Ransomware asking for nudes instead of bitcoins


The SonicWall Capture Labs Threat Research team receives reports of ransomware daily and new strains seem to pop up everyday. This week we analyzed this malware called NRansom. But unlike most of the ransomwares we have seen in the past, NRansom is asking its victim to send nude pictures instead of demanding payment in cryptocurrency.

Infection Cycle:

Upon execution, it drops the following files in the temp directory:

  • %temp%/***.tmp/nransom.exe [Detected as GAV: NRansom.RSM (Trojan) ]
  • %temp%/***.tmp/Interop.WMPLib.dll (non-malicious file: Windows Media Player control library)
  • %temp%/***.tmp/AxInterop.WMPLib.dl (non-malicious file: Windows Media Player control library)
  • %temp%/***.tmp/Tools/your-mom-gay.mp3 (non malicious audio file)

It then spawns cmd.exe to execute nransom.exe file:

What is unique about this ransomware is that it demands the victim to send at least 10 nude pictures in exchange for an unlock code.

We found that it plays the audio file that it created in the temp directory in a loop. It is the music called Frolic by the artist, Luciano Michelini.

Although during our analysis, this malware did not really encrypt any of the files in the machine, so it appears to be a hoax.

Nevertheless, because of the prevalence of these types of malware attacks, we still strongly urge our users to back up their files regularly.

SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: NRansom.RSM (Trojan)
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.