TrumpLocker makes you pay to bring down its cyber walls (Mar 03, 2017)
It has been clear that Ransomware is here and is not going away anytime soon. This week, SonicWALL Threats research team has received reports of yet another variant calling itself the Trumplocker. Cybercriminals are clearly taking advantage of all the buzz going on around in the news about the current US President’s administration and are using a very common ploy of customizing malware to capitalize on current events.
Infection Cycle:
This Trojan uses the following file properties:
Upon execution, it makes the following DNS query:
And establishes a connection to a remote server:
It also drops the following files:
- %Desktop%RansomNote.exe [Detected as GAV: Trumplocker.A (Trojan)]
- %Desktop%What happen to my files.txt
The file “What happen to my files.txt” contains the instructions on how to pay to get your files back. The note was rather long and reads:
--- The Trump Locker --- Unfortunately, you are hacked. 1. What happened to my files? Your personal files, including your photos, documents, videos and other important files on this computer, have been encrypted with RSA-4096, the strongest encryption algorithm. RSA algorithm generates a public key and a private key for your computer. The public key was used to encrypt your files a moment ago. The private key is necessary for you to decrypt and recover your files. Now, your private key is stored on our secret Internet server. And there is no doubt that no one can recover your files without your private key. For further information about RSA algorithm, please refer to https://en.wikipedia.org/wiki/RSA_(cryptosystem) 2. How to decrypt my files? To decrypt and recover your files, you have to pay #ramt# US Dollars for the private key and decryption service. Please note that you have ONLY 72 HOURS to complete your payment. If your payment do not be completed within time limit, your private key will be deleted automatically by our server. All your files will be permanently encrypted and nobody can recover them. Therefore, it is advised that you'd better not waste your time, because there is no other way to recover your files except making a payment. 3. How to pay for my private key? There are three steps to make a payment and recover your files: 1). For the security of transactions, all the payments must be completed via Bitcoin network. Thus, you need to exchange #ramt# US dollars (or equivalent local currencies) to Bitcoins, and then send these Bitcoins (about #btc# BTC) to the following address. 1N82pq3XovKoJYqUmTrRiXftpNHZyu4jyv 2). Send your personal ID to our official email: TheTrumpLocker@mail2tor.com Your personal ID is: #id# 3). You will receive a decryptor and your private key to recover all your files within one working day. 4. What is Bitcoin? Bitcoin is an innovative payment network and a new kind of money. It is based on an open-source cryptographic protocol that is independent of any central authority. Bitcoins can be transferred through a computer or a smartphone withour an intermediate financial institution. 5. How to make a payment with Bitcoin? You can make a payment with Bitcoin based on Bitcoin Wallet or Based on Perfect Money. You can choose the way that is more convenient for you. About Based on Bitcoin Wallet 1) Create a Bitcoin Wallet. We recommend Blockchain.info (https://blockchain.info/) 2) Buy necessary amount of Bitcoins. Our recommendations are as follows. LocalBitcoins.com -- the fastest and easiest way to buy and sell Bitcoins. CoinCafe.com -- the simplest and fastest way to buy, sell and use Bitcoins. BTCDirect.eu -- the best for Europe. CEX.IO -- Visa / MasterCard CoinMama.com -- Visa / MasterCard HowToBuyBitcoins.info -- discover quickly how to buy and sell Bitcoins in youWr local currency. 3) As mentioned above, send about #btc# BTC (equivalent to #ramt# USD) to our Bitcoin receiving address. 4) As mentioned above, and then, send us your personal ID via email, you will receive your private key soon. About Based on Perfect Money 1) Create a Perfect Money account. (https://perfectmoney.is) 2) Visit to PMBitcoin.com. (https://pmbitcoin.com/btc) input our Bitcoin receiving address in the "Bitcoin Wallet" textbox. input #ramt# in the "Amount" textbox, the amount of Bitcoin will be calculated automatically. click "PAY" button, then you can complete you payment with your Perfect Money account and local debit card. 6. If you have any problem, please feel free to contact us via official email. Best Regards The Trump Locker Team
The trojan changes the desktop wallpaper of the victim machine and displays a warning with instructions on how to pay.
It then executes the file RansomNote.exe which displays a splash page with the photo of the US President. A few seconds later it then switches to another warning page and again with instructions on how to pay.
To ensure that this warning page is displayed upon reboot, it adds the following key to the registry:
- HKCUSoftwareMicrosoftWindowsCurrentVersionRunTheTrumpLocker %Desktop%RansomNote.exe
Because of the prevalence of these types of malware attacks, we urge our users to back up their files regularly.
SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:
- GAV: Trumplocker.A (Trojan)
