SonicWall Security Center
Share: Linkedin Share Facebook Like
Back to SonicALERT


BleedGreen FireCrypt Ransomware Kit fails at DDoS (Jan 6th 2017)



Description


The Sonicwall Threats Research team has received reports of a new Ransomware named FireCrypt. It is created by a malware kit called BleedGreen. The kit is used to generate FireCrypt executables based on a limited set of options provided including DDoS of the Pakistan Telecommunication Authority website.

The Kit executable file uses the following icon:

The Kit, which requires .NET 4.0 to run uses the Windows Command Prompt as its configuration interface. It mentions its in-built features and provides an option to supply an icon to the generated malware executable:

Infection Cycle:

Once the generated file is run on the target machine it kills Task Manager if running and makes the following DNS Query:

  • www.pta.gov.pk

It is believed that the following communication to the Pakistan Telecommunication Authority website is part of an intended DDoS attack although it appears to be ineffective:

The Trojan scans the filesystem for files to encrypt. Javascript code that was found embedded in the executable file shows a list of file extensions that the malware looks for to encrypt using AES-256:

The Trojan adds the following files to the filesystem:

  • %USERPROFILE%\Start Menu\Programs\Startup\EkstrwhbiMZYosv.exe (copy of original) [Detected as GAV: FireCrypt.A (Trojan)]
  • %USERPROFILE%\Desktop\tFyROkGeXTevLgT-filesencrypted.html
  • %USERPROFILE%\Desktop\tFyROkGeXTevLgT-READ_ME.html
  • %USERPROFILE%\Local Settings\Temp\dbgRKSvXIYceWvY-(num).html x453 (where num is a number between 1 and 453)

tFyROkGeXTevLgT-filesencrypted.html contains a list of files that were encrypted by the Trojan.

tFyROkGeXTevLgT-READ_ME.html contains the following message:

As with most ransomware FireCrypt uses Bitcoin as its ransom payment method.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: FireCrypt.A (Trojan)



Back to top

Back to SonicALERT

Follow: Follow us on Facebook Follow us on Twitter Join the Conversation
#SonicWall
© 2017 SonicWall | Privacy Policy | Conditions for use | Feedback | Live Demo | SonicALERT | Document Library | Report Issues
Version: 13.3 | S2MSW06