Resurrection ransomware plays audio from a horror movie

June 9, 2017

The SonicWALL Threat research team receives reports of ransomware daily and new strains seem to pop up every week. This week we analyzed this malware called Resurrection Ransomware. Like others that we have seen in the past, it exhibited predictable behavior only this time, its ransom note plays an eerie music in the background reminiscent of a horror film.

Infection Cycle:

The malicious file pretends to be a PDF file and uses the following icon:

Upon successful execution, it then proceeds to encrypt files in the victim's machine. It appends "[random 6 characters].resurrection" file extension to all encrypted files as seen in the screenshot below:

It drops the file README.html to every directory with an encrypted file. It then opens a browser to launch the html file which reads its ransom note. It is asking the victim to pay 1.77 Bitcoin and to confirm payment by sending an email to resurrection777 at protonmail dot com:

The html file plays an eerie music in the background. Upon careful inspection of the file we found the source for the music embedded on the html file.

We found that it plays Charlie Clouser's music which is the theme song of a horror movie called Dead Silence.

SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: Hiddentear.RSM_2 (Trojan)