Thursday, June 7, 2018

RedEye ransomware: there's more than meets the eye



A rather anonymous account reached out to me on Twitter asking to check out a "scary & really nasty" sample.

It turned out to be RedEye ransomware, a new strain or variant by the same creator of Annabelle ransomware, which I discovered in February earlier this year.


Analysis

This ransomware is named "RedEye" by the author "iCoreX".














Properties:

The first noticeable thing about this file is the huge filesize: 35.0 MB (36657152 bytes). This is due to several media files, specifically images and audio files, embedded in the binary.

It contains three ".wav" files:
  • child.wav
  • redeye.wav
  • suicide.wav
All three audio files play a "creepy" sound, intended to scare the user. 

Additionally, the binary is protected with ConfuserEx, compression, and a few other tricks. It also embeds another binary, which is responsible for replacing the MBR, which has the following properties:

  • MD5: 878a10cda09fec2cb823f2b7138b550e
  • SHA1: db44dae60c12853cdbe62ec9f7b3493a897e519a
  • SHA256: f96ed49ab1a5b4e2333fee30c42b2ae28dc5bc74fa02b9c6989e5c0159cfffd7
  • Compilation timestamp (Delphi): 1992-06-19 22:22:17
  • Compilation timestamp (Actual): 2018-06-04 14:23:36
  • VirusTotal report:
    f96ed49ab1a5b4e2333fee30c42b2ae28dc5bc74fa02b9c6989e5c0159cfffd7


What actually happens when executing this ransomware? Just like Annabelle ransomware it will perform a set of actions to make removal quite difficult, for example; it will disable task manager and in this iteration, will also hide your drives.

Similar to before, a ransom message is then displayed as follows:

Figure 1 - RedEye Ransomware


The message reads:

All your personal files has been encrypted with an very strong key by RedEye!
(Rijndael-Algorithmus -  AES - 256 Bit)
The only way to get your files back is:
- Go to http://redeye85x9tbxiyki.onion/tbxIyki - Enter your Personal ID
and pay 0.1 Bitcoins to the adress below! After that you need to click on
 "Check Payment". Then you will get a special key to unlock your computer.
You got 4 days to pay, when the time is up,
then your PC will be fully destroyed!


The ransomware has several options which I won't be showing here, but in short, it can:

  • Show encrypted files
  • Decrypt files
  • Support
  • Destroy PC

The Destroy PC option shows a GIF as background where you have the option to select "Do it" and "Close". I won't display the image however.

RedEye claims to encrypt files securely with AES256. On my machine, it appears to overwrite or fill files with 0 bytes, rendering the files useless, and appending the ".RedEye" extension.

The machine will, when the time runs out or when the "Do it" option is selected, reboot and replace the MBR, again similar to Annabelle ransomware, with the following message:


Figure 2 - MBR lock screen

The message reads as follows:


RedEye Terminated your computer! 
The reason for that could be:
- The time has expired
- You clicked on the 'Destroy PC' button
 
There is no way to fix your PC! Have Fun to try it :)
My YouTube Channel: iCoreX <- :p="" br="" subscribe="">Add me on discord!iCoreX#3333 <- account="" amp="" annabelle="" by="" creator="" discord.="" discord="" got="" i="" icorex="" jigsaw="" my="" named="" of="" old="" ransomware="" redeye="" terminated="">


The author, iCoreX, claims to have created Jigsaw, Annabelle, and now the RedEye ransomware - whether the former is true or not, I'll leave in the middle.

Details on the ransomware:

Extension: .RedEye
BTC Wallet: 1JSHVxXnGDydVXVamFW9AEmk3vk8cF8Vuj
Payment portal: (currently offline): http://redeye85x9tbxiyki[.]onion

Currently, it doesn't appear any payments have been made as of yet:


Removal

You may be able to restore the MBR, or your files, if you catch the ransomware in the act, and shutdown the machine at that point. Reboot in safe mode and copy over or back-up your files.

If tools such as the registry editor are not working, run Rkill in safe mode first.

Then, Restore the MBR, and reinstall Windows.

You may also try to restore the MBR first, and consequently attempt to restore files using Shadow Volume Copies. For example, a tool such as Shadow Explorer can be of assistance, or read the tutorial here.

If that doesn't work either, you may try using a data recovery program such as PhotoRec or Recuva



Conclusion


While it appears that the RedEye ransomware has even more tricks up its sleeve than its predecessor Annabelle, the same conclusion holds true: do not pay the ransomware.

As for the actual purpose of the ransomware: it may be considered a ransomware of the wiper kind, however, it appears the author likes to showcase his or her skill.

You can read more on the purpose of ransomware here.



IOCs