Ransomware uses new trick to make believable threats (April 5th, 2013)
Dell SonicWALL Threats Research team received reports of a Ransomware that threatens the user to pay a huge amount because Department of Homeland Security and FBI have found illegal content on the system. This may sound like a common trait by Ransomwares, but this sample showed a unique characteristic that separates it from others. This Ransomware receives a list of websites from the server and checks if the victim has browsed a website from this list. The lockscreen showed to the user will highlight the visited website in an effort to make the threat more believable.
Infection Cycle:
Upon execution, the Malware creates a copy of itself and drops it at this location:
- %USERPROFILE%Local SettingsApplication DataKBxxxxxxxKBxxxxxxx.exe (7 random digits)
The following changes are made to the registry to show the lockscreen to the user as soon as the system starts:
- HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunKBxxxxxxx “%USERPROFILE%Local SettingsApplication DataKBxxxxxxxKBxxxxxxx.exe”
- HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerRunKBxxxxxxx “%USERPROFILE%Local SettingsApplication DataKBxxxxxxxKBxxxxxxx.exe”
Run keys are not executed in Safe Mode by default so the Malware modifies the Winlogon Shell key in an attempt to load it even in Safe Mode by modifying the following key:
- HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonShell “Explorer.exe, “%USERPROFILE%Local SettingsApplication DataKBxxxxxxxKBxxxxxxx.exe””
It allows websites to execute scripts such as ActiveX, Java or another binary and it disables the built-in popup blocker by modifying the following registry keys:
- HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet SettingsZones12300 “00000000”
- HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet SettingsZones31206 “00000000”
- HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet SettingsZones31809 “00000003”
- HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet SettingsZones32300 “00000000”
To make removal even more difficult, it disables the Task manager and the Registry editor:
- HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesSystemDisableTaskMgr “00000001”
- HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesSystemDisableRegistryTools “00000001”
The Ransomware tries to search and disable AV solutions on the victim system. During our analysis we observed the Ransomware tried to disable the following:
- Bullguard
- Comodo
- Dr.Web
- TrustPoint
The communication between Ransomware and the server can be summarized as follows:
- Informs the server about the infection on a machine using a Unique Identification for every machine
- Gets a list of explicit websites
- Sends the user’s Computer Name that would be used as part of the lockscreen
- Checks if the user’s browser history has any website that matches the URLs from the list
- Render the lockscreen on the users system highlighting the website which matched from the list
- During our analysis no website was mentioned on the lockscreen message if no URL from our computer’s browser history was found matching any of the websites from its list.
This can be seen as a new trick employed by Ransomwares to make the threat more believable for the victim. Most Ransomwares display a lockscreen with a generic message to the user, but pointing a specific website visited by the user may convince him into actually believing that the threat is real.
We expect to see similar customizations to be adopted by different Ransomwares in the near future.
Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:
- GAV: Kovter.A (Trojan)
