Lawrence Abrams, for Bleeping Computer, describes how the SyncCrypt Ransomware Hides Inside JPG Files, Appends .KK Extension.
The article describes ransomware discovered by Emsisoft’s xXToffeeXx, distributed as spam attachments containing WSF (Windows Script File) objects. The WSF script pulls down images containing embedded Zip files. Abrams reports that the ‘WSF attachments are pretending to be court orders with file names like CourtOrder_845493809.wsf.’
VirusTotal searches today indicate that detection of the image file for which a hash is provided is rising, but is still lower than the detection rate for the executable, which the majority of mainstream security products now detect. The JPGs are not directly harmful, but the embedded Zip file contains the malicious sync.exe executable. Detection of the WSF file for which a hash is provided is also lower than for the executable.
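The point about the JPGs being harmless in themselves while the embedded Zip carries the executable is easy to check for on the defensive side. The following is an added example, not code from the Bleeping Computer analysis or from Emsisoft, and it assumes the common layout in which a complete ZIP archive is simply appended after the JPEG data (the article does not say exactly how the Zip is embedded, so that is an assumption). It builds a constructed JPEG/ZIP polyglot containing a dummy `sync.exe` (not the real malware) and then reports whether an image carries a trailing archive and which members look executable.

```python
import io
import zipfile

JPEG_SOI = b"\xff\xd8"          # start-of-image marker
JPEG_EOI = b"\xff\xd9"          # end-of-image marker
ZIP_LOCAL_HEADER = b"PK\x03\x04"

# File extensions that should never be found hiding inside an "image".
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".wsf", ".js", ".vbs", ".bat", ".cmd", ".ps1")


def build_sample() -> bytes:
    """Constructed sample: a JPEG-shaped prefix (SOI, APP0, padding, EOI) with a ZIP
    archive appended.  The 'sync.exe' member is a placeholder string, not a binary."""
    app0 = (b"\xff\xe0" + (16).to_bytes(2, "big")
            + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    fake_jpeg = JPEG_SOI + app0 + b"\x00" * 32 + JPEG_EOI
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sync.exe", b"MZ-placeholder-not-a-real-binary")
        zf.writestr("readme.html", b"<html>placeholder</html>")
    return fake_jpeg + buf.getvalue()


def analyse_image(data: bytes) -> dict:
    """Report whether a JPEG carries a trailing ZIP archive and list executable members."""
    report = {
        "is_jpeg": data.startswith(JPEG_SOI),
        "has_zip": False,
        "zip_offset": None,
        "members": [],
        "executable_members": [],
    }
    # zipfile locates the end-of-central-directory record by scanning backwards
    # from the end of the stream and tolerates arbitrary data prepended before the
    # archive (the same behaviour that makes self-extracting archives readable),
    # so a JPEG prefix does not hide the ZIP from this check.
    stream = io.BytesIO(data)
    if not zipfile.is_zipfile(stream):
        return report
    report["has_zip"] = True
    with zipfile.ZipFile(stream) as zf:
        infos = zf.infolist()
        # header_offset is adjusted by zipfile for the prepended JPEG bytes, so the
        # smallest one is the absolute position where the archive starts.
        report["zip_offset"] = min(i.header_offset for i in infos)
        report["members"] = [i.filename for i in infos]
    report["executable_members"] = [
        n for n in report["members"] if n.lower().endswith(EXECUTABLE_SUFFIXES)
    ]
    return report


if __name__ == "__main__":
    import sys
    paths = sys.argv[1:]
    if not paths:
        print(analyse_image(build_sample()))
    for path in paths:
        with open(path, "rb") as fh:
            print(path, analyse_image(fh.read()))
```

Run it with no arguments to see the report for the constructed sample, or pass one or more image paths to check real files. A report with `is_jpeg` true, `has_zip` true and a non-empty `executable_members` list is the pattern worth alerting on; a plain JPEG yields `has_zip` false because no end-of-central-directory record exists in the file.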
There’s no free decryption for affected data at this time.
IOCs, filenames etc. are appended to the Bleeping Computer analysis.
Emsisoft’s CMO Holger Keller contacted me to point out that the company is running a series of ‘Spotlight on Ransomware’ articles. I haven’t had a chance to look at them properly, but the company does useful work on providing ransomware decryptors and you may well find the articles of use and interest. Added to the RANSOMWARE RECOVERY AND PREVENTION page.
The first two articles are:
- Spotlight on Ransomware: Common infection methods – the writer says: ‘Malware writers and attackers use a variety of sophisticated techniques to spread their malware. There are three commonly used ransomware infection methods that will be explored in this post; malicious email attachments and links, drive-by downloads and Remote Desktop Protocol attacks. It is our hope that we can help you to focus on protecting the areas most likely to be compromised by cybercriminals and to reduce your risk of infection, starting right now.’
- Spotlight on Ransomware: How ransomware works – the writer says: ‘In Part Two, we will explore what happens once you’ve made that unfortunate click on a link or document, and what the ransomware does to your system to take control.’
Emsisoft gives a brief description of ransomware written in AutoIt that imitates Locky, but not very well, apparently. At any rate, Emsisoft also offers a decrypter.
I’ve mentioned before that Bleeping Computer is a resource worth checking when faced with a ransomware problem. Emsisoft recently published an interview with Lawrence of Bleeping Computer – Behind the scenes of a free PC troubleshooting helpsite: Interview with BleepingComputer – that you might find of interest, as it specifically includes references to ransomware.
Link added to resource page.
Wosar points out that in theory at least, this malware could easily be repackaged for OS X and Linux:
That should mean that Ransom32 can also easily be packaged for Linux and Mac OS X, at least in theory.
Added to the ransomware resources page and will also be added to Mac Virus.
I was contacted on another blog by ‘Steve’ at Emsisoft about a blog he put up recounting an encounter with a support scammer who cold-called Bleeping Computer. There isn’t an awful lot in the account that’s really new: the Event Viewer gambit, remote access with TeamViewer, misrepresentation of Task Manager, the claim that the ‘victim’s’ anti-malware is ‘incompatible and useless’, even the misrepresentation of the ‘tree’ command, with the crude interpolation of ‘virus alerts’ typed in by the scammer. Some of the conclusions reached in the blog are slightly misleading. However, the detailed transcription of the conversation is interesting, and there are a few details that are probably worth discussion in another article. Watch this space.
Added to the support scams resource page, of course.
Small Blue-Green World
ESET Senior Research Fellow