Malware researchers at Check Point Technologies have spotted a new “offline” ransomware that is targeting Russian users. The principal characteristic of this strain of malware is that it doesn’t need to communicate with a command and control (C&C) server in order to encrypt files.
This feature complicates the analysis of security firms because it is not possible to detect the communication with the control centers.
The offline ransomware has been around since at least June 2014, the experts highlighted that the threat actors behind the campaign have already released numerous variants of the malware.
The last version of the offline ransomware (CL 220.127.116.11) has been released in August 2015, the threat is well known to the principal security firms that detected it with various names (Ransomcrypt.U [Symantec], Win32.VBKryjetor.wfa [Kaspersky] and Troj/Ransom-AZT [Sophos].
Once the ransomware infects the victim’s PC, it encrypts his files and changes the desktop background displaying a message in the Russian language that includes the instructions to recover the files.
“Your files are encrypted, if you wish to retrieve them, send 1 encrypted file to the following mail address: Seven_Legion2@aol.com
ATTENTION!!! You have 1 week to mail me, after which the decryption will become impossible!!!!”
All the files on the machine infected by the CL 18.104.22.168 version, the one analyzed by the researchers at Check Point Technologies, were encrypted, and each one renamed to the following format:
email-[address to contact].ver-[Ransomware internal version].id-[Machine identifier]-[Date & Time][Random digits].randomname-[Random name given to the encrypted file].cbf
email-Seven_Legion2@aol.com.ver-CL 22.214.171.124.id-NPEULAODSHUJYMAPESHVKYNBQETHWKZOBQFT-10@6@2015 9@53@19 AM5109895.randomname-EFWMERGVKYNBPETHVKZNBQETHWKZNB.RGV.cbf
Victims are asked to pay a ransom between $300 and $380, depending on how fast they perform the payment, to receive a decryption tool and the key needed to recover their files.
The offline ransomware is written in Delphi and uses some Pascal modules, a choice not common for malware developers. The experts explained that the file-encrypting capabilities implemented by the offline ransomware are highly efficient, it is nearly impossible to recover the files once the threat has encrypted it.
Check Point has provided the following description of the file encryption process:
The threat actors used several email addresses in their campaign, most of them AOL and Gmail accounts. It is interesting to note that the unique account related to a Russian email provider, firstname.lastname@example.org, is also one of the emails associated with the original version of the offline ransomware. The address was no more used by crooks after the version 126.96.36.199.
Ransomware are very profitable for cyber criminals, according to security researchers of the Cyber Threat Alliance which have conducted an investigation into the cybercriminal operations leveraging CryptoWall ransomware, criminals behind CryptoWall 3.0 Made $325 Million.
On a weekly basis, new malware appears in the wild, recently the fourth version of the popular Cryptowall was detected online and new ones are expected to come.
(Security Affairs – Offline Ransomware, cybercrime)