging.ir and webmoney724.ir.
The Tyrant ransom note also features two contact methods, the email address rastakhiz@protonmail.com and Telegram username @Ttyperns.
The person behind this attack might not be aware that a cyber-espionage hacking group linked to the Iranian government — codenamed Rocket Kittens — has used a vulnerability to uncover and map out Telegram IDs to users' phone numbers back in the summer of 2016.
Tyrant ransomware part of the DUMB family
Dumb is also the word of the day when it comes to the Tyrant ransomware because Tyrant is a strain of the larger DUMB ransomware family.
Bleeping Computer founder and analyst Lawrence Abrams first spotted this ransomware in January 2017 and then identified a Polish variant in June 2017.
DUMB was considered a "joke" ransomware because its first variants used simplistic XOR encryption and saved the encryption key inside the encrypted file itself. The first DUMB ransomware version was so poorly coded that it self-decrypted when you closed the window showing the ransom note.
DUMB versions are also based on ransomware proof-of-concept code published on GitHub, later forked by others.
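As an added illustration of why the weakness described above (XOR encryption with the key saved inside the encrypted file) leaves files recoverable, the Python below is not code from DUMB, Tyrant or this article: the toy file layout (one key-length byte, the key, then the XOR'd payload) and the sample PNG-like file are assumptions constructed for the demo, and it shows two recovery paths a responder would try, reading the embedded key and deriving the key from a known file header.

```python
# Added illustration, not DUMB's or Tyrant's real code. The on-disk layout
# (1-byte key length, key bytes, then XOR'd payload) is an assumption chosen
# to mirror the article's description, not the actual file format.

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"          # known plaintext every PNG starts with
SAMPLE_FILE = PNG_MAGIC + b"constructed sample body, not a real image"
SAMPLE_KEY = b"s3cret"                     # constructed key for the demo


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same operation encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def toy_wrap(plaintext: bytes, key: bytes) -> bytes:
    """Reproduce the described weakness: the key is written into the output."""
    if not 0 < len(key) < 256:
        raise ValueError("toy layout stores the key length in one byte")
    return bytes([len(key)]) + key + xor_bytes(plaintext, key)


def recover_with_embedded_key(blob: bytes) -> bytes:
    """Recovery path 1: read the key straight back out of the file."""
    klen = blob[0]
    key, body = blob[1:1 + klen], blob[1 + klen:]
    return xor_bytes(body, key)


def recover_with_known_header(body: bytes, known_prefix: bytes, klen: int) -> bytes:
    """Recovery path 2: even if the stored key were stripped, a repeating XOR
    key falls out of any known plaintext (here a file's magic bytes), since
    ciphertext XOR plaintext == key over the first klen bytes."""
    if len(known_prefix) < klen:
        raise ValueError("need at least one full key period of known plaintext")
    key = xor_bytes(body[:klen], known_prefix[:klen])
    return xor_bytes(body, key)


def demo() -> bool:
    """Run both recovery paths on the constructed sample; True if both restore it."""
    blob = toy_wrap(SAMPLE_FILE, SAMPLE_KEY)
    via_key = recover_with_embedded_key(blob)
    body_only = blob[1 + len(SAMPLE_KEY):]
    via_header = recover_with_known_header(body_only, PNG_MAGIC, len(SAMPLE_KEY))
    return via_key == SAMPLE_FILE and via_header == SAMPLE_FILE


if __name__ == "__main__":
    print("both recovery paths restore the sample:", demo())
```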
Researchers investigating if Tyrant is decryptable
Besides translating the ransom note to Farsi, the Tyrant ransomware appears to have undergone few modifications from its original source. Security expert MalwareHunter re-tested Tyrant and says the ransomware is decryptable in the same way as previous DUMB-based variants.
"A joke ransomware, without any protection (I mean obfuscation, pack, etc) used in live attack? Made my day," MalwareHunter jokingly told Bleeping Computer today.
Iran CERTCC analysts also spotted the same low coding quality. "Initial analysis suggests that this is the first version, or trial, of a larger attack because despite the encryption operation, sometimes the [ransomware] does not succeed in encrypting victim files, and moreover, despite the fact that there are many changes in the victim's system registry, it is not able to maintain its functionality after rebooting the system," the Iran CERTCC alert reads.
Besides the Tyrant ransomware alert, Iran CERTCC also issued a warning on the increased usage of RDP connections with weak credentials to install ransomware. Even if issued by Iran CERTCC, this warning should be heeded by organizations in all countries, as RDP has become a favorite method of installing ransomware in high-value enterprise environments across the world.
Article updated with the conclusion of MalwareHunter's tests.


Comments
AlphaDelta - 7 years ago
Hey there my dude, I'm the guy who wrote DUMB.
I wrote the original version of DUMB (which is contained almost entirely in the second commit) because there was a super lame rinky-dink AES ransomware PoC written by a 15-year-old that pretty much exploded in popularity for no reason, so I decided to rewrite an exceedingly more dangerous ransomware PoC in the span of exactly an HOUR to prove that it wasn't really worth the level of popularity it gained (I mean, no malware proof of concept is unless it actually does something new, which neither of ours did save the CreateDesktop feature). It was sort of half serious, half joke, which I decided to go back to a day later and make it look a bit nicer (i.e. remove the part where you had to denounce your religion and agree Islam was the one true religion, which is also in the second commit, removed almost immediately in the fourth commit).
Anyways, the fact that people are actually unironically using DUMB as a base for their ransomware is, well, pretty DUMB. It's not meant to be something workable into a legitimate ransomware as much as it's just showing off the concept of CreateDesktop in a situation like this and the fact that it can be made from scratch in an hour.
Fun fact: The original name pitched in the office was "Don't Underestimate My Botnet"; 'Botnet' was changed to 'Bongos' as part of an ongoing in-joke.