Amnesia ransomware continues high payment trend
The SonicWall Capture Labs Threat Research team has recently observed a ransomware threat known as Amnesia. As SonicWall predicted previously, the trend of increasing ransom demands has continued. This time last year, ransom demands averaged only a few hundred US dollars for file decryption. Most ransomware today has raised this amount to around 1 Bitcoin ($2629 at the time of writing this alert), as is the case with the Amnesia ransomware.
Infection Cycle:
The Trojan makes the following DNS request:
iplogger.info
The Trojan adds the following files to the filesystem:
- %APPDATA%\sevnz.exe (copy of original file) [Detected as GAV: Amnesia.RSM (Trojan)]
- IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT (copied into every directory containing encrypted files)
All files that have been encrypted use the following file naming convention:
- {encrypted filename}.[unlocking.guarantee@aol.com]
The Trojan adds the following keys to the registry, the first of which is a unique ID for the infection:
- HKEY_CURRENT_USER\Software\aIYqDubteCKSoK temp “V4IAAAAAAADC0bNIxKaIH7JYV6699fOJvEi=G+RF6TCJ4cJBvLhWQGV+654JtVSw9RvdA56j7BpPGG32Za88GKSdzyey6Po=U+nGtFhb=e7wiDqx2fcJ6T0TZmNts3=uKH88QK1UWGHjigPKSRB4PWg3jiKTMZnFR7NTeH1momxGZguqRAzVlOh592AargphGyo+5o0bx39Uoh=bwM0O3m98fsAejkmm2RUQQYJ7SaBQd2AYI3SCM3JiL4uSCVPlK9EQbhCdhjn18jyDNmVp=nuK5YLLhISwFc5R=1=aZDM16W+xB0orn3okLFvs5LNGDrwEOXIXtUie3KKPgemZolrAZ4v7K0ZKLtJTu6eOY1PBa1hRmDMN1AKj2eSiZLtYSreoRC1KgdcK9fDoJfZL2sr9vdxMwogKCGvnA21YGVVlLLagjp35=ybaIdWlP1A95msz7SyZLpFs6WoJTcvurViRPGgWsUEpMbIy=lV+EJ0T0U1gDSydtsuffYcxyDk2f2rJCr5eIxOrwlIJlIhkDfEcuO=NKfkJZ6efwNwAXIeMXQfUdpg5k2EUu+R6sWOBcnnQkWUXSpZGUildgjL0OS5TXsCs60oLHMcyuMzip2sq7287OnFB8kz7javL9LcxUn2p17wAb7tW2wX3dKRhzL0Lqp5O2Z7uAiOEqmwYES3Ddjlh8gw2vVL4l1Wz7p92=divAAUeWLUte=J2dShKCLJK6ApQ4ct2w6gAfmdSPtc6Ko8dnujq1f6xcOVqTT8FBpqfBy6jd+8TwC1y0ndtHA6+sFBhFD4HDZcvIlguChgzRyK5TKK7l4”
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce aIYqDubteCKSoK “%APPDATA%\sevnz.exe”
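The file-system indicators listed above (the dropped copy, the ransom note and the appended extension) are enough for a simple host sweep. The script below is an added example, not SonicWall's code; it walks a directory tree and reports every Amnesia indicator it finds, using a constructed sample tree rather than real infection data.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the advisory above.
ENCRYPTED_SUFFIX = ".[unlocking.guarantee@aol.com]"
RANSOM_NOTE = "IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT"
DROPPED_COPY = "sevnz.exe"   # dropped under %APPDATA% by the Trojan


def scan_for_amnesia(root):
    """Walk `root` and collect Amnesia file-system indicators.

    Returns a dict with the encrypted files found, the directories that
    contain the ransom note, and any copy of the dropped executable
    (searched everywhere, not only under %APPDATA%).
    """
    hits = {"encrypted": [], "note_dirs": [], "dropped": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name.endswith(ENCRYPTED_SUFFIX):
                hits["encrypted"].append(full)
            elif name == RANSOM_NOTE:
                hits["note_dirs"].append(dirpath)
            elif name.lower() == DROPPED_COPY:
                hits["dropped"].append(full)
    return hits


def build_sample_tree():
    """Constructed sample tree (not real infection data) for a dry run."""
    root = tempfile.mkdtemp(prefix="amnesia_demo_")
    docs = Path(root, "Documents")
    docs.mkdir()
    (docs / ("report.docx" + ENCRYPTED_SUFFIX)).write_bytes(b"\x00" * 16)
    (docs / RANSOM_NOTE).write_text("constructed note\n")
    pictures = Path(root, "Pictures")
    pictures.mkdir()
    (pictures / "holiday.jpg").write_bytes(b"\xff\xd8")  # untouched file
    appdata = Path(root, "AppData", "Roaming")
    appdata.mkdir(parents=True)
    (appdata / DROPPED_COPY).write_bytes(b"MZ")  # placeholder, not malware
    return root


if __name__ == "__main__":
    result = scan_for_amnesia(build_sample_tree())
    for key, items in result.items():
        print(f"{key}: {len(items)}")
```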
The Trojan can be seen utilizing mshta.exe to run JavaScript as part of its infection process:
The infection is reported to the operators by using iplogger.info. The response is a PNG file containing a single pixel:
The following text file is displayed on the screen:
We received the following email after following the instructions in the text file:
As there was no transaction history for the Bitcoin address (12X4P7HVpuhP535uTkETecGvZrV7A7T3oL), it is safe to assume that multiple Bitcoin addresses are used rather than a single address.
The Trojan disabled our ability to reboot the system when run on Windows XP:
SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:
- GAV: Amnesia.RSM (Trojan)
- GAV: Amnesia.RSM_2 (Trojan)