Ransomware asking for Amazon giftcard as payment

Cryptocurrency has been the usual conduit for ransomware payments, and its perceived anonymity has made this type of attack very lucrative for cybercriminals. This week the SonicWALL Capture Labs Research team became aware of yet another ransomware family. Its behavior is no different from any other ransomware; what sets this variant apart is that it asks for an Amazon gift card as the ransom payment.

Infection cycle:

Upon execution it drops the following files in the %Temp% directory:

  • %Temp%\wallpaper.bmp
  • %Temp%\wallpaper.png
  • %Temp%\Winrar.exe (a legitimate, non-malicious copy of WinRAR)

It changes the desktop wallpaper of the infected machine using one of the wallpaper image files it dropped in the temp directory.

The ransomware then moves all files under the %Users% directory into a password-protected (encrypted) RAR archive using the dropped Winrar.exe; because the files are moved rather than copied, the originals are gone once the archive is built. It empties the following folders:

Once done, it opens a window with instructions on how to pay the ransom.
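The archive step is the part of this infection cycle a defender can actually catch. The archiver is an unmodified WinRAR, so hashing or signature-checking the binary tells you nothing; the signal is in where it runs from and how it is invoked. The following Python script is an added illustration, not code from the original analysis or from SonicWall: it runs a simple process-creation check over constructed Sysmon-style events. The command line it flags is an assumption about how the dropped Winrar.exe could be driven (the post does not show the real command line), while the WinRAR switches it looks for (the `a`/`m` commands, `-df`, `-p`/`-hp`) are genuine ones.

```python
import ntpath
import re

# Constructed process-creation events in the shape of Sysmon Event ID 1 fields.
# These are sample inputs written for this example, not telemetry from the
# original analysis. The command line in the first event is an assumption
# about how a dropped Winrar.exe could be driven; the switches are genuine
# WinRAR ones:
#   a / m     add / move files into the archive (m deletes the originals)
#   -df       delete files after archiving
#   -p<pwd>   encrypt file contents; -hp<pwd> also encrypts file names
#   -r        recurse into subdirectories
SAMPLE_EVENTS = [
    {   # dropped archiver in %Temp%, password set, originals deleted, whole profile targeted
        "Image": r"C:\Users\alice\AppData\Local\Temp\Winrar.exe",
        "CommandLine": (r"C:\Users\alice\AppData\Local\Temp\Winrar.exe a -r -df "
                        r"-hpSecret123 C:\Users\alice\AppData\Local\Temp\files.rar "
                        r"C:\Users\alice"),
        "ParentImage": r"C:\Users\alice\Downloads\invoice.exe",
    },
    {   # ordinary user-driven archiving: install path, no password, nothing deleted
        "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
        "CommandLine": (r'"C:\Program Files\WinRAR\WinRAR.exe" a -r '
                        r"C:\Users\alice\Desktop\photos.rar C:\Users\alice\Pictures"),
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # scripted backup with a password, but the originals are kept
        "Image": r"C:\Program Files\WinRAR\Rar.exe",
        "CommandLine": (r'"C:\Program Files\WinRAR\Rar.exe" a -pBackupPw '
                        r"C:\backup\docs.rar C:\Users\bob\Documents"),
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
]

RAR_IMAGES = {"winrar.exe", "rar.exe"}
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
# matches a profile root such as C:\Users\alice (with or without trailing backslash)
USER_PROFILE_ROOT = re.compile(r"[a-z]:\\users\\[^\\]+\\?")


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted spans intact."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def classify(event):
    """Return the reasons an event looks like archive-based ransomware ([] if benign)."""
    image = event["Image"]
    if ntpath.basename(image).lower() not in RAR_IMAGES:
        return []
    tokens = tokenize(event["CommandLine"])
    if len(tokens) < 3:
        return []
    command = tokens[1].lower()                      # WinRAR command letter
    switches = [t.lower() for t in tokens[2:] if t.startswith("-")]
    positional = [t for t in tokens[2:] if not t.startswith("-")]
    # -p<pwd>/-hp<pwd> carry the password with no space; "-p-" means no password
    encrypts = any(s.startswith(("-p", "-hp")) and s != "-p-" for s in switches)
    deletes_source = command == "m" or "-df" in switches
    # a password alone is a backup; deletion alone is cleanup; together they are the
    # "move everything into an archive the victim cannot open" pattern from the post
    if not (encrypts and deletes_source):
        return []
    reasons = ["password-protected archive with source files deleted"]
    if any(m in image.lower() for m in TEMP_MARKERS):
        reasons.append("WinRAR binary running from a temp directory")
    # positional[0] is the archive; anything after it is input to be archived
    if any(USER_PROFILE_ROOT.fullmatch(p.lower()) for p in positional[1:]):
        reasons.append("entire user profile targeted")
    return reasons


def scan(events):
    """Return (image, reasons) for every event that classify() flags."""
    flagged = []
    for event in events:
        reasons = classify(event)
        if reasons:
            flagged.append((event["Image"], reasons))
    return flagged


if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(image)
        for reason in reasons:
            print("  -", reason)
```

Only the first constructed event is flagged; the password-only backup and the plain interactive archive pass, which is the point of requiring both the encryption switch and the delete-after-archive behaviour before alerting. The temp-directory and profile-root checks are aggravating factors rather than triggers, so a user legitimately running a portable WinRAR from %Temp% does not generate noise.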

The ransomware author asks for a $50 Amazon gift card code to be sent as a message on the Discord chat app to the user “UNNAM3D#6666.”

Digging further, we found this YouTube video, which appears to be from the same author selling the malware for $1,500 per build.

SonicWALL Capture Labs provides protection against this threat via the following signature:

  • GAV: Unnam3d.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.
