BleedGreen FireCrypt Ransomware Kit fails at DDoS

January 6, 2017

The SonicWall Threats Research team has received reports of a new ransomware named FireCrypt. It is created by a malware kit called BleedGreen. The kit is used to generate FireCrypt executables from a limited set of options, including a DDoS of the Pakistan Telecommunication Authority website.

The Kit executable file uses the following icon:

The Kit, which requires .NET 4.0 to run, uses the Windows Command Prompt as its configuration interface. It lists its built-in features and provides an option to supply an icon for the generated malware executable:

Infection Cycle:

Once the generated file is run on the target machine, it kills Task Manager if it is running and makes the following DNS query:

  • www.pta.gov.pk

It is believed that the following communication with the Pakistan Telecommunication Authority website is part of an intended DDoS attack, although it appears to be ineffective:

The Trojan scans the filesystem for files to encrypt. JavaScript code found embedded in the executable file shows the list of file extensions that the malware looks for and encrypts using AES-256:

The Trojan adds the following files to the filesystem:

  • %USERPROFILE%\Start Menu\Programs\Startup\EkstrwhbiMZYosv.exe (copy of original) [Detected as GAV: FireCrypt.A (Trojan)]
  • %USERPROFILE%\Desktop\tFyROkGeXTevLgT-filesencrypted.html
  • %USERPROFILE%\Desktop\tFyROkGeXTevLgT-READ_ME.html
  • %USERPROFILE%\Local Settings\Temp\dbgRKSvXIYceWvY-(num).html x453 (where num is a number between 1 and 453)

tFyROkGeXTevLgT-filesencrypted.html contains a list of files that were encrypted by the Trojan.
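The dropped files listed above are the host-based indicators a responder would sweep for. The following script is an added example, not part of the original advisory or SonicWall's tooling: it checks one user profile directory for the startup-folder copy, the two desktop HTML notes and the numbered temp files, and reports how many of the latter it saw and the number range. The file names are the ones the advisory gives; the directory layout mirrors the %USERPROFILE% paths above but is rebuilt under a temporary directory with constructed placeholder contents so the check runs on any OS. On a real host you would point `scan_profile` at each profile under C:\Documents and Settings or C:\Users (an assumed usage, not stated on the page).

```python
import re
import tempfile
from pathlib import Path

# File names from the advisory; the directory shape mirrors the advisory's
# %USERPROFILE% paths (Windows XP-style "Local Settings\Temp").
STARTUP_COPY = Path("Start Menu") / "Programs" / "Startup" / "EkstrwhbiMZYosv.exe"
DESKTOP_NOTES = (
    Path("Desktop") / "tFyROkGeXTevLgT-filesencrypted.html",
    Path("Desktop") / "tFyROkGeXTevLgT-READ_ME.html",
)
TEMP_DIR = Path("Local Settings") / "Temp"
# The advisory says (num) runs from 1 to 453; capture it so the range can be reported.
TEMP_PATTERN = re.compile(r"^dbgRKSvXIYceWvY-(\d+)\.html$")


def scan_profile(profile: Path) -> dict:
    """Look for the FireCrypt drop artifacts under one user profile directory."""
    findings = {
        "startup_copy": (profile / STARTUP_COPY).is_file(),
        "desktop_notes": [p.name for p in DESKTOP_NOTES if (profile / p).is_file()],
        "temp_files": 0,
        "temp_num_range": None,
    }
    nums = []
    temp = profile / TEMP_DIR
    if temp.is_dir():
        for entry in temp.iterdir():
            m = TEMP_PATTERN.match(entry.name)
            if m and entry.is_file():
                nums.append(int(m.group(1)))
    findings["temp_files"] = len(nums)
    if nums:
        findings["temp_num_range"] = (min(nums), max(nums))
    return findings


def is_infected(findings: dict) -> bool:
    """The startup copy or a ransom note is persistent evidence; the temp files
    alone are weaker (scratch files that may be cleaned), so they only inform."""
    return findings["startup_copy"] or bool(findings["desktop_notes"])


def build_sample_profile(root: Path, infected: bool) -> Path:
    """Constructed test fixture: a fake profile with or without the artifacts.
    Contents are placeholders, not the real binary or notes."""
    profile = root / ("infected" if infected else "clean")
    for d in (STARTUP_COPY.parent, Path("Desktop"), TEMP_DIR):
        (profile / d).mkdir(parents=True, exist_ok=True)
    (profile / "Desktop" / "notes.txt").write_text("unrelated user file\n")
    if infected:
        (profile / STARTUP_COPY).write_bytes(b"MZ placeholder")
        for p in DESKTOP_NOTES:
            (profile / p).write_text("<html>constructed placeholder</html>\n")
        for n in range(1, 454):  # 453 numbered files, as the advisory states
            (profile / TEMP_DIR / f"dbgRKSvXIYceWvY-{n}.html").write_text("x")
    return profile


def demo() -> dict:
    """Scan one constructed infected profile and one clean profile."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        return {
            "infected": scan_profile(build_sample_profile(root, True)),
            "clean": scan_profile(build_sample_profile(root, False)),
        }


if __name__ == "__main__":
    for name, f in demo().items():
        verdict = "FireCrypt indicators present" if is_infected(f) else "no indicators"
        print(f"{name}: {verdict} {f}")
```

The temp-file count is reported rather than used for the verdict because a partially cleaned host may have some of the 453 files left while the startup copy is the artifact that actually re-launches the Trojan at logon; removing that copy and the GAV-detected original is the remediation step the indicators point to.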

tFyROkGeXTevLgT-READ_ME.html contains the following message:

As with most ransomware, FireCrypt uses Bitcoin as its ransom payment method.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: FireCrypt.A (Trojan)