Build of open source AresCrypt ransomware on GitHub seen in the wild

February 1, 2019

The SonicWall Capture Labs Threat Research Team has recently discovered a build of an open source ransomware known as AresCrypt in the wild. The source code is hosted on GitHub and is promised to be feature-packed. In the author's own words: “Well, Arescrypt is one of my first large-scale ransomware malware’s I’ve ever hand-crafted. So, I tried going all out for it, in hopes that it may be developed better in time.”

The author lists the following features for the malware:

  • All-in-one (encryption, verification, and decryption) of files.
  • Unique API calls to configurable server (standalone PHP script included)
  • Information stored in DAT (configuration) file – obfuscated too 😉
  • Extensive configuration file
  • Sandboxing capabilities

Infection Cycle:

The Trojan uses the following icon:


The file contains the following metadata:


Upon infection, the Trojan shows the following messagebox in order to ease suspicion:


The following audio message is played in the background:


The Trojan adds the following files to the filesystem:

  • C:\Users\<user>\files.txt
  • <run location>.arescrypt.dat (hidden file)

files.txt contains a list of files that were encrypted.

.arescrypt.dat contains the following data:

{"uniqueKey":"62vq6T5Y27aO","encKey":null,"encIV":null}


During the infection cycle, files are encrypted and are given a .OOFNIK extension. The author may have chosen this extension based on the fictional character Moishe Oofnik from Rechov SumSum, an Israeli version of the popular children's television series Sesame Street.
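As an added example (not code from the original post or from the AresCrypt project), a small Python triage script that looks for the artifacts described above on a mounted or copied file tree: the hidden .arescrypt.dat configuration, checked against the JSON layout shown, files carrying the .OOFNIK extension, and the files.txt list. It assumes the .OOFNIK extension is appended to the original file name, and it builds a constructed temporary directory as sample input.

```python
import json
import os
import tempfile

ENCRYPTED_EXT = ".OOFNIK"          # extension given to encrypted files
DAT_NAME = ".arescrypt.dat"        # hidden per-run configuration file
DAT_KEYS = {"uniqueKey", "encKey", "encIV"}  # keys seen in the captured .dat

def parse_arescrypt_dat(raw: str):
    """Return the parsed config if `raw` matches the captured .arescrypt.dat layout."""
    try:
        data = json.loads(raw)
    except json.JSONDecodeError:
        return None
    if not isinstance(data, dict) or set(data) != DAT_KEYS:
        return None
    return data

def scan_tree(root: str) -> dict:
    """Walk `root` and collect the three artifact types described in the post."""
    findings = {"dat_files": [], "encrypted_files": [], "file_lists": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name == DAT_NAME:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    cfg = parse_arescrypt_dat(fh.read())
                if cfg is not None:
                    findings["dat_files"].append((path, cfg["uniqueKey"]))
            elif name.upper().endswith(ENCRYPTED_EXT):
                findings["encrypted_files"].append(path)
            elif name == "files.txt":   # weak indicator on its own; corroborate
                findings["file_lists"].append(path)
    return findings

def build_sample_tree() -> str:
    """Constructed sample: a temp dir mimicking a post-infection directory."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, DAT_NAME), "w") as fh:
        fh.write('{"uniqueKey":"62vq6T5Y27aO","encKey":null,"encIV":null}')
    for victim in ("report.docx", "photo.jpg"):   # assumes extension is appended
        open(os.path.join(root, victim + ENCRYPTED_EXT), "w").close()
    with open(os.path.join(root, "files.txt"), "w") as fh:
        fh.write("report.docx\nphoto.jpg\n")
    return root

if __name__ == "__main__":
    print(json.dumps(scan_tree(build_sample_tree()), indent=2))
```

On a real host, point scan_tree at the user profile root; a .arescrypt.dat hit is the strong indicator, the other two corroborate it.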


The Trojan obtains the victim's public IP address by querying ipinfo.io.


The Trojan reports the infection to a remote server:


After the audio message is played, the screen is locked with the following image:

The Trojan demands $40 in Bitcoin for file recovery.


SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: AresCrypt.RSM (Trojan)
  • GAV: AresCrypt.RSM_2 (Trojan)