Lotus ransomware charges 1 BTC . Multi PC discount possible

March 5, 2021

The SonicWall Capture Labs threat research team has observed reports of a variant from the Crysis/Dharma ransomware family called Lotus.  The operators of this malware charge 1 BTC ($49K USD at the time of writing this alert) for file recovery.  However, the price appears to be negotiable after a conversation with the malware operator.

 

Infection Cycle:

 

Upon infection, the malware can be seen using the built-in mshta program to display the ransom message:

 

Files on the system are encrypted and the following extension is appended to their file names:

.id-E625BDD2.[paymei@cock.li].LOTUS

 

The following ransom message is displayed on the desktop:

 

The following files are dropped on to the system:

  • MANUAL.txt (in every directory containing encrypted files)
  • %APPDATA%\Roaming\{original malware file name} [Detected as: GAV: Lotus.RSM (Trojan)]
  • %APPDATA%\Roaming\Info.hta (contains message shown above)
  • %APPDATA%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta (contains message shown above)

 

MANUAL.txt contains the following text:

 

We reached out to the supplied emails and had the following conversation with the ransomware operator:

 

The operator asks how many pc’s we would like to recover.  This leads us to believe that the malware is aimed at large organizations:

 

We see if we can negotiate further if we have multiple infected PC’s:

 

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Lotus.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.