SonicWall Security Center


Amnesia ransomware continues high payment trend (July 21, 2017)



Description


The SonicWall Capture Labs Threat Research team has recently observed a ransomware threat known as Amnesia. As SonicWall predicted previously, the trend of increasing ransom payment demands has continued. This time last year, ransom demands averaged only a few hundred US dollars for file decryption. Most ransomware today has raised this amount to around 1 Bitcoin ($2629 at the time of writing this alert), as is the case with the Amnesia ransomware.

Infection Cycle:

The Trojan makes the following DNS request:

  • iplogger.info

The Trojan adds the following files to the filesystem:

  • %APPDATA%\sevnz.exe (copy of original file) [Detected as GAV: Amnesia.RSM (Trojan)]
  • IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT (copied into every directory containing encrypted files)

All files that have been encrypted use the following filenaming convention:

  • {encrypted filename}.[unlocking.guarantee@aol.com]

The Trojan adds the following keys to the registry, the first of which is a unique ID for the infection:

  • HKEY_CURRENT_USER\Software\aIYqDubteCKSoK temp "V4IAAAAAAADC0bNIxKaIH7JYV6699fOJvEi=G+RF6TCJ4cJBvLhWQGV+654JtVSw9RvdA56j7BpPGG32Za88GKSdzyey6Po=U+nGtFhb=e7wiDqx2fcJ6T0TZmNts3=uKH88QK1UWGHjigPKSRB4PWg3jiKTMZnFR7NTeH1momxGZguqRAzVlOh592AargphGyo+5o0bx39Uoh=bwM0O3m98fsAejkmm2RUQQYJ7SaBQd2AYI3SCM3JiL4uSCVPlK9EQbhCdhjn18jyDNmVp=nuK5YLLhISwFc5R=1=aZDM16W+xB0orn3okLFvs5LNGDrwEOXIXtUie3KKPgemZolrAZ4v7K0ZKLtJTu6eOY1PBa1hRmDMN1AKj2eSiZLtYSreoRC1KgdcK9fDoJfZL2sr9vdxMwogKCGvnA21YGVVlLLagjp35=ybaIdWlP1A95msz7SyZLpFs6WoJTcvurViRPGgWsUEpMbIy=lV+EJ0T0U1gDSydtsuffYcxyDk2f2rJCr5eIxOrwlIJlIhkDfEcuO=NKfkJZ6efwNwAXIeMXQfUdpg5k2EUu+R6sWOBcnnQkWUXSpZGUildgjL0OS5TXsCs60oLHMcyuMzip2sq7287OnFB8kz7javL9LcxUn2p17wAb7tW2wX3dKRhzL0Lqp5O2Z7uAiOEqmwYES3Ddjlh8gw2vVL4l1Wz7p92=divAAUeWLUte=J2dShKCLJK6ApQ4ct2w6gAfmdSPtc6Ko8dnujq1f6xcOVqTT8FBpqfBy6jd+8TwC1y0ndtHA6+sFBhFD4HDZcvIlguChgzRyK5TKK7l4"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce aIYqDubteCKSoK "%APPDATA%\sevnz.exe"
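The indicators listed above (the DNS lookup, the dropped copy, the ransom note, the encrypted-file naming convention and the RunOnce entry) can be turned into a simple host-triage check. The script below is an added example written for this page, not SonicWall's own tooling; it takes DNS query names, file paths and exported RunOnce values as plain Python inputs and reports which Amnesia indicators match. The sample telemetry at the bottom is constructed for illustration, and the `Updater` RunOnce entry is a made-up benign value used to show that unrelated entries are not flagged.

```python
import re
from typing import Dict, Iterable, List, Optional

# Indicators taken from the alert above.
IPLOGGER_HOST = "iplogger.info"
DROPPED_COPY = "sevnz.exe"                     # dropped as %APPDATA%\sevnz.exe
RANSOM_NOTE = "IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT"
# Encrypted files are renamed to {original filename}.[unlocking.guarantee@aol.com]
_ENCRYPTED_RE = re.compile(r"^(?P<orig>.+)\.\[unlocking\.guarantee@aol\.com\]$",
                           re.IGNORECASE)


def _basename(path: str) -> str:
    """Last path component, accepting Windows or POSIX separators."""
    return path.replace("\\", "/").rstrip("/").rsplit("/", 1)[-1]


def original_name(path: str) -> Optional[str]:
    """Return the pre-encryption filename if 'path' follows the Amnesia convention."""
    m = _ENCRYPTED_RE.match(_basename(path))
    return m.group("orig") if m else None


def check_dns(queries: Iterable[str]) -> List[dict]:
    """Flag lookups of iplogger.info or any of its subdomains (infection beacon)."""
    findings = []
    for q in queries:
        host = q.lower().rstrip(".")
        if host == IPLOGGER_HOST or host.endswith("." + IPLOGGER_HOST):
            findings.append({"type": "dns_beacon", "evidence": q})
    return findings


def check_files(paths: Iterable[str]) -> List[dict]:
    """Flag the ransom note, the dropped copy under AppData, and renamed files."""
    findings = []
    for p in paths:
        name = _basename(p)
        if name.upper() == RANSOM_NOTE:
            findings.append({"type": "ransom_note", "evidence": p})
        elif name.lower() == DROPPED_COPY and "appdata" in p.lower():
            findings.append({"type": "dropped_copy", "evidence": p})
        elif original_name(p) is not None:
            findings.append({"type": "encrypted_file", "evidence": p})
    return findings


def check_runonce(values: Dict[str, str]) -> List[dict]:
    """values maps RunOnce value name -> data, as exported from HKCU\\...\\RunOnce."""
    findings = []
    for name, data in values.items():
        if _basename(data.strip('"')).lower() == DROPPED_COPY:
            findings.append({"type": "runonce_persistence",
                             "evidence": f"{name} = {data}"})
    return findings


def scan(dns_queries, file_paths, runonce_values) -> List[dict]:
    """Combine all three checks into one list of findings."""
    return (check_dns(dns_queries) + check_files(file_paths)
            + check_runonce(runonce_values))


# Constructed sample telemetry from one hypothetical infected host (not from the alert).
SAMPLE_DNS = ["www.example.com", "iplogger.info", "time.windows.com"]
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Roaming\sevnz.exe",
    r"C:\Users\alice\Documents\IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT",
    r"C:\Users\alice\Documents\budget.xlsx.[unlocking.guarantee@aol.com]",
    r"C:\Users\alice\Documents\notes.txt",
]
SAMPLE_RUNONCE = {
    "aIYqDubteCKSoK": r"%APPDATA%\sevnz.exe",          # value name and data from the alert
    "Updater": r"C:\Program Files\Example\updater.exe",  # made-up benign entry
}

if __name__ == "__main__":
    for f in scan(SAMPLE_DNS, SAMPLE_FILES, SAMPLE_RUNONCE):
        print(f"{f['type']:20} {f['evidence']}")
```

The DNS check matches the apex domain and its subdomains only, so a lookalike such as `notiplogger.info` is not flagged; `original_name()` is useful during recovery to list which documents were renamed without touching their contents.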

The Trojan uses mshta.exe to run JavaScript as part of its infection process.

The infection is reported to the operators via iplogger.info; the response is a PNG file containing a single pixel.

The ransom note text file is displayed on the screen (screenshot not reproduced here).

We received an email from the operators after following the instructions in the text file (screenshot not reproduced here).

As there was no transaction history for the Bitcoin address (12X4P7HVpuhP535uTkETecGvZrV7A7T3oL), it is safe to assume that multiple Bitcoin addresses are used rather than a single address.

When run on Windows XP, the Trojan disabled our ability to reboot the system.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Amnesia.RSM (Trojan)
  • GAV: Amnesia.RSM_2 (Trojan)


