Alma Ransomware delivered via RIG Exploit Kit

March 17, 2017

The Sonicwall Threat Research Team are still observing a steady increase in ransomware. A ransomware variant known as Alma has been observed being delivered via the RIG Exploit Kit to unsuspecting users. Exploit kits such as RIG are often hidden on compromised web servers and are used as part of a drive-by technique to infect visitors. Alma is yet another ransomware variant using the usual techniques for extorting money from infected users.

Infection Cycle:

The authors of the ransomware have tried to make the executable seem genuine by indicating that it was created by Apple Inc.:

The Trojan makes the following POST request to a hidden server on the TOR network:

The request is encoded using base64 encoding. The decoded message is as follows:

      p=OZZHTu0LitDed546XtOj1&a=Windows Defender&t=1489618916&r=hgshsgfh&o=6.3.9600&v=d42889198027beae49&s=2382&l=1033&e=vmnz&u=USER

OZZHTu0LitDed546XtOj1 is the encryption key used to encrypt/decrypt files. d42889198027beae49 is a unique user infection ID. The rest of the information contains data on any installed antivirus software, Windows version number, the current user and the file extension used for encrypted files.
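The check-in above is base64 over a plain query string, so a captured copy of the request can be decoded and split into the fields the write-up names. The following is an added analysis helper, not code from the write-up or from SonicWall: it base64-decodes a request body and maps the single-letter keys to the meanings given above. The sample body is the decoded message from the write-up re-encoded here; the field names `encryption_key`, `infection_id`, `antivirus_product`, `windows_version`, `username`, `encrypted_file_extension` and `timestamp` are this example's own labels, and the keys `r`, `s` and `l` are not explained in the write-up, so they are kept under their raw names.

```python
import base64
from datetime import datetime, timezone
from urllib.parse import parse_qs

# Constructed sample: the decoded beacon quoted in the write-up, base64-encoded
# so that decode_beacon() exercises the same decode step a captured request needs.
SAMPLE_DECODED = (
    "p=OZZHTu0LitDed546XtOj1&a=Windows Defender&t=1489618916&r=hgshsgfh"
    "&o=6.3.9600&v=d42889198027beae49&s=2382&l=1033&e=vmnz&u=USER"
)
SAMPLE_BODY = base64.b64encode(SAMPLE_DECODED.encode()).decode()

# Key meanings as described in the write-up. The descriptive names are this
# example's own labels (assumption); keys not covered here (r, s, l) are kept raw.
FIELD_NAMES = {
    "p": "encryption_key",
    "v": "infection_id",
    "a": "antivirus_product",
    "o": "windows_version",
    "u": "username",
    "e": "encrypted_file_extension",
    "t": "timestamp",
}


def decode_beacon(body: str) -> dict:
    """Base64-decode a captured POST body and return its fields by name.

    Raises ValueError (via binascii.Error) if the body is not valid base64,
    so a mangled capture is reported rather than silently mis-parsed.
    """
    raw = base64.b64decode(body, validate=True).decode("utf-8", errors="replace")
    parsed = parse_qs(raw, keep_blank_values=True)  # {key: [value, ...]}
    fields = {FIELD_NAMES.get(key, key): values[0] for key, values in parsed.items()}

    # The beacon timestamp is a Unix epoch; render it for the incident timeline.
    if fields.get("timestamp", "").isdigit():
        when = datetime.fromtimestamp(int(fields["timestamp"]), tz=timezone.utc)
        fields["beacon_time_utc"] = when.strftime("%Y-%m-%dT%H:%M:%SZ")
    return fields


def beacon_indicators(body: str) -> dict:
    """Return only the values an incident responder would record from the beacon."""
    fields = decode_beacon(body)
    return {
        key: fields.get(key)
        for key in ("encryption_key", "infection_id", "encrypted_file_extension",
                    "username", "beacon_time_utc")
    }


if __name__ == "__main__":
    for name, value in decode_beacon(SAMPLE_BODY).items():
        print(f"{name:26} {value}")
```

Because the key travels base64-encoded rather than encrypted, proxy or packet captures that include this POST are worth preserving during response: the `p` value recovered this way is the one the write-up identifies as the key used to encrypt and decrypt files.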

Files with the following extensions are targeted for encryption:

      .1cd, .3ds, .3gp, .accdb, .ai, .ape, .asp, .aspx, .bc6, .bc7, .bmp, .cdr, .cer
      .cfg, .cfgx, .cpp, .cr2, .crt, .crw, .csr, .csv, .dbf, .dbx, .dcr, .dfx, .dib
      .djvu, .doc, .docm, .docx, .dwg, .dwt, .dxf, .dxg, .eps, .htm, .html, .ibank
      .indd, .jfif, .jpe, .jpeg, .jpg, .kdc, .kwm, .max, .md, .mdb, .mdf, .odb, .odc
      .odm, .odp, .ods, .odt, .orf, .p12, .p7b, .p7c, .pdf, .pef, .pem, .pfx, .php
      .pl, .png, .pps, .ppt, .pptm, .pptx, .psd, .pst, .pub, .pwm, .py, .qbb, .qbw
      .raw, .rtf, .sln, .sql, .sqlite, .svg, .tif, .tiff, .txt, .vcf, .wallet, .wpd
      .xls, .xlsm, .xlsx, .xml

Upon reverse engineering the executable, the read, encrypt, write and delete functions can be seen without much effort:
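The extension list above and the read / encrypt / write / delete loop just described together give a defender something concrete to look for: a single process that reads a file with a targeted extension and deletes it shortly afterwards, many times over. The following is an added detection example, not code from the write-up or from SonicWall. It runs that heuristic over a constructed list of file-activity events of the form `(seconds, pid, operation, path)`, the shape an EDR or Sysmon-style file feed can be normalised into; the event feed, the process IDs and the idea that encrypted output is written as `<original>.vmnz` are all assumptions made for the sample (the write-up reports `vmnz` as the extension for encrypted files but does not say how the name is formed).

```python
import ntpath
from collections import defaultdict

# Extension list from the write-up, lower-cased for case-insensitive matching.
TARGETED_EXTENSIONS = set("""
.1cd .3ds .3gp .accdb .ai .ape .asp .aspx .bc6 .bc7 .bmp .cdr .cer
.cfg .cfgx .cpp .cr2 .crt .crw .csr .csv .dbf .dbx .dcr .dfx .dib
.djvu .doc .docm .docx .dwg .dwt .dxf .dxg .eps .htm .html .ibank
.indd .jfif .jpe .jpeg .jpg .kdc .kwm .max .md .mdb .mdf .odb .odc
.odm .odp .ods .odt .orf .p12 .p7b .p7c .pdf .pef .pem .pfx .php
.pl .png .pps .ppt .pptm .pptx .psd .pst .pub .pwm .py .qbb .qbw
.raw .rtf .sln .sql .sqlite .svg .tif .tiff .txt .vcf .wallet .wpd
.xls .xlsm .xlsx .xml
""".split())


def is_targeted(path: str) -> bool:
    """True if the file's extension is on the ransomware's target list."""
    # ntpath handles Windows-style paths regardless of the analysis host's OS.
    return ntpath.splitext(path)[1].lower() in TARGETED_EXTENSIONS


def find_encryption_bursts(events, min_files=3, window=10.0):
    """Flag processes that read a targeted file and delete it within `window`
    seconds, for at least `min_files` distinct files.

    That read-then-delete pairing on targeted extensions is the trace left by
    the read / encrypt / write / delete loop. Returns {pid: sorted victim paths}.
    """
    last_read = defaultdict(dict)   # pid -> {path: time of most recent read}
    victims = defaultdict(set)      # pid -> targeted paths read then deleted
    for ts, pid, op, path in sorted(events):
        if not is_targeted(path):
            continue                # the .vmnz output files never match
        if op == "read":
            last_read[pid][path] = ts
        elif op == "delete":
            t_read = last_read[pid].get(path)
            if t_read is not None and ts - t_read <= window:
                victims[pid].add(path)
    return {pid: sorted(paths) for pid, paths in victims.items()
            if len(paths) >= min_files}


# Constructed sample feed (assumption): pid 4242 behaves like the encryption
# loop, pid 1337 is an editor saving a file, pid 2001 is a user deleting files.
SAMPLE_EVENTS = []
for i, name in enumerate(["budget.xlsx", "thesis.DOCX", "photo.jpg", "keys.pem"]):
    src = rf"C:\Users\USER\Documents\{name}"
    SAMPLE_EVENTS += [
        (i * 0.5, 4242, "read", src),
        (i * 0.5 + 0.1, 4242, "write", src + ".vmnz"),   # assumed naming scheme
        (i * 0.5 + 0.2, 4242, "delete", src),
    ]
SAMPLE_EVENTS += [
    (3.0, 1337, "read", r"C:\Users\USER\Documents\notes.txt"),
    (3.5, 1337, "write", r"C:\Users\USER\Documents\notes.txt"),
    (4.0, 2001, "read", r"C:\Users\USER\Downloads\old.pdf"),
    (4.1, 2001, "delete", r"C:\Users\USER\Downloads\old.pdf"),
    (4.2, 2001, "delete", r"C:\Users\USER\Downloads\setup.exe"),
]

if __name__ == "__main__":
    for pid, paths in find_encryption_bursts(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {len(paths)} targeted files read then deleted")
        for p in paths:
            print("   ", p)
```

The threshold and window are deliberately parameters: a backup job or a user tidying a folder also reads and deletes files, so the value that separates them from an encryption loop depends on the environment, and the sample's pid 2001 shows why `min_files=1` would be too noisy.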

The following image is displayed onscreen, giving instructions on how to recover encrypted files. At the time of writing, the server had been removed (possibly by authorities) from the TOR network.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: AlmaLocker.A (Trojan)