RanserKD ransomware uses Imgur to store infection data (Sept 2nd, 2016)


Ransomware continues its steady upward trend and it seems that almost daily there is a new Ransomware family or variant spreading across the internet. The RanSerkD family is fairly recent and is one of the rare families that use large hosting sites such as DropBox or in this case Imgur as part of its infection cycle.

Infection Cycle:

The Trojan uses the following icon:

The Trojan reports infection over UDP to a variety of IP addresses in the 37.x.x.x block:

It also uses an image album hosted on imgur.com to keep track of infections:

The files uploaded to Imgur use valid PNG file format headers in order to be accepted by Imgur’s servers. The rest of the file contains the infected system information and details on files that were encrypted:

The Trojan adds the following files to the filesystem:

  • %USERPROFILE%Local SettingsTempOyowVgCc.exe [Detected as GAV: RanSerKD (Trojan)]
  • %USERPROFILE%Local SettingsTempuoislYbV.html
  • %USERPROFILE%Recent!Recovery_aV26PK.html.lnk
  • %USERPROFILE%Recent!Recovery_aV26PK.txt.lnk
  • %USERPROFILE%Start MenuProgramsStartupFKsDUFe5.lnk

The Trojan encrypts various files on the system and appends “.cry” to their filenames. After encrypting files and deleting desktop icons the following files are dropped onto the desktop:

They contain the following message:

The message refers to a link hosted on the TOR anonymity network. The link provides information on how to pay for retrieving the encrypted files:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: RanSerKD (Trojan)
    • Security News
      The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.