Instabot ransomware demands $490 in Bitcoin after 50% discount


The SonicWall Capture Labs threat research team have come across new ransomware known to the antivirus community as Instabot.  It is actively spreading and the webserver used by the operators is currently online at the time of writing.  The operators charge $980 in Bitcoin for file recovery but, also offer a 50% discount if payment is made within 72 hours.

Infection Cycle:

The malware uses the following icon:

The malware makes the following DNS request:


The malware reports the infection to a remote server.  This includes the public key:

Requests are made to a remote server to download additional malware.  Not all requests were successful:




The following files are added to the filesystem:

  • %APPDATA%\cef8b3be-77de-4842-b1ba-45fe8e197331\{original filename}.exe
  • %APPDATA%\456888e5-7040-4fd5-8f4b-c39f07380640\updatewin1.exe [Detected as: GAV: Instabot.RSM_7 (Trojan) ]
  • %APPDATA%\456888e5-7040-4fd5-8f4b-c39f07380640\updatewin2.exe [Detected as: GAV: Instabot.RSM_8 (Trojan) ]
  • _readme.txt (copied into directories where files were encrypted)

Encrypted files are given a .sqpc extension.

_readme.txt contains the ransom message shown below.  It demands $490 USD for file recovery after a 50% discount:

We reached out to the operators via email and received the following response:

In the email message, a link to a video demonstrating how to use the decryption tool is provided.  The following are some screenshots from the video:

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Instabot.RSM_7 (Trojan)
  • GAV: Instabot.RSM_8 (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.