NewShell ransomware spotted in the wild
The SonicWall Threats Research team has observed reports of a new variant of the NewShell ransomware family [GAV: NewShell.RSM] actively spreading in the wild.
NewShell encrypts the victim's files with a strong encryption algorithm and demands a fee in exchange for the key needed to recover them.
![](http://software.sonicwall.com/gav/NewShell.RSM_files/image001.png)
Infection Cycle:
The Trojan adds the following keys to the Windows registry so that it is launched at startup:
![](http://software.sonicwall.com/gav/NewShell.RSM_files/image002.png)
![](http://software.sonicwall.com/gav/NewShell.RSM_files/image003.png)
Once the computer is compromised, the malware copies its own executable to the C:\tmp folder and runs the following commands:
![](http://software.sonicwall.com/gav/NewShell.RSM_files/image004.png)
![](http://software.sonicwall.com/gav/NewShell.RSM_files/image005.png)
The malware downloads the following image from its own server and sets it as the desktop wallpaper:
![](http://software.sonicwall.com/gav/NewShell.RSM_files/image006.png)
![](http://software.sonicwall.com/gav/NewShell.RSM_files/image007.png)
After encrypting the victim's personal documents and other files, the malware displays the following web page:
![](http://software.sonicwall.com/gav/NewShell.RSM_files/image008.png)
![](http://software.sonicwall.com/gav/NewShell.RSM_files/image009.png)
It demands that victims pay in Bitcoin to receive the decryption key that allows them to recover their files.
The malware appends the ‘.enc’ extension to every file it encrypts.
![](http://software.sonicwall.com/gav/NewShell.RSM_files/image010.png)
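The appended ‘.enc’ extension is the one host-level indicator this write-up spells out in text, so it is the natural starting point for scoping an infection during incident response. The script below is an added triage example written for this page; it is not SonicWall's code and was not derived from the sample. It assumes only what the text states (the malware appends ‘.enc’ to the original filename, leaving the rest of the name intact), walks a directory tree, reports how many files carry the extension and where they cluster, and reconstructs the pre-encryption names for a damage list. The directory layout it scans is constructed inline for illustration. Note the caveat: some legitimate tools also produce ‘.enc’ files, so a hit is a lead to confirm against the registry keys and C:\tmp copy described above, not proof of infection on its own.

```python
"""Triage helper: find files carrying the '.enc' extension this advisory
describes and summarise how far the encryption sweep reached.

Added example for this write-up (not SonicWall's code). It assumes only
what the text states: the malware appends '.enc' to each encrypted file.
The sample tree built below is constructed for illustration.
"""
import os
import tempfile
from collections import Counter
from pathlib import Path

ENC_SUFFIX = ".enc"   # extension the advisory reports being appended


def find_encrypted(root):
    """Return every file under root whose name ends with '.enc'."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ENC_SUFFIX):
                hits.append(Path(dirpath) / name)
    return sorted(hits)


def original_name(path):
    """Recover the pre-encryption filename by stripping the appended suffix."""
    p = Path(path)
    return p.with_name(p.name[: -len(ENC_SUFFIX)])


def summarise(root):
    """Count encrypted files, their share of all files, and their spread per directory."""
    root = Path(root)
    hits = find_encrypted(root)
    total = sum(len(files) for _, _, files in os.walk(root))
    per_dir = Counter(h.parent.relative_to(root).as_posix() for h in hits)
    return {
        "encrypted": len(hits),
        "total_files": total,
        # share of files hit: a high ratio in user data folders points at a sweep
        "ratio": round(len(hits) / total, 2) if total else 0.0,
        "per_dir": dict(per_dir),
        # damage list in terms of the names the victim knows
        "originals": sorted(original_name(h).relative_to(root).as_posix() for h in hits),
    }


def build_sample_tree():
    """Constructed sample: a small user profile after an imaginary run.
    Contents are placeholders; only the names matter for the scan."""
    root = Path(tempfile.mkdtemp(prefix="newshell_triage_"))
    layout = {
        "Documents/budget.xlsx.enc": b"\x00" * 16,
        "Documents/thesis.docx.enc": b"\x00" * 16,
        "Pictures/holiday.jpg.enc": b"\x00" * 16,
        "Pictures/readme.txt": b"plain text, untouched",
        "Downloads/setup.exe": b"MZ",
    }
    for rel, data in layout.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    report = summarise(sample_root)
    print(f"{report['encrypted']} of {report['total_files']} files encrypted "
          f"(ratio {report['ratio']})")
    for folder, count in sorted(report["per_dir"].items()):
        print(f"  {folder}: {count}")
    print("affected originals:", ", ".join(report["originals"]))
```

Run it against a mounted image of the victim's profile instead of the constructed tree to get a per-folder picture of what was hit; the `originals` list is what you hand to the owner to check against backups.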
Command and Control (C&C) Traffic
NewShell performs its C&C communication over HTTP.
The malware sends HTTP requests to its C&C server in the following format; here is an example:
![](http://software.sonicwall.com/gav/NewShell.RSM_files/image011.png)
SonicWall Gateway AntiVirus provides protection against this threat via the following signatures:
- GAV: NewShell.RSM (Trojan)