Rekensom Ransomware actively spreading in the wild


SonicWall Capture Labs Threat Research Team recently found a new RekenSom Ransomware.

Injection Cycle.

At the onset of execution, a named mutex “Rekensom” is created to ensure only one instance of the sample is running.

To get the most CPU cycles, it sets thread priority to highest.

Adding an entry to the “RunOnce” in the Registry or startup folder will cause the program referenced to be executed when a user logs in.

This particular variant targets logged-in user’s Desktop folder. Files with specific file extensions from the Desktop folder are chosen for encryption.

It uses symmetric encryption algorithm AES for encrypting the target files. Plaintext buffer is populated first with the file’s content followed by the name of the file which is being encrypted

Infected files are later renamed to “Encrypted{variable}.som”. The variable component only contains ‘-‘ character and the length could vary from 6 to 12 characters.
Because of this code flaw, only ‘6’ files could be recovered as other files would be overwritten.

Waiting time of 500 ms has been added before the next file is targeted, this could help evade some behavioral detection technologies.

And once all the file are encrypted it displays the below note.

Some part of the code has been used from the OpenSource Ghack ransomware project, which is still available on GitHub.

SonicWall Capture Labs provides protection against this threat via the following signature:

GAV: MalAgent.H_16015 (Trojan)

This threat is also detected by SonicWALL Capture ATP.

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.