You’re infected! Ransomware with a twist

Your computer is infected! Pay $50 USD in order to remove the malware.

The FBI has been tracking you for visiting inappropriate sites. Please pay $250 to avoid higher court costs and appearances.

Ransomware is nothing new, and typically comes in many shapes and sizes. For years, users have been visiting websites, only to be redirected to a ransomware site and scared into paying fees that amounted to nothing more than lost money. With the advent of CryptoLocker, however, attackers have felt a need to “give” back to their victims. Once they infect a system and encrypt the data, they will offer to decrypt this data for a small fee. How kind of them…

In recent months, attackers have started to change the game by delivering these samples via phishing, and using new malware that imitates Cryptolocker. I recently came across a phish carrying ransomware similar to Cryptolocker, but with some noteworthy differences.

In Figure 1, we can see the classic MAILER-DAEMON phish tricking the user into thinking they actually sent the email.

Figure 1 — Phishing Email

From Figure 1, you can see that there is an attached zip file titled “Read Email”. The zip file contains 2 files, “disclaimer.txt” and “email#*.txt.exe”, see screenshot in Figure 2.

Figure 2 — Screenshot of zip file with text and executable

In disclaimer.txt, the attackers let themselves off the hook by telling us that the email is considered confidential, and that they are not responsible for any loss of information. Disclaimer.txt can be seen in Figure 3.

Figure 3 — Contents of disclaimer.txt

In Figure 4, we start to see some differences from your standard Cryptolocker, as the malware authors have changed the icon to appear like a text file. By doing this, it will become more enticing for the user to open the file.

Figure 4 — Screenshot of the icon

If the user opens the file, the computer will become infected with malware that looks similar to CryptoLocker. In Figure 5, the user is instructed to pay the ransom… with a twist.

Figure 5 — Ransom note from the malware

Here, the victim is instructed to first download TOR in order to access the ransom site, allowing the attackers to maintain a degree of anonymity while collecting the ransom (similar to the Cryptolocker variant described by ESET back in December 2013, which forced victims to pay the ransom using Bitcoin). As of the time of writing, the website has been down (Figure 6), leaving those who are infected up a creek without an oar.

Figure 6 — Site via TOR not resolving

For those who would like to take the free route or are up a creek without an oar, there are a few ways to recover the lost files.

• According to ThreatPost, for CryptoLocker infections, if a network share was part of the infection, comparing the timestamps of the Master File Table (MFT) can get a list of encrypted files in order to pull them from backups. (Source:

• For other variants, the malware will write the encrypted files and delete the non-encrypted ones. Even though the data is deleted from the hard drive, things aren’t 100% gone. (Source:

• The third way to recover the files is due to an oversight by the attackers. When variants of CryptoDefense encrypt the user’s data, a private key is created on the system. By using this private key, the encrypted data can be recovered. (Source:


What do Takedown Vendors and Fire Hydrants Have in Common?
What we're reading about the Chinese hacking charges