Welcome to our

Cyber Security News Aggregator

.

Cyber Tzar

provide a

cyber security risk management

platform; including automated penetration tests and risk assesments culminating in a "cyber risk score" out of 1,000, just like a credit score.

OphionLocker. New ransomware on the scene

published on 2014-12-09 19:46:00 UTC by Trojan7Malware
Content:





This malware was discovered by a honeypot triggered during a malvertising campaign. The campaign used the RIG exploit kit. 

Interesting features of this ransomware:
Uses elliptic curve cryptography for the encryption of files. (I believe this is the first ransomware to use such methods)
Spread using an EK all variants were FUD at time of discovery.
Price can be changed depending on geo-location, United States being the most expensive
No support for unicode at the moment, although that's likely to change.
Public keys are pre-packed in the malware and their corresponding private keys are generated server side and then sent once the ransom is paid.
Payment page is hosted on tor, making a shut down incredibly hard.

Extensions encrypted;
"accdb",0,".ai",0,".arw",0,".bay",0,".blend",0,".cdr",0,".cer",0,".cr2",0,".crt",0,".crw",0,".dbf",0,".dcr",0,".der",0,".dng",0,".doc",0,".docm",0,".docx",0,".dwg",0,".dxf",0,".dxg",0,".eps",0,".erf",0,".indd",0,".jpe",0,".jpg",0,".jpeg",0,".kdc",0,".mdb",0,".mdf",0,".mef",0,".mrw",0,".nef",0,".nrw",0,".odb",0,".odm",0,".odp",0,".ods",0,".odt",0,".orf",0,".p12",0,".p7b",0,".p7c",0,".pdd",0,".pdf",0,".pef",0,".pem",0,".pfx",0,".ppt",0,".pptm",0,".pptx",0,".psd",0,".pst",0,".ptx",0,".r3d",0,".raf",0,".raw",0,".rtf",0,".rw2",0,".rwl",0,".srf",0,".srw",0,".wb2",0,".wpd",0,".wps",0,".xlk",0,".xls",0,".xlsb",0,".xlsm",0,".xlsx",0,0" The same extensions both cryptolocker and torlocker use.

Once the files are encrypted payment is demanded by text files filling the desktop with the ransom notice. A 3 day timer begins, when this timer runs out the ransom fee increases. Bitcoin is once again the currency of choice and a US victim is charged $300 for the decryption key.

Strangely, the malware generates a HWID (HardWare Identification) number to ensure only one sample can be generated per PC, these can be blacklisted to prevent encryption if the actors deem it necessary.

Due to the fact that a public key is already present in the file encryption can begin without internet connectivity or user interaction. This makes stopping the infection before its too late significantly harder.


Samples, Hashes and Scans:
Scan: http://nodistribute.com/result/M3sGCPTit4eAK
Hash: e17da8702b71dfb0ee94dbc9e22eed8d
Sample:  THIS IS MALWARE http://bit.ly/1yMMRwf THIS IS MALWARE

Article: OphionLocker. New ransomware on the scene - published almost 10 years ago.

http://trojan7malware.blogspot.com/2014/12/ophionlocker-new-ransomware-on-scene.html   
Published: 2014 12 09 19:46:00
Received: 2023 03 31 23:02:32
Feed: Trojan7Malware
Source: Trojan7Malware
Category: Cyber Security
Topic: Cyber Security
Views: 1

Custom HTML Block

Click to Open Code Editor