Monday, May 7, 2018

PSCrypt ransomware: back in business

PSCrypt is ransomware, first discovered last year (2017), that targets users and organisations alike in Ukraine. The malware itself is based on GlobeImposter ("GI") ransomware.

I've written about PSCrypt in the past, when it was distributed via Crystal Finance Millennium's hacked website: Crystal Finance Millennium used to spread malware

In this quick blog post, we'll take a look at the latest iteration of PSCrypt.


A file named "xls.scr", which sports a fancy "energy" or "power" icon, is responsible for loading PSCrypt on the machine and was spread via a phishing campaign.

Figure 1 - Icon

The ransomware has the following properties:

As mentioned earlier, PSCrypt is based on GlobeImposter and as such, has very similar functionality.

The following folders are excluded from being encrypted:

Avast, Avira, COMODO, Chrome, Common Files, Dr.Web, ESET, Internet Explorer, Kaspersky Lab, McAfee, Microsoft, Microsoft Help, Microsoft Shared, Microsoft.NET, Movie Maker, Mozilla Firefox, NVIDIA Corporation, Opera, Outlook Express, ProgramData, Symantec, Symantec_Client_Security, Windows, Windows App Certification Kit, Windows Defender, Windows Kits, Windows Mail, Windows Media Player, Windows Multimedia Platform, Windows NT, Windows Phone Kits, Windows Phone Silverlight Kits, Windows Photo Viewer, Windows Portable Devices, Windows Sidebar, WindowsPowerShell, Wsus, YandexBrowser, ntldr, spytech software, sysconfig, system volume information

This iteration of PSCrypt will encrypt all files, including executables, except those files with the following extensions:


As usual, a temporary batch file will be used to clear Volume Shadow Copies as well as Event Logs:

Figure 2 - Batch file

What's new in this iteration of PSCrypt is not only the changes implemented by/via GlobeImposter ransomware, but also the ransom note itself, as shown in Figures 3 and 4 below:

Figure 3 - Ransomware note, part 1

Figure 4 - Ransomware note, part 2

The title of the ransom note is "Ваші файли тимчасово зашифрувати! Не хвилюйтесь!", which translates to "Your files are temporarily encrypted! Do not worry!".

The Ukrainian version is rather lengthy, and is as follows:

Для відновлення даних потрібно дешифратор.
Щоб отримати дешифратор, ви повинні, оплатити послуги розшифровки:
Оплата відбувається за коштами біткойн на кошелек № 1EoWxYTt7xCskTxjm47E2XNxgkZv1anDP9
Вартість послуги складає 150$
Оплату можна провести в терміналі IBox. або виберіть один з обмінних сайтів на сторінці - (приклад обмін Приват24 на BTC) також можете скористатися послугами
Додаткова інформація:
Програма можемо дешифрувати один файл як доказ того, що у неї є декодер. Для цього необхідно надіслати зашифрований файл - вагою не більше 2 mb, и ваш уникальный идентификационный код, на пошту:
Более детальная инструкция по оплате:
Всі файли розшифровуються тільки після 100% оплати
Ви дійсно отримуєте дешифратор після оплати
Не намагайтеся видалити програму або запустити антивірусні інструменти це може ускладнити вам роботу
Спроби самодешіфрованія файлів приведуть до втрати ваших даних
Декодери інших користувачів не сумісні з вашими даними, оскільки унікальний ключ шифрування кожного користувача.
За запитом користувачів, надаємо контакти клієнтів, які вже користувалися послугами нашого сервісу.
Додаткові контакти: - (якщо відповіді не прийшло після 24-х годин) - (якщо відповіді не прийшло після 24-х годин) - (якщо відповіді не прийшло після 24-х годин)
З повагою
Unlock files LLC
33530 1st Way South Ste. 102
Federal Way, WA 98003
United States

Google Translation, so pretty loose - I've made some minor corrections however:

To restore data you need a decoder.
To receive a decoder, you must pay for decoding services:
Payment is made at the expense of bitcoin to wallet number 1EoWxYTt7xCskTxjm47E2XNxgkZv1anDP9
Service cost is $ 150
Payment can be made at the terminal IBox. or select one of the exchange sites on the page - (example exchange of Privat24 to the BTC), you can also use the services of
Additional Information:
The program can decrypt one file as proof that it has a decoder. To do this, you need to send an encrypted file weighing no more than 2 mb and your unique identification code by mail:
More detailed payment instructions:
All files are decrypted only after 100% payment
You really get a decoder after payment
Do not try to uninstall a program or run antivirus tools, which can complicate your work
Attempts to self-decrypt files will result in the loss of your data
Other users' decoders are not compatible with your data, as the unique encryption key for each user.
At the request of users, we provide contact with customers who have already used the services of our service.
Additional contacts: - (if the answer did not arrive after 24 hours) - (if the answer did not arrive after 24 hours) - (if the answer did not arrive after 24 hours)

The English version is rather short and to the point:

For decoding, write to the - Basic - backup Additional contacts: - (if the answer did not arrive after 24 hours) - (if the answer did not arrive after 24 hours) - (if the response did not arrive after 24 hours) 

The cost for restoring service is, interestingly enough, expressed in US dollars this time ($150), as opposed to Ukrainian currency in a previous iteration.

However, the images which included IBox instructions (as payment method) have been removed, and while IBox is still suggested as a service, there's also a new website introduced to pay via Bitcoin using E-BTC. 

E-BTC is a Ukrainian service which is "the most reliable and simple service for buying and selling Bitcoins and also the best partner for entering and withdrawing funds to the WEX stock exchange."

It also promises full anonymity.

Back to the ransomware. Encrypted files will have the .docs extension appended, for example Jellyfish.jpg becomes

Ransom note: .docs document.html
BTC Wallet: 1EoWxYTt7xCskTxjm47E2XNxgkZv1anDP9

Extension: .docs

Fortunately, it appears no payments have been made as of yet: 1EoWxYTt7xCskTxjm47E2XNxgkZv1anDP9


The last iteration of PSCrypt was observed in 2017, but it appears it has now returned to try and coerce users and organisations to pay the ransom.

As usual, follow the prevention tips here to stay safe, but the rules of thumb are, as always:

  • Do not pay, unless there is imminent danger to life
  • Create regular backups, and do not forget to test if they work

IOCs follow below.


Saturday, May 5, 2018

Vietnamese ransomware wants you to add credit to a mobile phone

In this quick blog post we'll have a look at BKRansomware, a Vietnamese ransomware that wants you to top up its phone.

Update: 2018-05-06, scroll down for the update, added to the conclusion.


This ransomware is named "BKRansomware" based on the file name and debug path. Properties:

BKRansomware will run via command line and displays the following screen:

Figure 1 - Ransom message

The ransomware message is very brief, and displays:

send 50k viettel to 0963210438 to restore your data

Viettel is a form of credit for mobile phones, used in Vietnam and neighboring countries. It is part of "Viettel Group" (Tập đoàn Công nghiệp Viễn thông Quân đội in Vietnamese), a mobile network operator in Vietnam. (Wiki link). 

As such, it appears the creators are in desperate need of more credit so they can make calls again :)

It only encrypts a small number of extensions:

Figure 2 - extensions to encrypt

The list is as follows:

.txt, .cpp, .docx, .bmp, .doc, .pdf, .jpg, .pptx, .png, .c, .py, .sql

Encrypted files will have the .hainhc extension appended. Fun note: files aren't actually encrypted, but encoded with ROT23. For example, if you have a text file which says "password", the new content or file will now have "mxpptloa" instead.
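Because ROT23 is a fixed letter rotation, affected files can be restored without any key. The following Python is an added example (not code from the original analysis or from the malware) that decodes `.hainhc` files into copies with their original names. It assumes only ASCII letters are rotated, with case preserved and all other bytes untouched, since the post shows only a lowercase example; the function names are hypothetical.

```python
import string
from pathlib import Path

SHIFT = 23        # ROT23, per the post
EXT = ".hainhc"   # extension BKRansomware appends

def _table(shift: int) -> bytes:
    """Translation table rotating ASCII letters forward by `shift`."""
    lo, up = string.ascii_lowercase, string.ascii_uppercase
    rotated = lo[shift:] + lo[:shift] + up[shift:] + up[:shift]
    return bytes.maketrans((lo + up).encode(), rotated.encode())

# Assumption: only ASCII letters are rotated, case is preserved, and every
# other byte is left untouched. The post only shows a lowercase example.
ENCODE = _table(SHIFT)        # what the malware applies: "password" -> "mxpptloa"
DECODE = _table(26 - SHIFT)   # inverse rotation (forward by 3)

def rot23_decode(data: bytes) -> bytes:
    return data.translate(DECODE)

def restored_name(path: Path) -> Path:
    """notes.txt.hainhc -> notes.txt; refuse anything without the extension."""
    if path.suffix.lower() != EXT:
        raise ValueError(f"{path} does not end in {EXT}")
    return path.with_suffix("")

def recover_tree(root: Path) -> list[Path]:
    """Write decoded copies next to each *.hainhc file, keeping the originals."""
    restored = []
    for enc in sorted(root.rglob("*" + EXT)):
        if not enc.is_file():
            continue
        out = restored_name(enc)
        if out.exists():          # never overwrite an existing file
            continue
        out.write_bytes(rot23_decode(enc.read_bytes()))
        restored.append(out)
    return restored

if __name__ == "__main__":
    import sys
    for p in recover_tree(Path(sys.argv[1] if len(sys.argv) > 1 else ".")):
        print("restored", p)
```

Run it against a copy of the affected directory first and compare a few restored files before removing any `.hainhc` originals.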

Noteworthy is the debug path: 

C:\Users\Gaara\Documents\Visual Studio 2013\Projects\BKRansomware-20180503T093651Z-001\BKRansomware\Release\BKRansomware.pdb

The extension mentioned above, "hainhc", may refer to the following handle or persona on Whitehat VN, a Vietnamese network security community:


While BKRansomware is not exactly sophisticated, it is able to encrypt (or rather encode) files, and is unique in the sense that it asks you to top up a mobile phone.

Update: it appears this is a ransomware supposedly used for testing purposes, for both coding and testing VirusTotal detections. However, there seems to be a lot of "testing" going on, including keyloggers. Draw your own conclusions.

Follow the prevention tips here to stay safe.