
CryptoBot ransomware exposes its victims via Twitter


Ransomware that encrypts user files and demands money for decryption has plagued the Internet for years. This October, however, it raged in earnest, apparently having made a new evolutionary leap in automation. Earlier in the month, employees of Australia's largest broadcaster, ABC, as well as the country's postal and other public services, suffered a mass infection by a file-encrypting trojan. In the middle of the month, more than 100,000 Americans were infected with a file-encrypting virus through banner ads shown on YouTube.

And in the last days of October a dangerous file-encrypting trojan became active in the Russian segment of the Internet. Users receive a malicious file by e-mail: a 2.5 KB obfuscated JavaScript file (MD5 ea834605f6bee2d4680aae0936655a30). When launched, the trojan downloads additional components from the Internet and runs them.

A description of the virus is available on VirusTotal, and a deobfuscated version of the script is given there in the comments. Note that the file was uploaded to the service repeatedly on October 29 and 30, 2014.


This is what the names of the infected files arriving by e-mail look like: they mostly pose as business documents and, moreover, claim to have been scanned by an antivirus (Avast.Scanned.OK).


After the user opens the attachment and runs the malicious script, they are informed that their documents, photos, databases and other important files "were encrypted using the RSA-1024 cryptographic algorithm."


Next, the user is offered detailed instructions for rescuing their digital assets, which come down to the following set of actions:

  1. Your files are encrypted. Send us an e-mail with KEY and UNIQUE within 24 hours.
  2. Find KEY.PRIVATE and UNIQUE.KEY on your PC, take a couple of encrypted files and send them to paycrypt@gmail.com.
  3. After some time you will receive a reply with guarantees, instructions and the price. Visit our Twitter and see that everyone gets their keys. After payment you will receive the decryption key, software and decryption instructions.

The most interesting part of these instructions is step 3, which points to a Twitter account that publicly discloses the e-mail addresses of the attack's victims. This not only lets the attackers keep monetizing the victims (for example, by sending spam to their addresses, some of which are work e-mail addresses), but can also cause significant reputational damage to the victims.

In particular, some researchers have already begun analyzing the list of victims; it turned out to include many IT companies, among them some that are themselves in the information security business.

As in most e-mail attacks, the malware versions used here were not detected by most antivirus products at the time of the attack. For this reason, experts at Positive Technologies advise against opening messages with unexplained attachments, even from familiar senders. At the infrastructure level, in addition to antivirus solutions, it is recommended to use specialized sandboxes to check incoming mail, and to restrict the receipt of e-mail attachments containing executable code, including inside archives.
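The attachment restriction recommended above can be implemented at the mail gateway. The following Python check is an added example written for this page; it is not code from the Habr post or from Positive Technologies. It refuses attachments with executable extensions, looks inside ZIP archives (including nested ones, up to a depth limit), flags lure names of the kinds described earlier ("Invoice.pdf.js", or names advertising an antivirus verdict like "Avast.Scanned.OK"), and matches the attachment's MD5 against the indicator given in the post. The extension lists and all sample file names and contents are constructed for the example.

```python
"""Mail-gateway attachment check (added example, not the post's own code).

Blocks attachments that carry executable code, also inside (nested) ZIP
archives, flags decoy names, and matches MD5 against a small indicator set.
Extension lists are assumptions; sample inputs are constructed.
"""
import hashlib
import io
import zipfile
from typing import Dict, List, Set

# Extensions a gateway should treat as executable content (assumed list).
EXECUTABLE_EXTENSIONS = {
    "js", "jse", "vbs", "vbe", "wsf", "wsh", "hta", "exe", "scr", "com",
    "bat", "cmd", "ps1", "pif", "jar", "msi", "dll", "cpl", "lnk",
}
# Extensions attackers place before the real one to look like a document.
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}
# Name fragments that mimic an antivirus verdict, as in "Avast.Scanned.OK".
AV_BADGE_TOKENS = {"scanned", "ok", "avast"}
# MD5 of the obfuscated JavaScript dropper, as given in the post.
KNOWN_BAD_MD5: Set[str] = {"ea834605f6bee2d4680aae0936655a30"}
MAX_ZIP_DEPTH = 3              # do not unpack archives nested deeper than this
MAX_MEMBER_BYTES = 50_000_000  # refuse to inflate a single member beyond this


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def name_findings(name: str) -> List[str]:
    """Findings based only on the file name."""
    parts = name.lower().split(".")
    findings: List[str] = []
    if len(parts) < 2:
        return findings
    ext = parts[-1]
    if ext in EXECUTABLE_EXTENSIONS:
        findings.append(f"executable extension .{ext}")
        # "Invoice.pdf.js": a document extension hidden before the real one
        if any(p in DOCUMENT_EXTENSIONS for p in parts[1:-1]):
            findings.append("document extension used as a decoy before the real one")
    if AV_BADGE_TOKENS & set(parts[1:-1]):
        findings.append("name advertises an antivirus scan verdict")
    return findings


def inspect(name: str, data: bytes, ioc_hashes: Set[str] = KNOWN_BAD_MD5,
            depth: int = 0) -> List[str]:
    """Return the reasons to block this attachment; an empty list means clean."""
    findings = [f"{name}: {f}" for f in name_findings(name)]
    if md5_hex(data) in ioc_hashes:
        findings.append(f"{name}: MD5 matches a known indicator")
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    if depth >= MAX_ZIP_DEPTH:
        findings.append(f"{name}: archive nested deeper than {MAX_ZIP_DEPTH} levels")
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            member = f"{name}/{info.filename}"
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append(f"{member}: member too large to inspect")
                continue
            findings.extend(inspect(member, zf.read(info), ioc_hashes, depth + 1))
    return findings


def should_block(name: str, data: bytes, ioc_hashes: Set[str] = KNOWN_BAD_MD5) -> bool:
    return bool(inspect(name, data, ioc_hashes))


def build_zip(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP; used to construct sample archives."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a script zipped under a "scanned document" name.
    script = b"var s = 'stand-in for the obfuscated dropper';"
    lure = build_zip({"Contract_2014-10-29.Avast.Scanned.OK.js": script})
    for finding in inspect("Documents.zip", lure):
        print("BLOCK", finding)
    print("plain PDF blocked?", should_block("Invoice.pdf", b"%PDF-1.4 sample"))
```

The depth and size limits matter as much as the extension list: without them an attacker can hide the script under several archive layers or make the gateway inflate a huge member, so the check bounds its own work and treats "could not inspect" as a reason to block rather than as clean.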

Source: https://habr.com/ru/post/242027/