Wessy Ransomware Bears Striking Similarities to Uransomware

The SonicWall Capture Labs threat research team has been tracking ransomware that encrypts files and claims to charge only $100 for file retrieval. It is written in .NET and obfuscated using Eziriz's .NET Reactor. However, it is trivial to de-obfuscate and decompile using open-source tools. It is believed that this malware is from the same family as Uransomware (which we discussed in a previous blog post). Uransomware did not use obfuscation, but the code is very similar.

Infection Cycle

The code contains a region check which queries the current input language:

Figure 1: Query

If the specified region is detected, a message box stating “Forbidden Country” is shown on the desktop and the program exits:

Figure 2: Forbidden Country message

If this region is not detected, the malware encrypts files on the system and appends “.wessy” to the filenames.

The code is obfuscated using software called Eziriz's .NET Reactor. This is used to prevent disassembly of the malware and hinder reverse engineering:

Figure 3: Obfuscation

The obfuscation is easy to reverse by using an open-source tool called NETReactorSlayer by SychicBoy on GitHub.  A single command de-obfuscates the code and another single command using ILSpy decompiles it.  After this, the malware’s underlying functionality is revealed.

A ransom note is present in the deobfuscated code:

Figure 4: Ransom note

This message is written to READ_ME.txt:

Figure 5: READ_ME.txt

READ_ME.txt is dropped into all directories that contain encrypted files.
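The two on-disk indicators described above (the “.wessy” extension and READ_ME.txt dropped beside encrypted files) can be correlated during incident triage. The following Python script is an added example written for this post, not code from the SonicWall analysis or the malware; it builds a constructed sample directory tree and reports which directories hold encrypted files, which hold the note, and where the two disagree.

```python
import os
import tempfile
from collections import defaultdict
from pathlib import Path

# Indicators taken from the analysis above.
ENCRYPTED_EXT = ".wessy"
NOTE_NAME = "READ_ME.txt"


def triage_tree(root):
    """Walk a tree and correlate Wessy indicators per directory.

    Returns a dict with:
      encrypted:               {directory: number of *.wessy files}
      notes:                   directories containing READ_ME.txt
      notes_without_encrypted: note present but no encrypted files
      encrypted_without_note:  encrypted files but no note (interrupted
                               run or a note that was later removed)
    """
    encrypted = defaultdict(int)
    notes = set()
    for dirpath, _dirnames, filenames in os.walk(Path(root)):
        d = Path(dirpath)
        for name in filenames:
            if name == NOTE_NAME:
                notes.add(d)
            elif name.lower().endswith(ENCRYPTED_EXT):
                encrypted[d] += 1
    return {
        "encrypted": dict(encrypted),
        "notes": notes,
        "notes_without_encrypted": notes - set(encrypted),
        "encrypted_without_note": set(encrypted) - notes,
    }


def build_sample_tree():
    """Create a constructed sample tree (test data, not a real infection)."""
    base = Path(tempfile.mkdtemp(prefix="wessy_triage_"))
    docs, pics, clean = base / "Documents", base / "Pictures", base / "Clean"
    for d in (docs, pics, clean):
        d.mkdir()
    (docs / "report.docx.wessy").write_bytes(b"\x00" * 16)
    (docs / "budget.xlsx.wessy").write_bytes(b"\x00" * 16)
    (docs / NOTE_NAME).write_text("ransom note placeholder")
    (pics / "holiday.jpg.wessy").write_bytes(b"\x00" * 16)  # no note dropped here
    (clean / "notes.txt").write_text("untouched")
    return base


if __name__ == "__main__":
    result = triage_tree(build_sample_tree())
    for d, n in sorted(result["encrypted"].items()):
        print(f"{d}: {n} encrypted file(s)")
    print("encrypted dirs missing the note:", sorted(result["encrypted_without_note"]))
```

Point `triage_tree` at a mounted image or a user profile to get a per-directory count of encrypted files and the list of directories where the note is missing.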

The following image is displayed on the desktop background:

Figure 6: Desktop background image

The malware contains a list of files to ignore:

Figure 7: List of files to ignore

The following file types are targeted for encryption:

Figure 8: Encryption targets

The malware contains a list of targeted directories:

Figure 9: Targeted directories

In order to disable system backups, the following applications are killed if they are running on the system:

Figure 10: Process kill list

The malware disables multiple system recovery measures:

Figure 11: Malware disabling recovery measures

We tried to reach out to the malware operator via the uTox address stated in the ransom note, but we received no reply.

SonicWall Protections

SonicWall Capture Labs protects against this threat via the following signature:

  • GAV: Wessy.RSM(Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.