Exorcist ransomware casts triple punishment for non-payment. CIS countries spared.


The SonicWall Capture Labs threat research team have observed reports of new ransomware named Exorcist.  It is reported to have surfaced over the past week on an underground Russian forum using the ransomware-as-a-service (RaaS) model with 30% commission retained by the creator.  The initial cost of file retrieval is $500 USD (in Bitcoin) but, increases by a factor of 3 if payment is not made within 48 hours.


Infection Cycle:


Upon infection, files on the system are encrypted and given a random six character ([A-Z][a-z]) extension eg. “.GyQUfe”.  The following image is displayed on the desktop background:


The malware drops the following files onto the system:

  • %APPDATA%\Local\Temp\boot.sys (0 bytes)
  • %APPDATA%\Local\Temp\msdt (0 bytes)
  • %APPDATA%\Local\Temp\d.bmp
  • GyQUfe-decrypt.hta (all dirs containing encrypted files)


d.bmp contains the image that is displayed on the desktop background.


GyQUfe-decrypt.hta contains the following message:


hxxp:// and hxxp://4dnd3utjsmm2zcsb.onion/pay lead to the following pages:


The infection is reported to the same webserver ( along with encrypted information:


Disassembling the code reveals the ability to disable various system recovery methods:


It also contains a list of processes to kill so that any related important files are no longer held exclusively open by such processes and can thus be encrypted:


Before infection, the malware performs a check to avoid encrypting systems in CIS (Commonwealth of Independent States) countries:


The malware states that the ransom fee will be tripled if payment is not made on time.  We confirmed this after checking back a few days later:


SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Exorcist.RSM_2 (Trojan)
  • GAV: Blackheart.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.


Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.