FBI Ransomware

This malware poses as the FBI and accuses the user of a long list of crimes, threatening legal action unless a fee of $150 is paid. It can be unlocked without paying.


A quick examination of this FBI themed ransomware reveals that it is UPX packed:

A quick unpack using the free UPX utility will dump out the original executable. 

Digging through the strings of the unpacked executable, we can see that it contains an embedded EXE. This embedded EXE can be extracted manually, with 010 Editor templates, or with similar carving tools:
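As an added illustration of the carving step (this is example code, not from the original write-up), the script below scans a buffer for a second `MZ` header, validates it by following `e_lfanew` to a `PE\0\0` signature, and sizes the embedded image from its section table so it can be carved out exactly. The carrier and embedded PE used in `__main__` are constructed fixtures, not bytes from the sample.

```python
import struct

SECTION_HDR = 40   # size of one IMAGE_SECTION_HEADER
COFF_HDR = 24      # "PE\0\0" signature plus IMAGE_FILE_HEADER


def _pe_image_size(data: bytes, base: int) -> int:
    """Return the on-disk size of a PE image starting at data[base], or 0 when the
    bytes there are not a plausible PE (bad e_lfanew, no PE signature, or a
    section table that runs past the end of the buffer)."""
    if base + 0x40 > len(data):
        return 0
    e_lfanew = struct.unpack_from("<I", data, base + 0x3C)[0]
    pe = base + e_lfanew
    if e_lfanew < 0x40 or pe + COFF_HDR > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return 0
    nsections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    sect = e_lfanew + COFF_HDR + opt_size       # section table, relative to base
    end = sect + SECTION_HDR * nsections         # image is at least its headers
    if base + end > len(data):
        return 0
    for i in range(nsections):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 of each section header
        raw_size, raw_ptr = struct.unpack_from("<II", data, base + sect + SECTION_HDR * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end if base + end <= len(data) else 0


def find_embedded_pe(data: bytes, start: int = 1):
    """Yield (offset, size) for every PE image embedded in data.
    The scan starts at offset 1 so the carrier's own MZ header is skipped."""
    pos = data.find(b"MZ", start)
    while pos != -1:
        size = _pe_image_size(data, pos)
        if size:
            yield pos, size
            pos = data.find(b"MZ", pos + size)
        else:
            pos = data.find(b"MZ", pos + 2)


def build_minimal_pe(payload: bytes) -> bytes:
    """Constructed fixture (not from the sample): a skeletal PE with one section
    whose raw data is `payload`, placed at file offset 0x80."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)                               # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    section = struct.pack("<8sIIIIIIHHI", b".text", len(payload), 0x1000,
                          len(payload), 0x80, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + coff + section + payload


if __name__ == "__main__":
    # Constructed carrier: outer MZ header, junk bytes, the embedded PE, a trailer.
    carrier = b"MZ" + b"\0" * 0x3E + b"junk" * 10 + build_minimal_pe(b"A" * 16) + b"trailer"
    for off, size in find_embedded_pe(carrier):
        print(f"embedded PE at offset {off:#x}, {size} bytes")
```

On a real dropper, replace `carrier` with the unpacked file's bytes and write `carrier[off:off + size]` to disk to obtain the second-stage executable.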

This embedded EXE is the final ransomware. Persistence is achieved via a Windows batch file that copies the file to Desktop/ElmerLock/FBI.exe and then into the user's Startup folder, so it is launched every time the computer boots.

When running, the ransomware poses as the FBI and accuses the user of many criminal acts. The ransomware will 'lock' the desktop and prevent the user from using the computer. In order to resolve the issue a fine of $150 USD in Bitcoin must be sent to [email protected] 

This ransomware is most likely written by the same author as ElmersGlue due to the numerous similarities between the methods employed, the coding style, and the fact that the output folder contains "Elmer". Much like ElmersGlue, this ransomware can be unlocked without paying.

If we examine FBI.exe, we can see the strings that the code compares against the user's input when button1 is clicked:

Unlock code 1: 19398372
Unlock code 2: 1830298
Unlock code 3: 8908978

These codes may vary per sample, but the malware can still be removed without paying the ransom. Follow the instructions given in this video.

If you use the unlock codes within the ransomware you are presented with further removal instructions: 


There are many VirusTotal detections for every stage of this sample. A home antivirus solution should detect the majority of this ransomware and its variants. There is no network traffic to write a signature for.


This FBI themed ransomware is most likely written by the same actor as ElmersGlue due to its many similarities including structure, coding style, and naming conventions. It can still be unlocked without paying the ransom.