ExTS Admin Starbuck Posted February 18, 2016 ExTS Admin Posted February 18, 2016 Researchers have spotted some new ransomware that comes with a Live Chat feature and a somewhat useless uninstaller program. First detected by the folks at the abuse.ch security blog, the ransomware dubbed "PadCrypt," is being spread via spam email campaigns, explains Lawrence Abrams of Bleeping Computer. Each email comes with a .ZIP attachment that contains an executable file with the double extension of .pdf.scr. The use of a double extension is a deliberate attempt by attackers to fool users into believing that the file might be a legitimate PDF file, but when executed the file downloads the PadCrypt ransomware onto a victim's machine. At that point in time, PadCrypt encrypts any and all files it locates in a series of target folders: C:\Users\[login_name]\Downloads C:\Users\[login_name]\Documents C:\Users\[login_name]\Pictures C:\Users\[login_name]\ After finishing encrypting those folders, the malware encrypts more files found on the C: drive and any available removable media before displaying the following ransom message: http://img.photobucket.com/albums/v708/starbuck50/padcrypt_zpsipewnmzu.jpeg As is seen above, the ransomware authors demand that the victim penny up 0.8 BTC (approximately US $350) for the decryption key to their now encrypted files. This is considerably less than what the hackers behind the recent attack against the Hollywood Presbyterian Memorial Center have asked for. But here's where it gets interesting. In the bottom-left corner the ransom screen is a "Live Feature" option which, when clicked, opens up a screen where the victim can speak in real-time with the malware's developers, as Bleeping Computer's Abrams comments: A feature like this could potentially increase the amount of payments as the victim can receive "support" and be guided on the confusing process of making a payment. At this time, however, the ransomware's command and control (C&C) servers are offline, so both the malware's encryption process and live feature are currently unavailable. PadCrypt also comes with an uninstaller that is loaded upon initial execution. But this feature is misleading. The uninstaller only removes the files that PadCrypt installs on a victim's computer. It does not deter or reverse the encryption process. Clearly, ransomware authors are developing increasingly more sophisticated malware samples every day. These malicious programs come equipped with features such as Live Chat options to ensure that victims know how to submit a payment, thereby affirming the end-goal of their criminal scheme. Don't give them the satisfaction. Rolling-out software patches on a regular basis, refraining from clicking on suspicious links, and maintaining an anti-virus solution on your computer will go a long way towards preventing a ransomware infection. Also, should ransomware ever execute on your computer, make sure you have several data back-ups on hand that you can load up once an expert has wiped the malware off of your computer. Source: https://www.grahamcluley.com/2016/02/padcrypt-ransomware-live-chat/ The PadCrypt Ransomware is still Alive and Kicking When the PadCrypt ransomware was first discovered, the existing Command & Control servers for the ransomware were quickly shutdown. As no new versions were released it was assumed that the developer had given up on his project. Unfortunately, it appears that PadCrypt is still alive and kicking as I discovered a new sample of the downloader last night that utilizes a new C2 server at jodielane100.com. It also appears that the developer is using the live chat to initiate conversation with the victims rather than the other way around. The malware developer has been sending messages to the victims explaining to them that if they do not pay the ransom price will increase. http://img.photobucket.com/albums/v708/starbuck50/fiddler_zps2viscrcl.png Fiddler showing download activity of new downloader Source: http://www.bleepingcomputer.com/news/security/the-padcrypt-ransomware-is-still-alive-and-kicking/ Quote Member of:UNITE
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.