Ransomware asking for Amazon giftcard as payment

April 5, 2019

Cryptocurrency has been the conduit for ransomware payments and its perceived anonymity has made this type of attack very lucrative for cybercriminals. This week the SonicWALL Capture Labs Research team has become aware of yet another ransomware. Like any other ransomware, its behavior was nothing different, however this variant asks for Amazon gift card as a form of ransom payment.

Infection cycle:

Upon execution it drops the following files in the %Temp% directory:

  • %Temp%/wallpaper.bmp
  • %Temp%/wallpaper.png
  • %Temp%/Winrar.exe (non-malicious legitimate copy of winrar)

It changes the desktop wallpaper of the infected machine using one of the wallpaper image files it dropped in the temp directory.

The ransomware then moves all files in %Users% directory into an encrypted rar archive using Winrar.exe. It empties the following folders:

Once done, it opens a window with instructions on how to pay the ransom.

The ransomware author asks for a $50 Amazon gift card code to be sent as a message using a chat app called Discord to the user “UNNAM3D#6666.”

Further digging, we found this youtube video which appears to be from the same author selling malware for $1500 per build.

SonicWALL Capture Labs provides protection against this threat via the following signature:

  • GAV: Unnam3d.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.