
Xorist Ransomware Created From Free Construction Kit
The SonicWall Capture Labs Threats Research team has recently been tracking malware derived from ransomware construction kits. Xorist is one such ransomware: a kit is provided, and an attacker can configure various features such as the message text, the file extension given to encrypted files, the encryption algorithm, and the unlock password. The attackers charge 0.8 BTC (around $4953 USD at the time of writing) for file recovery.
Infection Cycle:
Upon infection, the Trojan encrypts files on the system and appends the following file extension to their filenames:
- PAY_IN_MAXIM_24_HOURS_OR_ALL_YOUR_FILES_WILL_BE_PERMANENTLY_DELETED_PLEASE_BE_REZONABLE_you_have_only_1_single_chance_YOU_NEED_TO_PURCHASE_THE_DECRYPTOR_FROM_US_FAST_AND_URGENT
It places the following file in every directory containing encrypted files:
- HOW TO DECRYPT FILES.txt
HOW TO DECRYPT FILES.txt contains the following message:
We were able to obtain a copy of the construction kit. Ironically, we also obtained a copy that was infected with the very same ransomware. The user interface contains various customization options:
Configuration options include:
- File extensions to target for encryption
- File extension text to append to encrypted files
- Decryption password
- Wallpaper to show on desktop background
- Icon for the malware executable file
- Autorun at startup
- Encryption algorithm to use (XOR/TEA)
- Ransom note text
- File recovery password attempts
- UPX file packing
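Because the appended extension and the ransom note filename are both kit-configurable, the two indicators described above are only a starting point for scoping an infection. The following triage script is an added example (not SonicWall's code) that walks a directory tree, lists files carrying the Xorist extension quoted above, lists directories holding "HOW TO DECRYPT FILES.txt", and flags directories that contain the note but no files with the expected extension, which is the pattern to expect when a kit operator changed the extension but kept the note name. The sample directory tree it builds is constructed for the demonstration.

```python
"""Triage helper: locate Xorist ransomware artifacts under a directory tree.

Added example, not SonicWall's code. The two indicators below are taken from
the write-up; a kit-built sample may use different values.
"""
import os
import tempfile
from pathlib import Path

# Extension appended to encrypted files (quoted from the write-up).
XORIST_EXTENSION = (
    ".PAY_IN_MAXIM_24_HOURS_OR_ALL_YOUR_FILES_WILL_BE_PERMANENTLY_DELETED_PLEASE_BE_REZONABLE"
    "_you_have_only_1_single_chance_YOU_NEED_TO_PURCHASE_THE_DECRYPTOR_FROM_US_FAST_AND_URGENT"
)
# Ransom note dropped into every directory containing encrypted files.
RANSOM_NOTE_NAME = "HOW TO DECRYPT FILES.txt"


def find_xorist_artifacts(root):
    """Walk `root` and return (encrypted_files, note_dirs, note_only).

    encrypted_files: paths whose name ends with the Xorist extension.
    note_dirs:       directories containing the ransom note.
    note_only:       directories with a note but no file carrying the expected
                     extension; worth a second look, since the kit lets the
                     operator change the extension.
    """
    encrypted = []
    note_dirs = set()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name == RANSOM_NOTE_NAME:
                note_dirs.add(dirpath)
            elif name.endswith(XORIST_EXTENSION):
                encrypted.append(os.path.join(dirpath, name))
    encrypted_dirs = {os.path.dirname(p) for p in encrypted}
    note_only = sorted(note_dirs - encrypted_dirs)
    return sorted(encrypted), sorted(note_dirs), note_only


def original_name(encrypted_path):
    """Strip the appended extension to recover the pre-encryption filename."""
    name = os.path.basename(encrypted_path)
    if name.endswith(XORIST_EXTENSION):
        return name[: -len(XORIST_EXTENSION)]
    return name


def build_sample_tree():
    """Construct a small directory tree that mimics an infection (sample data)."""
    root = tempfile.mkdtemp(prefix="xorist_triage_")
    docs = Path(root) / "Documents"
    pics = Path(root) / "Pictures"
    clean = Path(root) / "Program Files"
    for d in (docs, pics, clean):
        d.mkdir()
    (docs / ("report.docx" + XORIST_EXTENSION)).write_bytes(b"\x00" * 16)
    (docs / ("budget.xlsx" + XORIST_EXTENSION)).write_bytes(b"\x00" * 16)
    (docs / RANSOM_NOTE_NAME).write_text("constructed note text")
    # Note present but nothing with the expected extension: flagged as note_only.
    (pics / RANSOM_NOTE_NAME).write_text("constructed note text")
    (clean / "app.exe").write_bytes(b"MZ")
    return root


def triage_sample():
    """Run the scan over the constructed tree and summarise the findings."""
    root = build_sample_tree()
    encrypted, note_dirs, note_only = find_xorist_artifacts(root)
    return {
        "encrypted_count": len(encrypted),
        "original_names": sorted(original_name(p) for p in encrypted),
        "note_dir_count": len(note_dirs),
        "note_only": [os.path.relpath(d, root) for d in note_only],
    }


if __name__ == "__main__":
    print(triage_sample())
```

Pointing `find_xorist_artifacts` at a mounted image or a user profile gives a quick list of affected directories and the original filenames behind the encrypted copies; the `note_only` list is the signal that the indicators need adjusting for the specific build in hand.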
The bitcoin address (3KxEZKjS4ifAHhX2o1fq9tERkAshSgA4hg) appears to have collected some funds from prior victims:
We reached out to repair_data@scryptmail.com and received the following reply. Although 0.8 BTC is stated in the ransom note, the file recovery fee appears to be negotiable. The deadline, however, is tight:
Sonicwall Capture Labs provides protection against this threat via the following signatures:
- GAV: Xorist.RSM_3 (Trojan)
- GAV: Xorist.RSM_4 (Trojan)
- GAV: Xorist.EJ_4 (Trojan)