Ransomware asking for nudes instead of bitcoins

September 22, 2017

The SonicWall Capture Labs Threat Research team receives reports of ransomware daily, and new strains seem to pop up every day. This week we analyzed a sample called NRansom. Unlike most of the ransomware we have seen in the past, NRansom asks its victim to send nude pictures instead of demanding payment in cryptocurrency.

Infection Cycle:

Upon execution, it drops the following files in the temp directory:

  • %temp%/***.tmp/nransom.exe [Detected as GAV: NRansom.RSM (Trojan)]
  • %temp%/***.tmp/Interop.WMPLib.dll (non-malicious file: Windows Media Player control library)
  • %temp%/***.tmp/AxInterop.WMPLib.dll (non-malicious file: Windows Media Player control library)
  • %temp%/***.tmp/Tools/your-mom-gay.mp3 (non-malicious audio file)

It then spawns cmd.exe to execute the nransom.exe file.

What is unique about this ransomware is that it demands that the victim send at least 10 nude pictures in exchange for an unlock code.

We found that it plays the audio file that it dropped in the temp directory in a loop. The track is Frolic by Luciano Michelini.

During our analysis, however, this malware did not actually encrypt any of the files on the machine, so it appears to be a hoax.

Nevertheless, because of the prevalence of these types of malware attacks, we still strongly urge our users to back up their files regularly.

SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: NRansom.RSM (Trojan)
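
A triage check for the drop layout listed under Infection Cycle, added here as an example and not SonicWall's own tooling: it scans the temp directory for `*.tmp` subdirectories that hold nransom.exe together with the companion files. It assumes the `***` in the paths above stands for an arbitrary directory name; the function names are hypothetical.

```python
import os
import tempfile

# File names come from the drop list in the write-up. Matching is
# case-insensitive because Windows file systems are.
PAYLOAD = "nransom.exe"
COMPANIONS = ("axinterop.wmplib.dll", "interop.wmplib.dll")


def score_drop_dir(path):
    """Return the indicators from the write-up that are present in one directory."""
    hits = []
    try:
        entries = {name.lower(): name for name in os.listdir(path)}
        if PAYLOAD in entries:
            hits.append(PAYLOAD)
        hits.extend(c for c in COMPANIONS if c in entries)
        # The audio file sits one level down, in a "Tools" subdirectory.
        tools = os.path.join(path, entries.get("tools", "Tools"))
        if os.path.isdir(tools) and any(
            name.lower().endswith(".mp3") for name in os.listdir(tools)
        ):
            hits.append("Tools/*.mp3")
    except OSError:
        pass  # unreadable or vanished directory: report what was seen so far
    return hits


def find_nransom_drops(temp_root=None):
    """Map each matching *.tmp directory under temp_root to its indicators.

    A directory is reported only if it contains the payload itself. The two
    DLLs and the audio file are benign on their own, so they are used only
    to raise confidence in a hit, never to trigger one.
    """
    temp_root = temp_root or tempfile.gettempdir()
    findings = {}
    with os.scandir(temp_root) as children:
        for child in children:
            if not child.is_dir(follow_symlinks=False):
                continue
            if not child.name.lower().endswith(".tmp"):
                continue
            hits = score_drop_dir(child.path)
            if PAYLOAD in hits:
                findings[child.path] = hits
    return findings


if __name__ == "__main__":
    for directory, hits in find_nransom_drops().items():
        print(f"{directory}: {', '.join(hits)}")
```

A hit that lists all four indicators matches the full layout described above; a hit on nransom.exe alone still warrants a look at the file.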