The world's dumbest ransomware!


A new ransomware called CommonRansom has been discovered that makes a very bizarre request. In order to decrypt a computer after payment is made, the attackers require the victim to open up Remote Desktop Services on the affected computer and send them admin credentials so that they can decrypt the victim's files. Yup, you read that right: let's give access to an infected machine over RDP! Just brilliant...

CommonRansom was discovered by Michael Gillespie after a victim uploaded a ransom note and an encrypted file to his ID Ransomware service.

When encrypting a victim’s computer, it will append the .[old@nuke.africa].CommonRansom extension to encrypted files. It will also create a ransom note named DECRYPTING.txt, which is displayed below.
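A small scanner for the two file-system indicators just described (the appended extension and the DECRYPTING.txt note), added here as an example and not code from the original post. It builds its own constructed sample tree in a temp directory so it runs offline, and the regex is an assumption that generalises the extension to any "[email].CommonRansom" shape rather than only the address seen here:

```python
import os
import re
import tempfile

# IOCs taken from the write-up: the appended extension and the ransom note name.
COMMONRANSOM_EXT = ".[old@nuke.africa].CommonRansom"
RANSOM_NOTE_NAME = "DECRYPTING.txt"
# Assumption: other samples might swap in a different contact address, so match
# the general "<original name>.[<email>].CommonRansom" shape and capture both parts.
EXT_PATTERN = re.compile(r"^(?P<orig>.+)\.\[(?P<email>[^\]]+)\]\.CommonRansom$")

def classify_name(name):
    """('note', None), ('encrypted', {...}) or None for a single file name."""
    if name == RANSOM_NOTE_NAME:
        return ("note", None)
    m = EXT_PATTERN.match(name)
    if m:
        return ("encrypted", {"original": m.group("orig"), "email": m.group("email")})
    return None

def scan_tree(root):
    """Walk a directory tree and collect ransom notes, encrypted files and contact emails."""
    hits = {"notes": [], "encrypted": [], "emails": set()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            verdict = classify_name(name)
            if verdict is None:
                continue
            path = os.path.join(dirpath, name)
            if verdict[0] == "note":
                hits["notes"].append(path)
            else:
                hits["encrypted"].append(path)
                hits["emails"].add(verdict[1]["email"])
    return hits

def build_sample_tree():
    """Constructed sample: two encrypted files, one ransom note and one untouched file."""
    root = tempfile.mkdtemp(prefix="commonransom_demo_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    names = ["report.docx" + COMMONRANSOM_EXT, "budget.xlsx" + COMMONRANSOM_EXT,
             RANSOM_NOTE_NAME, "notes.txt"]
    for name in names:
        with open(os.path.join(docs, name), "w") as fh:
            fh.write("sample content\n")  # contents do not matter for a name-based scan
    return root

if __name__ == "__main__":
    result = scan_tree(build_sample_tree())
    print(len(result["encrypted"]), "encrypted,", len(result["notes"]), "notes,", sorted(result["emails"]))
```

Point `scan_tree` at a mounted image of a suspect host rather than the demo tree to triage it; the collected email addresses tell you which variant you are looking at.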

Figure: Redacted CommonRansom ransom note

In this ransomware’s bizarre request, the attacker is telling victims to pay 0.1 btc and then send an email to old@nuke.africa with the following information:

1. This ID-[VICTIM_ID]
2. [IP_ADDRESS]:PORT(rdp) of infected machine
3. Username:Password with admin rights
4. Time when you have paid 0.1 btc to this bitcoin wallet:
35M1ZJhTaTi4iduUfZeNA75iByjoQ9ibgF

This is where it gets crazy: sure, Mr. Cyber Criminal whom I trust 100%, go right ahead and take admin rights in my environment!

While we have not been able to find a sample of the actual ransomware as of yet, the one ransom note we have seen is utilizing the 35M1ZJhTaTi4iduUfZeNA75iByjoQ9ibgF bitcoin address, which has seen some activity in the past.

Figure: Bitcoin transactions for the 35M1ZJhTaTi4iduUfZeNA75iByjoQ9ibgF address

Of particular interest is a transaction of 65 bitcoins being sent from this address to the 1CnCfvUTFQf11QNeBEpk29rRXfNFg75R9n bitcoin address, which has received over 11,000 bitcoin addresses. The 1CnCfvUTFQf11QNeBEpk29rRXfNFg75R9n address could be used as a mixer to make it harder for law enforcement to track these bitcoins.

When we locate a sample of this ransomware, we will update this article with more information.

IOCs

Associated Files:

DECRYPTING.txt

Ransom Note Text:

+-----------------------+
¦----+CommonRansom+-----¦
+-----------------------+
Hello dear friend,
Your files were encrypted!
You have only 12 hours to decrypt it
In case of no answer our team will delete your decryption password
Write back to our e-mail: old@nuke.africa


In your message you have to write:
1. This ID-[VICTIM_ID]
2. [IP_ADDRESS]:PORT(rdp) of infected machine
3. Username:Password with admin rights
4. Time when you have paid 0.1 btc to this bitcoin wallet:
35M1ZJhTaTi4iduUfZeNA75iByjoQ9ibgF


After payment our team will decrypt your files immediatly


Free decryption as guarantee:
1. File must be less than 10MB
2. Only .txt or .lnk files, no databases
3. Only 5 files


How to obtain bitcoin:
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
https://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
http://www.coindesk.com/information/how-can-i-buy-bitcoins/
