Uransomware encrypts and leaves victims stranded

The SonicWall Capture Labs threat research team has been tracking a new ransomware family known as Uransomware. This ransomware appears to be in early development. The sample we analyzed does not ask for payment for file retrieval and does not provide any instructions or operator contact information, both of which are typical of most ransomware. It is written in .NET and contains no obfuscation, which makes it trivial to decompile and analyze.

Infection Cycle:

After disassembling the malware code, we can see the intended program flow:



After encryption, the malware runs dle.bat to remove traces of itself:



The malware contains code to inject itself into other processes. However, this was not seen during our analysis. Instead, an embedded exe file is written to disk after being Base64-decoded:



It writes the file to C:\Temp\uransomware20.exe and executes it:



This malware module spawns multiple copies of svchost.exe and encrypts files:



Files are encrypted and then Base64-encoded, with the public key wrapped in an XML-like tag at the beginning of the file:



After file encryption, read_it.txt is written to all directories where files were encrypted. It contains the following text:



The names of encrypted files are given a .markus extension. After disassembling uransomware20.exe, we can see a list of file extensions targeted for encryption:
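The three on-disk indicators described above (the key tag at the head of each encrypted file followed by a Base64 body, the read_it.txt note, and the .markus extension) are enough to write a triage check that flags affected files during incident response. The script below is an added example and is not SonicWall's code or part of the sample; the .markus extension and read_it.txt name are taken from the analysis, while the exact tag name is an assumption: .NET's RSA.ToXmlString() produces `<RSAKeyValue>...</RSAKeyValue>`, so the parser accepts any single outer XML-like tag rather than hard-coding one. All inputs are constructed in the script.

```python
import base64
import binascii
import re
from pathlib import PurePath

# Triage rules. The .markus extension and the read_it.txt note come from the
# analysis above; the header tag is an ASSUMPTION: .NET's RSA.ToXmlString()
# emits <RSAKeyValue>...</RSAKeyValue>, so the matcher accepts any single
# outer xml-like tag rather than hard-coding a name the sample may not use.
ENCRYPTED_EXT = ".markus"
NOTE_NAME = "read_it.txt"
HEADER_RE = re.compile(rb"^\s*<(?P<tag>[A-Za-z][A-Za-z0-9]*)>.*?</(?P=tag)>\s*", re.DOTALL)
BODY_RE = re.compile(rb"^[A-Za-z0-9+/\r\n]+={0,2}\s*$")


def parse_encrypted_file(data: bytes):
    """Return (tag, header_bytes, ciphertext) if data has the described layout
    (xml-like key tag, then a Base64 body), otherwise None."""
    m = HEADER_RE.match(data)
    if m is None:
        return None
    body = data[m.end():]
    if not BODY_RE.match(body):
        return None
    try:
        ciphertext = base64.b64decode(body)
    except binascii.Error:
        return None
    return m.group("tag").decode("ascii"), m.group(0).strip(), ciphertext


def triage(files):
    """files: iterable of (path, content bytes). Returns {path: [indicators]}
    for every file that matches at least one indicator."""
    findings = {}
    for path, data in files:
        p = PurePath(path)
        hits = []
        if p.suffix.lower() == ENCRYPTED_EXT:
            hits.append("markus-extension")
        if p.name.lower() == NOTE_NAME:
            hits.append("ransom-note")
        parsed = parse_encrypted_file(data)
        if parsed is not None:
            tag, _header, ciphertext = parsed
            hits.append(f"tagged-base64-body:{tag}:{len(ciphertext)}B")
        if hits:
            findings[str(path)] = hits
    return findings


def build_sample_file(tag: str, ciphertext: bytes) -> bytes:
    """Constructed sample laid out like the described encrypted output:
    a key tag followed by the Base64 of the (fake) ciphertext."""
    header = f"<{tag}><Modulus>AAAA</Modulus><Exponent>AQAB</Exponent></{tag}>".encode()
    return header + base64.b64encode(ciphertext)


# Constructed inputs: one encrypted document, one note (body is a placeholder,
# the real note text is not reproduced here), one untouched text file.
SAMPLE_FILES = [
    ("C:/Users/demo/Documents/budget.xlsx.markus",
     build_sample_file("RSAKeyValue", b"\x01\x02\x03\x04" * 8)),
    ("C:/Users/demo/Documents/read_it.txt", b"(constructed placeholder note body)"),
    ("C:/Users/demo/Documents/notes.txt", b"plain text that was never touched"),
]


def triage_samples():
    return triage(SAMPLE_FILES)


if __name__ == "__main__":
    for path, hits in triage_samples().items():
        print(path, "->", ", ".join(hits))
```

On a live host the `SAMPLE_FILES` list would be replaced by a walk over the user and share directories; the body check is deliberately loose (any outer tag, any Base64 body) so a renamed or slightly changed variant still shows up, at the cost of the occasional XML file with a Base64 payload being flagged for a human to look at.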




We can also see a list of targeted directories:



It contains a function called spreadIt() which targets attached storage media and network drives:




It also contains functions to disable system recovery and delete backups:



The malware contains another large array of Base64-encoded bytes:



After decoding, this turns out to be a JPEG image file:



This image file is written to disk and displayed as the desktop background wallpaper:
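Because the sample is unobfuscated .NET, both embedded resources (the exe dropped to C:\Temp\uransomware20.exe and the wallpaper JPEG) sit in the decompiled source as long Base64 string literals. The script below is an added example, not SonicWall's tooling or code from the sample: it pulls every long Base64 literal out of decompiled text, decodes it and labels it by its leading magic bytes, so an analyst can inventory what a build carries before running anything. The decompiled text it scans is a constructed stand-in, and the MZ and JFIF blobs inside it are fake headers built in the script.

```python
import base64
import binascii
import re

# Shortest string literal worth decoding; shorter Base64 strings are usually
# settings or keys rather than embedded files.
MIN_BLOB_CHARS = 32
# Quoted Base64 literals, the form a decompiled .NET string constant takes.
LITERAL_RE = re.compile(r'"([A-Za-z0-9+/=]{%d,})"' % MIN_BLOB_CHARS)

# File-type magic bytes checked against the decoded blob.
MAGIC = [
    (b"MZ", "pe-executable"),
    (b"\xff\xd8\xff", "jpeg-image"),
    (b"\x89PNG\r\n\x1a\n", "png-image"),
    (b"PK\x03\x04", "zip-archive"),
]


def classify(blob: bytes) -> str:
    """Label a decoded blob by its leading magic bytes."""
    for magic, label in MAGIC:
        if blob.startswith(magic):
            return label
    return "unknown"


def extract_embedded_payloads(source: str):
    """Return (offset, label, size) for every long Base64 literal in source
    that decodes cleanly, so an analyst can see what a sample carries
    without running it."""
    found = []
    for m in LITERAL_RE.finditer(source):
        try:
            blob = base64.b64decode(m.group(1), validate=True)
        except binascii.Error:
            continue  # looked like Base64 but was not; skip it
        found.append((m.start(), classify(blob), len(blob)))
    return found


def build_fake_pe() -> bytes:
    """Constructed: an MZ stub that is not a runnable program."""
    return b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 40


def build_fake_jpeg() -> bytes:
    """Constructed: a JFIF header and end marker around zero bytes."""
    return b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64 + b"\xff\xd9"


# Constructed stand-in for decompiled source; the C:\Temp path is the one
# named in the analysis above, the literals are the fake blobs built here.
SAMPLE_SOURCE = (
    'byte[] payload = Convert.FromBase64String("%s");\n'
    'File.WriteAllBytes(@"C:\\Temp\\uransomware20.exe", payload);\n'
    'byte[] wallpaper = Convert.FromBase64String("%s");\n'
    'string marker = "short";\n'
) % (base64.b64encode(build_fake_pe()).decode(),
     base64.b64encode(build_fake_jpeg()).decode())


if __name__ == "__main__":
    for offset, label, size in extract_embedded_payloads(SAMPLE_SOURCE):
        print(f"offset {offset}: {label}, {size} bytes")
```

Run against real decompiler output, the same function gives an inventory of embedded files and their types; an `unknown` label on a large blob is itself worth a look, since it usually means a second layer of encoding or a custom container.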



SonicWall Capture Labs provides protection against this threat via the following signature:

GAV: Uransomware20.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.
