DesuCrypt variant named InsaneCrypt spotted in the wild

The SonicWall Capture Labs Threat Research team has come across a variant of the DesuCrypt ransomware called InsaneCrypt. This variant uses RC4 encryption and encrypts files immediately upon execution. Unlike earlier ransomware, there are no threatening countdown timers or ransom payment amounts presented to the victim up front. Instead, as is the growing trend with most ransomware today, the victim must contact the operator by email for further instructions.

Infection Cycle:

Upon infection, the following prompt is shown as files are being encrypted:

The Trojan makes the following changes to the file system:

  • encrypts files and appends .[insane@airmail.cc].insane to their names
  • writes How_decrypt_files.txt (in every directory containing encrypted files)
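The two file-system indicators above are what an analyst looks for first on a suspected host or share. The following triage helper is an added example, not code from the SonicWall write-up: it walks a directory tree, lists files carrying the `.[insane@airmail.cc].insane` suffix, recovers their original names, and flags directories that hold encrypted files but no `How_decrypt_files.txt` note (an interrupted run, or a note under another name). The sample tree it builds in a temporary directory is constructed for the demonstration.

```python
"""Added triage example (not SonicWall code): report InsaneCrypt file-system indicators."""
import os
import tempfile
from pathlib import Path

# Both indicators are taken from the write-up above.
ENCRYPTED_SUFFIX = ".[insane@airmail.cc].insane"
RANSOM_NOTE = "How_decrypt_files.txt"


def scan_tree(root):
    """Return (encrypted_files, note_dirs, dirs_missing_note) for a directory tree.

    dirs_missing_note lists directories that contain renamed files but no ransom
    note, which is worth a second look during incident response.
    """
    encrypted, note_dirs = [], set()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(ENCRYPTED_SUFFIX):
                encrypted.append(os.path.join(dirpath, name))
            elif name == RANSOM_NOTE:
                note_dirs.add(dirpath)
    dirs_with_encrypted = {os.path.dirname(p) for p in encrypted}
    missing = sorted(dirs_with_encrypted - note_dirs)
    return encrypted, sorted(note_dirs), missing


def original_name(path):
    """Strip the appended suffix to recover the pre-encryption file name."""
    name = os.path.basename(path)
    if name.endswith(ENCRYPTED_SUFFIX):
        return name[: -len(ENCRYPTED_SUFFIX)]
    return name


def build_sample_tree():
    """Create a constructed sample tree that mimics an affected user profile."""
    root = Path(tempfile.mkdtemp(prefix="insanecrypt_demo_"))
    docs = root / "Documents"
    pics = root / "Pictures"
    docs.mkdir()
    pics.mkdir()
    # Placeholder ciphertext bodies; only the names matter for this scan.
    (docs / ("report.docx" + ENCRYPTED_SUFFIX)).write_bytes(b"\x00" * 16)
    (docs / ("budget.xlsx" + ENCRYPTED_SUFFIX)).write_bytes(b"\x00" * 16)
    (docs / RANSOM_NOTE).write_text("constructed ransom note placeholder\n")
    (pics / ("holiday.jpg" + ENCRYPTED_SUFFIX)).write_bytes(b"\x00" * 16)
    (root / "readme.txt").write_text("untouched file\n")
    return str(root)


def demo():
    """Build the sample tree, scan it and summarise the findings."""
    root = build_sample_tree()
    encrypted, note_dirs, missing = scan_tree(root)
    return {
        "encrypted": len(encrypted),
        "note_dirs": len(note_dirs),
        "missing_note": [os.path.relpath(d, root) for d in missing],
        "originals": sorted(original_name(p) for p in encrypted),
    }


if __name__ == "__main__":
    print(demo())
```

Run against a real tree, the `originals` list doubles as the restore manifest once clean copies are located in backups.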

The Trojan uses RC4 public-key cryptography. The public key used to encrypt files can be found in the executable module:
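A key that can be read out of the executable is significant because RC4 is a symmetric stream cipher: the same key that produced the ciphertext reverses it, so a hardcoded key is the first thing to check when assessing whether victims can recover files without paying. The minimal RC4 below (key scheduling plus keystream generation) is an added example, not code from the sample or from SonicWall, and the `extracted_key` bytes are a constructed placeholder rather than the real key from the binary.

```python
"""Added example (not from the sample or SonicWall): RC4 and why an embedded key matters."""


def rc4_keystream(key: bytes):
    """Yield RC4 keystream bytes for the given key (KSA followed by PRGA)."""
    # Key-scheduling algorithm: permute 0..255 under the key.
    s = list(range(256))
    j = 0
    klen = len(key)
    for i in range(256):
        j = (j + s[i] + key[i % klen]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm: emit one keystream byte per step.
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt: XOR with the keystream is its own inverse."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def recover_file(ciphertext: bytes, extracted_key: bytes) -> bytes:
    """With a key recovered from the binary, recovery is a second RC4 pass."""
    return rc4(extracted_key, ciphertext)


def demo() -> bool:
    """Encrypt a constructed document and show the embedded key decrypts it."""
    extracted_key = b"PLACEHOLDER-KEY-FROM-BINARY"  # constructed, not the real key
    original = b"Quarterly report, internal draft."
    encrypted = rc4(extracted_key, original)
    recovered = recover_file(encrypted, extracted_key)
    return encrypted != original and recovered == original


if __name__ == "__main__":
    print("embedded key recovers plaintext:", demo())
```

If the key were instead generated per victim and only sent to the operator, a second pass with bytes from the binary would yield garbage, which is exactly the distinction an analyst is trying to establish when they locate key material in the module.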

In addition to the file-system activity mentioned above, the Trojan deletes any shadow copies on the system to prevent file restoration. It also searches for any attached external drives:

How_decrypt_files.txt contains the following information:

Hello!If you want restore your files write on email - insane@airmail.cc

We contacted insane@airmail.cc and received the following response:

At the time of writing 0.2 BTC is worth $1713 USD.

We submitted a file for proof of decryption and received the following response:

Assuming that the screenshot was taken a few minutes before being sent, it is interesting to note that the attacker may be operating in the PST timezone.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • InsaneCrypt.RSM
  • InsaneCrypt.RSM_2
  • BTCWare.RSM_4
