A new ransomware called CommonRansom was discovered that makes a very bizarre request. In order to decrypt a computer after a payment is made, the attackers require the victim to open up Remote Desktop Services on the affected computer and send them admin credentials so that they can decrypt the victim’s files. Yup, you read that right: let’s give access to an infected machine over RDP! Just brilliant...
When encrypting a victim’s computer, it will append the .[firstname.lastname@example.org].CommonRansom extension to encrypted files. It will also create a ransom note named DECRYPTING.txt, which is displayed below.
In this ransomware’s bizarre request, the attacker is telling victims to pay 0.1 btc and then send an email to email@example.com with the following information:
1. This ID-[VICTIM_ID]
2. [IP_ADDRESS]:PORT(rdp) of infected machine
3. Username:Password with admin rights
4. Time when you have paid 0.1 btc to this bitcoin wallet: 35M1ZJhTaTi4iduUfZeNA75iByjoQ9ibgF
This is where it gets crazy: sure, Mr. Cyber Criminal whom I trust 100%, go ahead and take admin rights in my environment!
While we have not been able to find a sample of the actual ransomware as of yet, the one ransom note we have seen is utilizing the 35M1ZJhTaTi4iduUfZeNA75iByjoQ9ibgF bitcoin address, which has seen some activity in the past.
Of particular interest is a transaction of 65 bitcoins sent from this address to the 1CnCfvUTFQf11QNeBEpk29rRXfNFg75R9n bitcoin address, which has received over 11,000 bitcoin addresses. The 1CnCfvUTFQf11QNeBEpk29rRXfNFg75R9n address could be acting as a mixer to make it harder for law enforcement to track these bitcoins.
When we locate a sample of this ransomware, we will update this article with more information.
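Until a sample turns up, the two artifacts described above (the .[contact].CommonRansom extension and the DECRYPTING.txt note) are what a responder can triage on. The following is an added example, not code from the article or from the ransomware: it walks a directory, records renamed files and the contact address embedded in their names, and parses any note for the wallet, the e-mail and the unusual RDP/admin-credential demand. The sample tree, the contact@example.net address and the shortened note are constructed; the wallet is the one quoted in the article.

```python
import re
import tempfile
from pathlib import Path

# Encrypted files are renamed <original>.[<contact e-mail>].CommonRansom
ENCRYPTED_RE = re.compile(r"^(?P<orig>.+)\.\[(?P<contact>[^\]]+)\]\.CommonRansom$")
NOTE_NAME = "DECRYPTING.txt"
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# Legacy Base58 bitcoin address (1... or 3...), enough for the wallet quoted in the note
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")

def parse_note(text):
    low = text.lower()
    return {
        "btc_wallets": sorted(set(BTC_RE.findall(text))),
        "contacts": sorted(set(EMAIL_RE.findall(text))),
        # the unusual part of this family: it asks for RDP access plus admin credentials
        "demands_rdp": "rdp" in low and "admin" in low,
    }

def scan_tree(root):
    """Walk a directory tree; report encrypted files, contact addresses and parsed notes."""
    root = Path(root)
    encrypted, contacts, notes = [], set(), []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.name == NOTE_NAME:
            notes.append(parse_note(path.read_text(errors="replace")))
            continue
        m = ENCRYPTED_RE.match(path.name)
        if m:  # renamed file: record it and the contact address embedded in the name
            encrypted.append(path.relative_to(root).as_posix())
            contacts.add(m.group("contact"))
    return {"encrypted_files": sorted(encrypted), "contacts": sorted(contacts), "notes": notes}
# Constructed sample note: placeholder e-mail, wallet as quoted in the article
SAMPLE_NOTE = """Write back to our e-mail: contact@example.net
2. [IP_ADDRESS]:PORT(rdp) of infected machine
3. Username:Password with admin rights
4. Time when you have paid 0.1 btc to this bitcoin wallet: 35M1ZJhTaTi4iduUfZeNA75iByjoQ9ibgF
"""
def demo():
    """Build a constructed sample tree (not a real infection) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "report.docx.[contact@example.net].CommonRansom").write_bytes(b"\0")
        (root / "budget.xlsx.[contact@example.net].CommonRansom").write_bytes(b"\0")
        (root / "clean.txt").write_text("untouched")
        (root / NOTE_NAME).write_text(SAMPLE_NOTE)
        return scan_tree(root)
```

Point scan_tree at a suspect share or volume; the contact addresses and wallets it returns are what you would add to blocklists and ticket notes, and demands_rdp is the cue that nobody should be following the note's instructions.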
Ransom Note Text:
+-----------------------+
¦----+CommonRansom+-----¦
+-----------------------+

Hello dear friend,
Your files were encrypted!
You have only 12 hours to decrypt it
In case of no answer our team will delete your decryption password
Write back to our e-mail: firstname.lastname@example.org
In your message you have to write:
1. This ID-[VICTIM_ID]
2. [IP_ADDRESS]:PORT(rdp) of infected machine
3. Username:Password with admin rights
4. Time when you have paid 0.1 btc to this bitcoin wallet: 35M1ZJhTaTi4iduUfZeNA75iByjoQ9ibgF
After payment our team will decrypt your files immediatly
Free decryption as guarantee:
1. File must be less than 10MB
2. Only .txt or .lnk files, no databases
3. Only 5 files
How to obtain bitcoin:
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
https://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
http://www.coindesk.com/information/how-can-i-buy-bitcoins/