desuCrypt variant named InsaneCrypt spotted in the wild


The Sonicwall Capture Labs Threats Research team have come across a variant of the DesuCrypt ransomware called InsaneCrypt. This variant uses RC4 encryption and encrypts files immediately upon execution. Unlike earlier ransomware, there are no threatening countdown timers and ransom payments amounts immediately presented to the victim. Instead, as is the growing trend with most ransomware today, the victim must communicate with the operator via email for further instructions.

Infection Cycle:

Upon infection, the following prompt is shown as files are being encrypted:

The Trojan makes the following changes the file system:

  • encrypts files and appends .[].insane to their names
  • writes How_decrypt_files.txt (in every directory containing encrypted files)

The Trojan uses RC4 Public-key cryptography. The public key that is used to encrypt files can be find in the executable module:

As well as the filesystem activity mentioned above the Trojan deletes any Shadow copies on the system to prevent file restoration. It also searches for any attached external drives:

How_decrypt_files.txt contains the following information:

Hello!If you want restore your files write on email -

We contacted and received the following response:

At the time of writing 0.2 BTC is worth $1713 USD.

We submitted a file for proof of decryption and received the following response:

Assuming that the screenshot was taken a few minutes before being sent, it is interesting to note that the attacker may be operating in the PST timezone.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • InsaneCrypt.RSM
  • InsaneCrypt.RSM_2
  • BTCWare.RSM_4


Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.