The Ransomware that almost was
A new ransomware family was snuffed in its crib today after security researchers tracked it down, analyzed its source code for weaknesses, and released a decrypter in less than 24 hours. So much for that strain!
Discovered by MalwareHunterTeam, first signs of this threat appeared yesterday evening when a spam campaign started distributing Word files that would download and install the ransomware on users' computers.
The ransomware, named Marlboro, comes with separate versions for 32-bit and 64-bit systems, which is the first time we've seen ransomware drop two separate installers depending on the target's architecture. Other malware, such as backdoor trojans, banking trojans, or PoS malware employ this technique quite often.
Marlboro's downloaders are fetched from free hosting accounts, which have been suspended in the meantime. Despite the use of free hosting to store the Marlboro binaries, a researcher who wanted to remain anonymous said the "[spam] campaign was really well crafted," as the threat actor appeared to have more knowledge of spam distribution methods than of malware coding.
Ransomware uses simplistic encryption
Marlboro uses XOR encryption to encrypt the user's files. All encrypted files will be renamed and will receive an extra ".oops" extension at the end. For example, a file named "image.png" will be renamed to "image.png.oops".
After the encryption process ends, the ransomware will drop and open a ransom note on the user's computer. This file is named "_HELP_Recover_Files_.html," pictured below.
The ransom note claims that Marlboro locked the user's files with a strong combination of AES and RSA encryption. This is a lie.
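To show why a XOR-based "cipher" lets researchers ship a decrypter in under a day, here is an added example (not from the article and not Marlboro's own code) of the known-plaintext recovery that repeating-key XOR permits: the first bytes of common file formats are fixed, so XORing them against the encrypted file hands back the key stream, and the period of that stream is the key. The 4-byte key, the file contents and the assumption that Marlboro used a short repeating key are constructed for illustration; the ".oops" renaming comes from the article.

```python
"""Why repeating-key XOR is not encryption: a known-plaintext key recovery.

Constructed example. The key, the sample file and the repeating-key scheme are
assumptions made for illustration, not details recovered from the Marlboro binary.
"""
import os
from itertools import cycle

# Well-known file headers used as known plaintext (real magic bytes).
KNOWN_HEADERS = {
    ".png": bytes.fromhex("89504e470d0a1a0a"),  # 8-byte PNG signature
    ".pdf": b"%PDF-",                           # 5 bytes
    ".zip": b"PK\x03\x04",                      # 4 bytes
}

# Extension the article says Marlboro appends to every encrypted file.
RANSOM_SUFFIX = ".oops"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Encrypting and decrypting are the same operation."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def original_name(encrypted_name: str) -> str:
    """Strip the ransom suffix: 'image.png.oops' -> 'image.png'."""
    if encrypted_name.endswith(RANSOM_SUFFIX):
        return encrypted_name[: -len(RANSOM_SUFFIX)]
    return encrypted_name


def guess_key_len(ciphertext: bytes, known_plaintext: bytes, max_len: int = 16) -> int:
    """Smallest period of the key stream exposed by the known plaintext.

    ciphertext XOR plaintext == key stream; a repeating key makes that stream
    periodic, and the shortest consistent period is the key length.
    """
    stream = xor_with_key(ciphertext[: len(known_plaintext)], known_plaintext)
    for length in range(1, min(max_len, len(stream)) + 1):
        if all(stream[i] == stream[i % length] for i in range(len(stream))):
            return length
    raise ValueError("no period found: key longer than the known plaintext")


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Known-plaintext attack: the first key_len bytes of the key stream are the key."""
    if len(known_plaintext) < key_len:
        raise ValueError("known plaintext shorter than key; cannot recover it whole")
    stream = xor_with_key(ciphertext[: len(known_plaintext)], known_plaintext)
    return stream[:key_len]


def demo() -> dict:
    """Encrypt a constructed PNG with a constructed key, then recover everything
    from the ciphertext and the file name alone, as a decrypter author would."""
    key = b"K3y!"  # constructed demo key, not Marlboro's real key material
    original = KNOWN_HEADERS[".png"] + b"\x00\x00\x00\rIHDR constructed png body"
    ciphertext = xor_with_key(original, key)
    encrypted_name = "image.png.oops"

    # Victim side of the recovery: we know only the ciphertext and the name.
    name = original_name(encrypted_name)
    known = KNOWN_HEADERS[os.path.splitext(name)[1]]
    key_len = guess_key_len(ciphertext, known)
    recovered_key = recover_key(ciphertext, known, key_len)
    return {
        "name": name,
        "key": recovered_key,
        "original": original,
        "plaintext": xor_with_key(ciphertext, recovered_key),
    }


if __name__ == "__main__":
    result = demo()
    print(result["name"], result["key"], result["plaintext"] == result["original"])
```

The recovery needs only one encrypted file whose format has a fixed header at least as long as the key; this is exactly the weakness that separates XOR from the AES/RSA scheme the ransom note claims, where no amount of known plaintext yields the key.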
The ransomware also drops a second file on the user's desktop, which is a decrypter created by the Marlboro author himself. This file's name is "deMarlboro," which also gives the ransomware its name.
The decrypter works by checking the crook's server for a ransom payment and then starting the decryption process. The decrypter also contains a human operator challenge to block users from spamming the author's server with requests.
Free Marlboro decrypter available
To continue reading this article visit BleepingComputer.Com