Payola ransomware operator demands remote access to PC


The SonicWall threat research team has recently been tracking a new ransomware family called Payola. This family of ransomware appeared in late August 2023. It is written in .NET and is easy to analyze, as it contains no obfuscation. Early variants would append ".Payola" to the names of encrypted files, but the current variants use 5 random alphanumeric characters. During a direct conversation with the malware operator, the operator requested remote access to our system in order to retrieve the files.

Infection Cycle:

The malware uses the following icon:

Upon execution, the following message is shown on the desktop background:

Files on the system are encrypted. Each encrypted file is given a 5-character alphanumeric extension appended to its name, e.g. image.jpg.PTebc.

The following registry entry is made:

  • HKCU\Microsoft\Windows\CurrentVersion\Run Readme {run location}

A file named README.html is dropped into directories where files were encrypted. It contains the following message:
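As an added defender-side example (not SonicWall's code), the following Python heuristic scans a file listing for the two on-disk indicators described above: the appended 5-character alphanumeric extension (or the early ".Payola" suffix) on files that still carry their original extension, and a README.html note in the same directory. The benign-extension list and the sample paths are constructed assumptions.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Indicators from the write-up: early builds appended ".Payola"; current builds append
# 5 random alphanumeric characters (image.jpg.PTebc) and drop README.html alongside.
EARLY_EXT = ".payola"
RANDOM_EXT = re.compile(r"^\.[A-Za-z0-9]{5}$")
NOTE_NAME = "readme.html"
# Legitimate 5-character extensions to ignore (assumed list; extend as needed).
BENIGN_5CHAR = {".jpeg", ".mpeg", ".class", ".woff2", ".xhtml"}
MIN_HITS = 2  # hits needed to flag a directory that has no ransom note

def looks_encrypted(name):
    """True if an original extension is still present with a Payola-style suffix appended."""
    suffixes = PureWindowsPath(name).suffixes
    if len(suffixes) < 2:
        return False  # nothing was appended to an existing extension
    last = suffixes[-1]
    if last.lower() == EARLY_EXT:
        return True
    return bool(RANDOM_EXT.match(last)) and last.lower() not in BENIGN_5CHAR

def find_payola_candidates(paths):
    """Return {directory: [suspect files]} for directories with note+hit, ".Payola", or MIN_HITS."""
    hits, notes = defaultdict(list), set()
    for p in paths:
        wp = PureWindowsPath(p)
        folder = str(wp.parent)
        if wp.name.lower() == NOTE_NAME:
            notes.add(folder)
        elif looks_encrypted(wp.name):
            hits[folder].append(wp.name)
    flagged = {}
    for folder, files in hits.items():
        early = any(f.lower().endswith(EARLY_EXT) for f in files)
        if folder in notes or early or len(files) >= MIN_HITS:
            flagged[folder] = sorted(files)
    return flagged

# Constructed sample listing (not from a real infection).
SAMPLE = [
    r"C:\Users\alice\Documents\report.docx.Kq9xZ",
    r"C:\Users\alice\Documents\budget.xlsx.Kq9xZ",
    r"C:\Users\alice\Documents\README.html",
    r"C:\Users\alice\Pictures\holiday.jpg.PTebc",
    r"C:\Users\alice\Pictures\README.html",
    r"C:\Users\bob\old\invoice.pdf.Payola",
]
```

Run `find_payola_candidates` over a real directory walk to triage which folders to isolate and restore from backup first.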

The code is written in .NET and is trivial to decompile. We can easily see its main function and the intended program flow:

The RSA public key and salt values can be seen:

The malware contains a list of programs that will be killed if running:

A list of targeted directories and file types is present in the code:

We followed the instructions in the ransom note and got in touch with the operator. We had the following conversation via email, in which the operator demanded remote access to our system using AnyDesk:

SonicWall Capture Labs provides protection against this threat via the following signature:

GAV: Payola.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP with RTDMI and the Capture Client endpoint solutions.
