Master Ransomware nets $168K so far!

By

The SonicWall Threats Research team has been monitoring a ransomware threat known as Master Ransomware. This ransomware is a variant of BTCWare. Its operation is very simple and follows the classic extortion tactic: encrypt files and demand a ransom to get them back. The important thing to note, however, is that ransomware operators are now demanding ever larger sums for file decryption. In this case, 1 BTC (currently $2701 USD) is required for file decryption.

Infection Cycle:

Upon infection, the Trojan displays the following text on the desktop background:

It also displays the following text file:

The Trojan adds the following key to the registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run DECRYPTINFO %AppData%\Roaming\#_RESTORE_FILES_#!.inf

The Trojan traverses all directories on the system and encrypts files in those directories. It leaves #_RESTORE_FILES_#!.inf in each directory and renames each encrypted file to {original filename}.master. This directory traversal includes any attached network drives and attached external media storage.

It also drops #_RESTORE_FILES_#!.inf onto the desktop:

#_RESTORE_FILES_#!.inf contains a unique ID and instructs the user to send an email with this ID to crypthelp@qq.com in order to receive instructions to decrypt files.
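The three host indicators described above (the DECRYPTINFO Run-key value, the ransom note dropped in every traversed directory, and the .master extension on encrypted files) can be triaged with a short script. The following is an added example written for this alert, not SonicWall's code; the ransom note text and Run-key entries it builds are constructed sample data, and the note's exact format is assumed.

```python
import os
import re
import tempfile

RANSOM_NOTE = "#_RESTORE_FILES_#!.inf"   # note name from the alert
ENCRYPTED_EXT = ".master"                 # extension appended to encrypted files
RUN_VALUE_NAME = "DECRYPTINFO"            # Run-key value name from the alert


def check_run_values(run_values):
    """Return Run-key entries matching the persistence pattern in the alert.
    run_values: dict of value name -> command string, as read from
    HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run."""
    return {n: v for n, v in run_values.items()
            if n.upper() == RUN_VALUE_NAME or v.endswith(RANSOM_NOTE)}


def scan_tree(root):
    """Walk root; collect ransom notes, .master files and contact e-mails in the notes."""
    notes, encrypted, emails = [], [], set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                notes.append(path)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    emails.update(re.findall(r"[\w.+-]+@[\w-]+\.[\w.-]+", fh.read()))
            elif name.endswith(ENCRYPTED_EXT):
                encrypted.append(path)
    return {"notes": notes, "encrypted": encrypted, "emails": sorted(emails)}


def demo():
    """Build a constructed victim tree and run both checks (note wording is invented)."""
    root = tempfile.mkdtemp()
    sub = os.path.join(root, "Documents")
    os.makedirs(sub)
    for d in (root, sub):  # the Trojan leaves one note per traversed directory
        with open(os.path.join(d, RANSOM_NOTE), "w") as fh:
            fh.write("Your ID: 1234ABCD\nContact crypthelp@qq.com to decrypt.\n")
    open(os.path.join(sub, "report.docx.master"), "w").close()  # encrypted file
    open(os.path.join(sub, "notes.txt"), "w").close()           # untouched file
    run_values = {"OneDrive": "C:\\Users\\u\\OneDrive.exe",     # benign entry
                  "DECRYPTINFO": "C:\\Users\\u\\AppData\\Roaming\\" + RANSOM_NOTE}
    return check_run_values(run_values), scan_tree(root)


if __name__ == "__main__":
    print(demo())
```

On a live host, fill run_values from the Run key (for example with Get-ItemProperty in PowerShell) and point scan_tree at each drive root, including mapped network drives, since the Trojan traverses those too.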

We followed these instructions and received the following email:

The email instructs the user to send 1 BTC ($2701 USD at the time of writing) to 1HAvKnunqW8xPjEwRYJjMeYnA5sPCyBvAB.

Although this ransomware is very simple, its operators have been very successful and have netted 62.2 BTC so far. This amounts to $168,000 at the time of writing this alert:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Master.RSM (Trojan)
  • GAV: Master.RSM_2 (Trojan)