For those who may not be aware, Windows PowerShell is a scripting language from Microsoft designed to help system administrators automate some of the tasks required to run a Windows network. It’s included with Windows 7 and later but can be installed on earlier Windows operating systems too. This latest ransomware uses Windows PowerShell to perform file encryption using "Rijndael symmetric key encryption". This variant also targets Russian users, with a ransom message displayed in the Russian language. Here's how this ransomware works: It arrives as spam containing an HTA file attachment. The HTA file contains a pair of Base64 encoded strings. These are decoded into two scripts that do the bulk of the ransomware’s work. The first script checks whether the system has Windows PowerShell installed. If not, it downloads a copy from a Dropbox.com account and installs it.
The second Base64 decoded string is the PowerShell script that performs the file encryption. It applies "Rijndael symmetric key encryption" through the CreateEncryptor() function called from PowerShell.
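The two-stage HTA layout described above lends itself to a simple triage check for incident responders: pull out long Base64 runs, decode them, and look for the indicators the write-up names (PowerShell, Rijndael, CreateEncryptor, Dropbox). The Python script below is an added example, not Sophos's code or anything taken from the sample; the HTA it scans is constructed for illustration, and the text encoding of the decoded scripts is an assumption.

```python
import base64
import binascii
import re

# Indicators named in the write-up: PowerShell doing Rijndael encryption via
# CreateEncryptor(), and a PowerShell installer fetched from Dropbox.
INDICATORS = ("powershell", "rijndael", "createencryptor", "dropbox.com")
# A run of base64 alphabet at least 40 characters long; shorter runs are noise.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decode_blob(blob):
    """Decode one base64 run to text, or None if it does not decode to text.
    Tries UTF-8 then UTF-16LE (PowerShell's -EncodedCommand encoding); which
    encoding the real sample used is an assumption."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (ValueError, binascii.Error):
        return None
    for enc in ("utf-8", "utf-16-le"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if sum(c.isprintable() or c.isspace() for c in text) >= 0.95 * len(text):
            return text
    return None


def triage_hta(hta_text):
    """Decode every embedded base64 blob and report which indicators it contains."""
    findings = []
    for m in B64_RUN.finditer(hta_text):
        decoded = decode_blob(m.group(0))
        if decoded is None:
            continue
        lowered = decoded.lower()
        findings.append({"offset": m.start(), "preview": decoded[:60],
                         "hits": [i for i in INDICATORS if i in lowered]})
    return {"blobs": len(findings), "findings": findings,
            "suspicious": any(f["hits"] for f in findings)}


# Constructed sample with the described layout: an HTA carrying two base64
# strings, a PowerShell presence check (as a comment) and an encryptor call.
_STAGE1 = "# stage 1 (constructed): check for powershell; if absent, fetch installer from dropbox.com"
_STAGE2 = "$aes = New-Object System.Security.Cryptography.RijndaelManaged; $e = $aes.CreateEncryptor()"
SAMPLE_HTA = "<html><script>var a='%s';var b='%s';</script></html>" % (
    base64.b64encode(_STAGE1.encode()).decode(),
    base64.b64encode(_STAGE2.encode()).decode())
print(triage_hta(SAMPLE_HTA))
```

On a real attachment the decoded previews give an analyst the script text to read without ever executing the HTA.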
As with most file-encrypting ransomware, this one chooses files that may contain information of value to the victim. In this case it targets an extensive list of 163 file types, ranging from documents and spreadsheets to pictures and videos.
The ransom demand takes the form of a text file named READ_ME_NOW.txt, created in each folder that contains encrypted files. The message is in Russian and instructs the victim to visit the webpage shown below.
Translation:
If the user uploads the READ_ME_NOW.txt file as instructed they will be taken to a second page of instructions.
Translation:
At this point the attackers' true aim becomes apparent, and costly: a 10,000 Ruble charge for undoing the damage they have done. (At today's rate 10,000 Rubles converts to about £217, €250, or $326 USD. Not exactly 'priced to sell'.) We have also seen two types of encryption key used by this ransomware.
But there's good news. In both cases the encryption key can be recovered without paying for it. In fact, this can be done using the same PowerShell tool that the attackers used. The first key, a UUID, can be retrieved with this command.
The second with:
Thus the encryption keys can be relatively simple to retrieve for anyone who would rather not pay 10,000 Rubles/£217/€250/$326 to get their files back. We always advise against paying the ransom to the criminals behind ransomware. Even if you pay, there’s no guarantee that they will uphold their end of the bargain. It’s more likely that you’ll be left with a bunch of encrypted files and a lighter wallet. Sophos customers, take note that our security products detect these variants as Troj/Ransom-NY. And if you want to know more about the inner workings of ransomware, why not take a gander at our new technical paper "Ransomware: Next Generation Fake Antivirus" - no registration or Rubles required...