SonicWall Security Center
Share: Linkedin Share Facebook Like
Back to SonicALERT


InsaneCrypt ransomware spotted in the wild.



Description


The SonicWall Capture Labs Threat Research Team observed reports of a new variant family of InsaneCrypt Ransomware [InsaneCrypt.RSM] actively spreading in the wild.

InsaneCrypt encrypts the victims files with a strong encryption algorithm, replaces the partition table of the system drive in some manner until the victim pays a fee to get them back.

Infection Cycle:

The Malware adds the following files to the system:

  • Malware.exe

    • %Userprofile%\Desktop\ How_decrypt_files.txt

Once the computer is compromised, the Malware starts searching for document files.

The Malware overwrites the computer's partition table to avoid targets to recover their system drive:

The Malware uses following public key for its own encryption:

While Malware.exe is encrypting files, it will encrypt all files and append the .Insane extension onto each encrypted file's filename.

After Malware encrypts all personal documents it generates a text file containing a message reporting that the computer has been encrypted and to contact its developer for unlock instructions.

After our analysis we have noticed that the Malware does not provide a way to input a key or UID to restore the partition table. It is currently unclear whether InsaneCrypt is yet another wiper masquerading as ransomware or if it is just poorly coded malware.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: InsaneCrypt.RSM (Trojan)




Back to top

Back to SonicALERT

Follow: Follow us on Facebook Follow us on Twitter Join the Conversation
#SonicWall
© 2018 SonicWall | Privacy Policy | Conditions for use | Feedback | Live Demo | SonicALERT | Document Library | Report Issues
Version: 13.20 | S2MSW02