Master Ransomware nets $168K so far!

June 23, 2017

The SonicWall Threats Research team has been monitoring a ransomware threat known as Master Ransomware, a variant of BTCWare. Its operation is very simple and follows the classic extortion tactic: encrypt files and demand a ransom to get them back. The important thing to note, however, is the rising trend of ransomware charging even more money for file decryption. In this case, 1 BTC (currently $2701 USD) is required for file decryption.

Infection Cycle:

Upon infection, the Trojan displays the following text on the desktop background:

It also displays the following text file:

The Trojan adds the following key to the registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run DECRYPTINFO %AppData%\Roaming\#_RESTORE_FILES_#!.inf

The Trojan traverses all directories on the system and encrypts files in those directories. It leaves #_RESTORE_FILES_#!.inf in each directory and renames each encrypted file to {original filename}.master. This directory traversal includes any attached network drives and attached external media storage.
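The two file-system indicators described above (the #_RESTORE_FILES_#!.inf note and the .master suffix) are enough to scope which directories on a host or mounted share were reached. The following triage sketch is an added example, not SonicWall code; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile

NOTE_NAME = "#_RESTORE_FILES_#!.inf"  # ransom note name from the advisory
ENC_SUFFIX = ".master"                # suffix appended to encrypted files


def scan_tree(root):
    """Walk root and return {directory: {"note": bool, "encrypted": [names]}}
    for every directory showing at least one indicator. "encrypted" holds
    the original filenames, recovered by stripping the .master suffix."""
    hits = {}
    # Unreadable directories are skipped instead of aborting the scan.
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        # Windows filenames are case-insensitive, so compare lowercased.
        note = any(f.lower() == NOTE_NAME.lower() for f in files)
        encrypted = sorted(
            f[: -len(ENC_SUFFIX)]
            for f in files
            if f.lower().endswith(ENC_SUFFIX) and len(f) > len(ENC_SUFFIX)
        )
        if note or encrypted:
            hits[dirpath] = {"note": note, "encrypted": encrypted}
    return hits


def build_sample_tree():
    """Constructed sample data: one affected directory and one clean one."""
    root = tempfile.mkdtemp(prefix="master_scan_")
    docs = os.path.join(root, "docs")
    clean = os.path.join(root, "clean")
    os.makedirs(docs)
    os.makedirs(clean)
    for name in ("report.docx.master", "budget.xlsx.MASTER", NOTE_NAME):
        open(os.path.join(docs, name), "w").close()
    open(os.path.join(clean, "notes.txt"), "w").close()
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for directory, info in sorted(scan_tree(sample).items()):
        state = "note present" if info["note"] else "no note"
        print(f"{directory}: {state}, {len(info['encrypted'])} encrypted")
        for original in info["encrypted"]:
            print(f"  {original}")
```

Run against a real mount point, the per-directory list of original filenames gives a restore checklist to compare against backups.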

It also drops #_RESTORE_FILES_#!.inf onto the desktop:

#_RESTORE_FILES_#!.inf contains a unique ID and instructs the user to send an email with this ID to in order to receive instructions to decrypt files.

We followed these instructions and received the following email:

The email instructs the user to send 1 BTC ($2701 USD at the time of writing) to 1HAvKnunqW8xPjEwRYJjMeYnA5sPCyBvAB.

Although this ransomware is very simple, its operators have been very successful and have netted 62.2 BTC so far. This amounts to $168,000 at the time of writing this alert:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Master.RSM (Trojan)
  • GAV: Master.RSM_2 (Trojan)