Incompetent Ransomware Gang
Posted by: Timothy Weaver on 11/30/2016 12:07 PM
A gang of miscreants has put together a new strain of ransomware that locks up a victim's computer. Once the machine is locked, it displays a screen telling the victim to call a "Microsoft" help desk in India to unlock the system.
The ransomware has been dubbed VindowsLocker because instead of just demanding a ransom in bitcoin, it locks the system and sends the victim to a "help" desk.
Jerome Segura, Malwarebytes Labs lead malware intelligence analyst, said: “The first part of the message refers to the infection being done by attackers and not Microsoft. The second part of the message says that this is Microsoft trying to help. It is a little confusing though.”
Instead of a command and control server to store the decryption keys, the bad guys abused Pastebin's API in what turned out to be a failed attempt to create an easy way to store the key.
“The ransomware comes with two hardcoded Pastebin API keys. The AES key, that is randomly generated on the victim machine, is pasted on Pastebin with their help,” Segura wrote.
“However, they misunderstood the Pastebin API (they hardcoded a user_key) that was meant to be used for a single session. After the predefined period of time, the key expired. Retrieving them in this intended way became no longer possible,” he said.
This means that even the criminals themselves cannot decrypt the victim's files.
If a victim calls the "help" number, they are connected to one of the criminals in India. But filling out the payment form is pointless, because the victim will not get their files back.
Source: SCMagazine