Build of open source AresCrypt ransomware on github seen in the wild

The SonicWall Capture Labs Threat Research Team has recently discovered a build of an open source ransomware known as AresCrypt in the wild.  The source code is hosted on GitHub and is promised to be feature packed.  In the author's own words:  “Well, Arescrypt is one of my first large-scale ransomware malware’s I’ve ever hand-crafted. So, I tried going all out for it, in hopes that it may be developed better in time.”

The author lists the following features for the malware:

  • All-in-one (encryption, verification, and decryption) of files.
  • Unique API calls to configurable server (standalone PHP script included)
  • Information stored in DAT (configuration) file – obfuscated too 😉
  • Extensive configuration file
  • Sandboxing capabilities

Infection Cycle:

The Trojan uses the following icon:


The file contains the following metadata:


Upon infection, the Trojan shows the following messagebox in order to ease suspicion:


The following audio message is played in the background:


The Trojan adds the following files to the filesystem:

  • C:\Users\<user>\files.txt
  • <run location>.arescrypt.dat (hidden file)

files.txt contains a list of files that were encrypted.

.arescrypt.dat contains the following data:

{"uniqueKey":"62vq6T5Y27aO","encKey":null,"encIV":null}


During the infection cycle, files are encrypted and are given a .OOFNIK extension.  The author may have chosen this extension based on the fictional character Moishe Oofnik from Rechov SumSum, an Israeli version of the popular children's television series Sesame Street.
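As an added defender-side example (not SonicWall's or the AresCrypt author's code), the following Python script sweeps a directory tree for the artefacts described above: the hidden .arescrypt.dat JSON with its uniqueKey/encKey/encIV layout, the files.txt list, and files renamed with the .OOFNIK extension. The infected-profile tree it builds for the demo is constructed, not a real capture.

```python
import json
import os
import tempfile
from pathlib import Path

# Indicators taken from the analysis above (case-insensitive match on the extension).
ENCRYPTED_EXT = ".oofnik"      # encrypted files are renamed with .OOFNIK
DAT_NAME = ".arescrypt.dat"    # hidden config dropped at the run location
LIST_NAME = "files.txt"        # list of encrypted files in the user profile
DAT_KEYS = {"uniqueKey", "encKey", "encIV"}


def parse_dat(text):
    """Return the config dict if text has the .arescrypt.dat JSON layout, else None."""
    try:
        data = json.loads(text)
    except ValueError:
        return None
    if not isinstance(data, dict) or set(data) != DAT_KEYS:
        return None
    return data


def scan_tree(root):
    """Walk root and collect AresCrypt artefacts; returns a dict of findings."""
    findings = {"dat": [], "list": [], "encrypted": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == DAT_NAME:
                cfg = parse_dat(Path(path).read_text(encoding="utf-8", errors="replace"))
                if cfg is not None:
                    findings["dat"].append((path, cfg["uniqueKey"]))
            elif name == LIST_NAME:
                findings["list"].append(path)
            elif name.lower().endswith(ENCRYPTED_EXT):
                findings["encrypted"].append(path)
    return findings


def demo():
    """Build a constructed sample tree in a temp dir and scan it (assumed layout)."""
    root = Path(tempfile.mkdtemp())
    (root / "docs").mkdir()
    (root / "docs" / "report.docx.OOFNIK").write_bytes(b"\x00" * 16)  # constructed
    (root / "docs" / "notes.txt").write_text("clean file, left alone")
    (root / LIST_NAME).write_text("docs\\report.docx\n")
    (root / DAT_NAME).write_text(
        '{"uniqueKey":"62vq6T5Y27aO","encKey":null,"encIV":null}')  # value from the sample
    return scan_tree(str(root))
```

Run the scan against a user profile to triage a suspected infection; a hit on the .arescrypt.dat layout together with .OOFNIK files is a strong indicator of this build.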


The Trojan obtains the victim's public IP address by querying ipinfo.io.


The Trojan reports the infection to a remote server:


After the audio message is played, the screen is locked with the following image:

The Trojan demands $40 in bitcoin for file recovery.


SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: AresCrypt.RSM (Trojan)
  • GAV: AresCrypt.RSM_2 (Trojan)
