Ring Ø Labs DOES NOT advocate using any of the malware, techniques, or information presented here for harm and doing so may violate the law. These topics are for mitigation and educational purposes only.

Monday, August 7, 2017

FBI Ransomware

This malware poses as the FBI, accuses the user of a list of crimes, locks the desktop, and threatens legal action unless a $150 "fine" is paid. It can be unlocked without paying.





RING Ø LABS

Malware Report


DETAILS

The sample arrives as VIDEOMP419389183-14.MP4.exe, a double extension that passes for a video file when Windows hides known file extensions. A quick examination of this FBI themed ransomware reveals that it is UPX packed:




A quick unpack with the free UPX utility (upx -d) will dump out the original executable, provided the packer's headers have not been tampered with to break the stock unpacker.




Digging through the strings of the unpacked executable we can see that it contains an embedded EXE: a second MZ/PE header inside the file. We can extract this embedded EXE manually with a hex editor, with 010 Editor templates, etc.:
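The two steps above, spotting the UPX section names and carving the embedded executable, can be done with a few lines of header parsing instead of by hand. The following is an added example written for this page, not Ring Ø Labs' tooling: it reads the PE section table (UPX leaves UPX0/UPX1 as section names unless the packer was told otherwise), then scans for any further MZ header whose e_lfanew points at a valid "PE\0\0" signature and sizes the carve from that inner file's section table. The inner and outer images it tests against are constructed stand-ins, not bytes from the sample.

```python
# Added example (not Ring 0 Labs' tooling): detect UPX section names and carve an
# embedded PE from a dropper, the same thing the post does with strings/010 Editor.
import struct


def _headers(data, base=0):
    """(pe_offset, section_count, section_table_offset) for the PE at `base`, or None."""
    if base + 0x40 > len(data) or data[base:base + 2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, base + 0x3C)[0]
    pe = base + e_lfanew
    if not 0x40 <= e_lfanew < 0x1000 or pe + 24 > len(data) \
            or data[pe:pe + 4] != b"PE\x00\x00":
        return None
    nsec = struct.unpack_from("<H", data, pe + 6)[0]       # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]  # COFF SizeOfOptionalHeader
    return pe, nsec, pe + 24 + opt_size


def section_names(data, base=0):
    """Section names of the PE at `base` (empty list if the headers are invalid)."""
    h = _headers(data, base)
    if h is None:
        return []
    _, nsec, table = h
    names = []
    for i in range(nsec):
        off = table + i * 40                 # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\x00").decode("ascii", "replace"))
    return names


def looks_upx_packed(data):
    """UPX names its sections UPX0/UPX1 by default; the names can be edited, so a
    miss here proves nothing, but a hit is a strong hint."""
    return any(n.startswith("UPX") for n in section_names(data))


def pe_raw_size(data, base=0):
    """On-disk size of the PE at `base`: end of its headers or of its last raw section."""
    h = _headers(data, base)
    if h is None:
        return 0
    _, nsec, table = h
    end = table + 40 * nsec - base
    for i in range(nsec):
        off = table + i * 40
        if off + 40 > len(data):
            break
        size, ptr = struct.unpack_from("<II", data, off + 16)  # SizeOfRawData, PointerToRawData
        if size:
            end = max(end, ptr + size)
    return end


def find_embedded_pes(data, start=1):
    """Offsets of every valid MZ/PE header at or after `start` (1 skips the outer file)."""
    hits = []
    pos = data.find(b"MZ", start)
    while pos != -1:
        if _headers(data, pos) is not None:
            hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def carve(data, offset):
    """Bytes of the embedded PE starting at `offset`, sized from its own section table."""
    return data[offset:offset + pe_raw_size(data, offset)]


def build_minimal_pe(sections, trailer=b""):
    """Constructed test image (no optional header, so not loadable): DOS header,
    PE signature, COFF header, section table, raw section data, then `trailer`."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    ptr = e_lfanew + 4 + 20 + 40 * len(sections)          # first raw-data offset
    table, body = b"", b""
    for name, raw in sections:
        table += name.ljust(8, b"\x00")
        table += struct.pack("<IIII", len(raw), 0x1000, len(raw), ptr) + b"\x00" * 16
        body += raw
        ptr += len(raw)
    return dos + b"PE\x00\x00" + coff + table + body + trailer


# Constructed stand-in for the unpacked dropper: UPX-named sections wrapping an inner PE.
INNER = build_minimal_pe([(b".text", b"\xCC" * 32)])
OUTER = build_minimal_pe([(b"UPX0", b""), (b"UPX1", b"\x90" * 16)], trailer=INNER)
```

Run it against a real file with `data = open(path, "rb").read()`, then `looks_upx_packed(data)` on the packed sample and `find_embedded_pes(data)` on the unpacked one; `carve()` writes out a file whose own `section_names()` should look like a normal compiler output rather than UPX0/UPX1.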




This embedded EXE is the final ransomware. Persistence is achieved via a Windows batch file that copies the file to Desktop\ElmerLock\FBI.exe and then to the user's Startup folder, so it is launched every time that user logs on.
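Knowing the two drop locations makes cleanup verification easy to script. The following is an added example, not part of the original report: it checks a user profile (live or a mounted image) for the Desktop\ElmerLock\FBI.exe copy and for runnable files in the per-user Startup folder, hashing each hit so it can be compared against the MD5 in the file details or looked up on VirusTotal. The profile layout it tests against is constructed in a temporary directory; the file contents are dummy bytes, not the sample.

```python
# Added example (not from the original post): triage a Windows user profile for the
# ElmerLock drop and Startup-folder persistence described in the report.
import hashlib
import tempfile
from pathlib import Path

DROP_PATH = Path("Desktop/ElmerLock/FBI.exe")
STARTUP_DIR = Path("AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup")
RUNNABLE = {".exe", ".bat", ".cmd", ".lnk", ".vbs", ".js", ".ps1"}

# Constructed dummy "executable" used only by make_constructed_profile().
CONSTRUCTED_EXE = b"MZ" + b"\x00" * 62
CONSTRUCTED_MD5 = hashlib.md5(CONSTRUCTED_EXE).hexdigest().upper()


def md5_of(path):
    """MD5 of a file, for matching against the report's hash or a VirusTotal lookup."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def find_persistence(profile):
    """Return {'dropped': (path, md5) or None, 'startup': [(path, md5), ...]} for the
    profile rooted at `profile` (e.g. C:\\Users\\alice, or a mounted-image equivalent)."""
    profile = Path(profile)
    dropped = profile / DROP_PATH
    result = {
        "dropped": (str(dropped), md5_of(dropped)) if dropped.is_file() else None,
        "startup": [],
    }
    startup = profile / STARTUP_DIR
    if startup.is_dir():
        for entry in sorted(startup.iterdir()):
            # desktop.ini and the like are normal here; only runnable types matter.
            if entry.is_file() and entry.suffix.lower() in RUNNABLE:
                result["startup"].append((str(entry), md5_of(entry)))
    return result


def is_infected(profile):
    """True if the ElmerLock drop exists or an FBI.exe is queued in the Startup folder."""
    r = find_persistence(profile)
    return r["dropped"] is not None or any(
        Path(p).name.lower() == "fbi.exe" for p, _ in r["startup"])


def make_constructed_profile(infected=True):
    """Build a throwaway profile directory (constructed test data): the ElmerLock drop
    plus a Startup copy when `infected`, otherwise just an empty Startup folder."""
    root = Path(tempfile.mkdtemp(prefix="profile-"))
    (root / STARTUP_DIR).mkdir(parents=True)
    (root / STARTUP_DIR / "desktop.ini").write_text("[.ShellClassInfo]\n")
    if infected:
        (root / DROP_PATH).parent.mkdir(parents=True)
        (root / DROP_PATH).write_bytes(CONSTRUCTED_EXE)
        (root / STARTUP_DIR / "FBI.exe").write_bytes(CONSTRUCTED_EXE)
    return root
```

On a live machine call `find_persistence(Path.home())` for the current user, or point it at each directory under C:\Users; any unexpected entry in the Startup list is worth hashing and looking up even if it is not named FBI.exe, since the codes and names may vary per sample.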




When running, the ransomware poses as the FBI and accuses the user of many criminal acts. It 'locks' the desktop and prevents the user from using the computer. To resolve the issue, the lock screen demands that a fine of $150 USD in Bitcoin be sent to [email protected]






This ransomware was most likely written by the same author as ElmersGlue, given the numerous similarities in the methods employed and the coding style, and the fact that the drop folder name (ElmerLock) contains "Elmer". Much like ElmersGlue, this ransomware can be unlocked without paying.


Examining FBI.exe shows the button1 click handler comparing the entered text against hard-coded strings:




Unlock code 1: 19398372
Unlock code 2: 1830298
Unlock code 3: 8908978
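Because the codes are compared as literal strings, they can be pulled out of a sample without loading it in a debugger. The following is an added example, not part of the original report: a small strings extractor that scans both ASCII and UTF-16LE runs and returns digit-only runs of plausible code length. The UTF-16LE pass is there on the assumption (mine, from the WinForms-style name "button1") that FBI.exe is a .NET binary, whose string literals are stored as UTF-16; a plain ASCII `strings` run would miss them. The byte sample it scans is constructed for the example, not taken from the malware.

```python
# Added example (not from the original post): find candidate unlock codes by extracting
# ASCII and UTF-16LE strings and keeping digit-only runs of code-like length.
import re


def extract_strings(data, min_len=4, encodings=("ascii", "utf-16le")):
    """Yield (offset, encoding, text) for printable runs of at least `min_len` chars."""
    patterns = {
        "ascii": re.compile(rb"[\x20-\x7e]{%d,}" % min_len),
        "utf-16le": re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len),
    }
    for enc in encodings:
        for m in patterns[enc].finditer(data):
            yield m.start(), enc, m.group().decode(enc)


def candidate_unlock_codes(data, min_digits=6, max_digits=10,
                           encodings=("ascii", "utf-16le")):
    """Digit runs of plausible code length inside any extracted string, deduplicated,
    as (offset, encoding, code) in file order."""
    digits = re.compile(r"(?<!\d)\d{%d,%d}(?!\d)" % (min_digits, max_digits))
    seen, out = set(), []
    for off, enc, text in sorted(extract_strings(data, encodings=encodings)):
        for code in digits.findall(text):
            if code not in seen:
                seen.add(code)
                out.append((off, enc, code))
    return out


# Constructed stand-in for FBI.exe: UTF-16LE literals as a .NET binary would hold them,
# some ASCII noise, and the three codes from the report (two UTF-16, one ASCII).
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + "button1_Click".encode("utf-16le") + b"\x00\x00"
    + "19398372".encode("utf-16le") + b"\x00\x00"
    + "1830298".encode("utf-16le") + b"\x00\x00"
    + b"v2017.08.07\x00"
    + b"8908978\x00"
    + b"12345\x00"
)
```

Running `candidate_unlock_codes(SAMPLE)` returns all three codes, while restricting it to `encodings=("ascii",)` returns only the one stored as ASCII, which is the gap a default `strings` run leaves on a .NET sample. On a real binary expect version numbers and timestamps in the list as well; the length bounds cut most of them, and the rest are cheap to try in the lock screen.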


These codes may vary per sample, but the malware can still be removed without paying the ransom; follow the removal instructions given in the accompanying video.


Entering the unlock codes into the ransomware presents further removal instructions:




DETECTION


All stages of this sample (the packed dropper, the unpacked dropper, and the embedded FBI.exe) have many VirusTotal detections, so a current consumer antivirus product should catch this ransomware and most of its variants. The malware generates no network traffic, so there is nothing to write a network signature for; detection has to rely on host artifacts such as the Desktop\ElmerLock folder and the FBI.exe entry in the user's Startup folder.


CONCLUSION

This FBI themed ransomware was most likely written by the same actor as ElmersGlue, given its many similarities in structure, coding style, and naming conventions. It can still be unlocked without paying the ransom.


FILE DETAILS

Filename: VIDEOMP419389183-14.MP4.exe
Packer: UPX
MD5: C8C53340FBCE3B76AEB7E49EE6F88869
Type: Ransomware