Xorist Ransomware Created From Free Construction Kit

The SonicWall Capture Labs Threat Research team has recently been tracking malware derived from ransomware construction kits. Xorist is one such ransomware: the kit author supplies a builder, and the attacker configures features such as the ransom message text, the file extension appended to encrypted files, the encryption algorithm and the unlock password. The attackers charge 0.8 BTC (around $4953 USD at the time of writing) for file recovery.

Infection Cycle:

Upon infection, the Trojan encrypts files on the system and appends the following file extension to their filenames:

  • PAY_IN_MAXIM_24_HOURS_OR_ALL_YOUR_FILES_WILL_BE_PERMANENTLY_DELETED_PLEASE_BE_REZONABLE _you_have_only_1_single_chance_YOU_NEED_TO_PURCHASE_THE_DECRYPTOR_FROM_US_FAST_AND_URGENT

It places the following file in every directory containing encrypted files:

  • HOW TO DECRYPT FILES.txt
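The two artifacts above (the appended extension and the per-directory note) are what an incident responder scopes an infection with. The following triage helper is an added example, not code from SonicWall or from the kit; it walks a directory tree, lists every file carrying the Xorist extension and every copy of the ransom note, and flags directories where the note was dropped but nothing was encrypted (the configured target extensions were absent there). The sample tree it builds is constructed test data, and matching on the leading part of the extension rather than the full string is an assumption made so that the check tolerates an operator editing the tail of the text.

```python
"""Host triage helper for the Xorist artifacts described above (added example)."""
import os
import tempfile
from pathlib import Path

# Leading portion of the appended extension reported on the page. Matching on
# this marker instead of the full string is an assumption: kit operators can
# edit the extension text, and the tail of it is the most likely part to change.
EXTENSION_MARKER = "PAY_IN_MAXIM_24_HOURS_OR_ALL_YOUR_FILES_WILL_BE_PERMANENTLY_DELETED"
RANSOM_NOTE_NAME = "HOW TO DECRYPT FILES.txt"  # note filename from the page


def is_encrypted_name(name: str) -> bool:
    """True if the filename carries the Xorist extension marker."""
    return EXTENSION_MARKER in name


def original_name(name: str) -> str:
    """Strip the appended extension to recover the pre-encryption filename."""
    idx = name.find("." + EXTENSION_MARKER)
    return name[:idx] if idx > 0 else name


def triage(root: Path) -> dict:
    """Scan `root` recursively and summarise the Xorist artifacts found."""
    encrypted, notes, hit_dirs = [], [], set()
    for dirpath, _dirs, files in os.walk(root):
        d = Path(dirpath)
        for f in files:
            if f == RANSOM_NOTE_NAME:
                notes.append(d / f)
            elif is_encrypted_name(f):
                encrypted.append(d / f)
                hit_dirs.add(d)
    note_dirs = {n.parent for n in notes}
    return {
        "encrypted_files": sorted(encrypted),
        "ransom_notes": sorted(notes),
        "directories_hit": sorted(hit_dirs),
        # Note dropped but nothing encrypted: no targeted extensions lived there.
        "notes_without_encrypted": sorted(note_dirs - hit_dirs),
        # Encrypted files with no note beside them (unexpected for this family).
        "encrypted_without_note": sorted(hit_dirs - note_dirs),
    }


def build_sample_tree(base: Path) -> Path:
    """Constructed sample tree (not real victim data) covering each case."""
    docs = base / "Documents"
    docs.mkdir(parents=True)
    suffix = "." + EXTENSION_MARKER + "_PLEASE_BE_REZONABLE"
    (docs / ("report.docx" + suffix)).write_bytes(b"\x00" * 16)
    (docs / ("budget.xlsx" + suffix)).write_bytes(b"\x00" * 16)
    (docs / RANSOM_NOTE_NAME).write_text("constructed note text\n")
    empty = base / "Empty"          # note present, nothing encrypted
    empty.mkdir()
    (empty / RANSOM_NOTE_NAME).write_text("constructed note text\n")
    clean = base / "Clean"          # untouched directory
    clean.mkdir()
    (clean / "notes.txt").write_text("untouched\n")
    return base


def run_demo() -> dict:
    """Build the constructed tree in a temp dir and return its triage summary."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample_tree(Path(tmp)))


def main() -> None:
    summary = run_demo()
    for key, paths in summary.items():
        print(f"{key}: {len(paths)}")
        for p in paths:
            print("    ", p.name if key != "directories_hit" else p)
    for p in summary["encrypted_files"]:
        print("original name:", original_name(p.name))


if __name__ == "__main__":
    main()
```

Pointing `triage()` at a real mount instead of the constructed tree gives the list of encrypted files and their pre-encryption names, which is the inventory needed before deciding whether backups cover the loss.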

HOW TO DECRYPT FILES.txt contains the following message:

We were able to obtain a copy of the construction kit.  Ironically we also obtained a copy that was infected with the very same ransomware.  The user interface contains various customization options:

Configuration options include:

    • File extensions to target for encryption
    • File extension text to append to encrypted files
    • Decryption password
    • Wallpaper to show on desktop background
    • Icon for the malware executable file
    • Autorun at startup
    • Encryption algorithm to use (XOR/TEA)
    • Ransom note text
    • File recovery password attempts
    • UPX file packing

The bitcoin address (3KxEZKjS4ifAHhX2o1fq9tERkAshSgA4hg) appears to have collected some funds from prior victims:

We reached out to repair_data@scryptmail.com and received the following reply. Although 0.8 BTC is stated in the ransom note, the file recovery fee appears to be negotiable. The deadline, however, is tight:

Sonicwall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Xorist.RSM_3 (Trojan)
  • GAV: Xorist.RSM_4 (Trojan)
  • GAV: Xorist.EJ_4 (Trojan)