Alma Ransomware delivered via RIG Exploit Kit (March 17, 2017)

The SonicWall Threat Research Team is still observing a steady increase in ransomware. A ransomware variant known as Alma has been observed being delivered via the RIG Exploit Kit to unsuspecting users. Exploit kits such as RIG are often hidden on compromised web servers and are used as part of a drive-by technique to infect visitors. Alma is yet another ransomware variant using the usual techniques for extorting money from infected users.

Infection Cycle:

The authors of the ransomware have tried to make the executable seem genuine by indicating that it was created by Apple Inc.:

The Trojan makes the following POST request to a hidden server on the TOR network:

The request is encoded using base64 encoding. The decoded message is as follows:

      p=OZZHTu0LitDed546XtOj1&a=Windows Defender&t=1489618916&r=hgshsgfh&o=6.3.9600&v=d42889198027beae49&s=2382&l=1033&e=vmnz&u=USER

OZZHTu0LitDed546XtOj1 is the encryption key used to encrypt/decrypt files. d42889198027beae49 is a unique infection ID for this victim. The remaining fields carry data on any installed antivirus software, the Windows version number, the current user and the file extension appended to encrypted files.

Files with the following extensions are targeted for encryption:

      .1cd, .3ds, .3gp, .accdb, .ai, .ape, .asp, .aspx, .bc6, .bc7, .bmp, .cdr, .cer
      .cfg, .cfgx, .cpp, .cr2, .crt, .crw, .csr, .csv, .dbf, .dbx, .dcr, .dfx, .dib
      .djvu, .doc, .docm, .docx, .dwg, .dwt, .dxf, .dxg, .eps, .htm, .html, .ibank
      .indd, .jfif, .jpe, .jpeg, .jpg, .kdc, .kwm, .max, .md, .mdb, .mdf, .odb, .odc
      .odm, .odp, .ods, .odt, .orf, .p12, .p7b, .p7c, .pdf, .pef, .pem, .pfx, .php
      .pl, .png, .pps, .ppt, .pptm, .pptx, .psd, .pst, .pub, .pwm, .py, .qbb, .qbw
      .raw, .rtf, .sln, .sql, .sqlite, .svg, .tif, .tiff, .txt, .vcf, .wallet, .wpd
      .xls, .xlsm, .xlsx, .xml
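The two facts above that an incident responder can act on immediately are the structure of the base64-encoded check-in (which carries the per-victim encryption key, infection ID and the extension given to encrypted files) and the list of targeted extensions. The following Python is an added triage example written for this page, not code from SonicWall or from the malware analysis: it decodes a captured POST body, labels the beacon fields using the meanings stated in the write-up, and then classifies file paths from a host as already encrypted, at risk, or untouched. The field labels, the sample file paths and the assumption that the encrypted-file extension is appended to the original name are ours; the beacon body itself is the one quoted above, re-encoded so the decoder has realistic input.

```python
import base64
import os

# Constructed sample: the decoded beacon quoted in the write-up, re-encoded with
# base64 so decode_beacon() has input in the same form as the captured POST.
SAMPLE_BODY = (
    "p=OZZHTu0LitDed546XtOj1&a=Windows Defender&t=1489618916&r=hgshsgfh"
    "&o=6.3.9600&v=d42889198027beae49&s=2382&l=1033&e=vmnz&u=USER"
)
SAMPLE_POST = base64.b64encode(SAMPLE_BODY.encode()).decode()

# Human-readable labels for the beacon fields whose meaning the write-up gives.
# The label names are our own choice (assumption); unknown keys are kept as-is.
FIELD_LABELS = {
    "p": "encryption_key",
    "v": "infection_id",
    "a": "antivirus",
    "o": "windows_version",
    "u": "user",
    "e": "encrypted_extension",
    "t": "timestamp",
}

# Extensions the write-up lists as targeted for encryption.
TARGETED_EXTENSIONS = frozenset((
    ".1cd .3ds .3gp .accdb .ai .ape .asp .aspx .bc6 .bc7 .bmp .cdr .cer "
    ".cfg .cfgx .cpp .cr2 .crt .crw .csr .csv .dbf .dbx .dcr .dfx .dib "
    ".djvu .doc .docm .docx .dwg .dwt .dxf .dxg .eps .htm .html .ibank "
    ".indd .jfif .jpe .jpeg .jpg .kdc .kwm .max .md .mdb .mdf .odb .odc "
    ".odm .odp .ods .odt .orf .p12 .p7b .p7c .pdf .pef .pem .pfx .php "
    ".pl .png .pps .ppt .pptm .pptx .psd .pst .pub .pwm .py .qbb .qbw "
    ".raw .rtf .sln .sql .sqlite .svg .tif .tiff .txt .vcf .wallet .wpd "
    ".xls .xlsm .xlsx .xml"
).split())


def decode_beacon(post_body: str) -> dict:
    """Base64-decode a captured check-in and return its fields under readable labels."""
    raw = base64.b64decode(post_body).decode("utf-8", errors="replace")
    fields = {}
    for pair in raw.split("&"):
        if "=" not in pair:
            continue  # tolerate malformed fragments rather than abort the triage
        key, value = pair.split("=", 1)
        fields[FIELD_LABELS.get(key, key)] = value
    return fields


def classify_path(path: str, encrypted_ext: str) -> str:
    """Label one path as 'encrypted', 'targeted' or 'untouched'.

    Assumption: the ransomware appends the per-victim extension from the beacon
    (e.g. report.docx -> report.docx.vmnz); a replaced extension is caught too.
    """
    # Normalise Windows separators so this also runs on a Linux analysis box.
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name.endswith("." + encrypted_ext.lower()):
        return "encrypted"
    _, ext = os.path.splitext(name)
    if ext in TARGETED_EXTENSIONS:
        return "targeted"
    return "untouched"


def triage(post_body: str, paths: list) -> dict:
    """Count how many of the given paths fall into each category for this infection."""
    beacon = decode_beacon(post_body)
    counts = {"encrypted": 0, "targeted": 0, "untouched": 0}
    for path in paths:
        counts[classify_path(path, beacon["encrypted_extension"])] += 1
    return counts


# Constructed file listing standing in for a directory walk of the infected host.
SAMPLE_PATHS = [
    r"C:\Users\USER\Documents\budget.xlsx",
    r"C:\Users\USER\Documents\budget.xlsx.vmnz",
    r"C:\Users\USER\Pictures\IMG_0001.JPG",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Users\USER\Documents\notes.txt",
]

if __name__ == "__main__":
    print(decode_beacon(SAMPLE_POST))
    print(triage(SAMPLE_POST, SAMPLE_PATHS))
```

Capturing the beacon from proxy or IDS logs matters beyond triage: because the encryption key travels in the request, a retained copy of that POST body is the one artifact that could make recovery possible, so the decoder should be run against any stored traffic from the affected host before files are touched.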

Upon reverse engineering the executable, the read, encrypt, write and delete functions can be seen without much effort:

The following image is displayed on screen, giving instructions on how to recover encrypted files. At the time of writing, the server had been removed (possibly by authorities) from the TOR network.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: AlmaLocker.A (Trojan)