Saturday, May 5, 2018

Vietnamese ransomware wants you to add credit to a mobile phone


In this quick blog post we'll have a look at BKRansomware, a Vietnamese ransomware that wants you to top up its phone.

Update: 2018-05-06, scroll down for the update, added to the conclusion.


Analysis

This ransomware is named "BKRansomware" based on the file name and debug path. Properties:

BKRansomware will run via command line and displays the following screen:

Figure 1 - Ransom message

The ransomware message is very brief, and displays:

send 50k viettel to 0963210438 to restore your data

Viettel is a form of credit for mobile phones, used in Vietnam and neighboring countries. It is part of "Viettel Group" (Tập đoàn Công nghiệp Viễn thông Quân đội in Vietnamese), a mobile network operator in Vietnam. (Wiki link). 

As such, it appears the creators are in desperate need of more credit so they can make calls again :)


It only encrypts a small amount of extensions:


Figure 2 - extensions to encrypt

The list is as follows:

.txt, .cpp, .docx, .bmp, .doc, .pdf, .jpg, .pptx, .png, .c, .py, .sql

Encrypted files will have the .hainhc extension appended. Fun note: files aren't actually encrypted, but encoded with ROT23. For example, if you have a text file which says "password", the new content or file will now have "mxpptloa" instead.

Noteworthy is the debug path: 

C:\Users\Gaara\Documents\Visual Studio 2013\Projects\BKRansomware-20180503T093651Z-001\BKRansomware\Release\BKRansomware.pdb

The extension mentioned above, "hainhc" may refer to the following handle or persona on Whitehat VN, a Vietnamese Network security community:
https://whitehat.vn/members/hainhc.59556/



Conclusion

While BKRansomware is not exactly very sophisticated, it is able to encrypt (or rather encode) files, and is unique in the sense that it asks you to top up a mobile phone.

Update: it appears this is a ransomware supposedly used for testing purposes, for both coding and testing VirusTotal detections. However, there seems to be a lot of "testing" going on, including keyloggers. Draw your own conclusions.

Follow the prevention tips here to stay safe.



IOCs


4 comments:

  1. It's my demo project, to test AV technology in virustotal site. I don't use it to attack anyone, change your title, please. ( sorry for my english)

    ReplyDelete
    Replies
    1. I will amend the title. Thanks for your feedback.

      Delete
  2. It is not writen to attack any user. It is just a demo for ransomware in our course. Please change your title of post.

    ReplyDelete
  3. Learning a lot? don't you? C:\Users\Gaara\Documents\Visual Studio 2013\Projects\BKRansomware-20180503T093651Z-001\BKRansomware\Release\BKRansomware.pdb
    C:\Users\Gaara\Desktop\Debugme\Release\DebugMe.pdb
    c:\Users\Gaara\Desktop\Transfer\Transfer\obj\Release\Transfer.pdb
    C:\Users\Gaara\documents\visual studio 2013\Projects\Explorer\Release\Explorer.pdb
    C:\Users\Gaara\Documents\Visual Studio 2013\Projects\KeyLog\Release\KeyLog.pdb
    c:\users\gaara\documents\visual studio 2013\Projects\BKRansomware\Release\BKRansomware.pdb
    C:\Users\Gaara\Documents\Visual Studio 2013\Projects\BKRansomware-20180503T093651Z-001\BKRansomware\Release\BKRansomware.pdb
    c:\Users\Gaara\Documents\Visual Studio 2013\Projects\Ethereum\Transfer\obj\Release\Transfer.pdb

    sha1
    2fdab5d7bfea65ac98ad8a55ee752361a2787f52
    6f36c02161a83a3683921fc73319474157f4fb92
    239a496fd521708b539bd23a7ed0b7b4c2764b60
    cac363b909160b0c1b6e7b0156ad800aa7e568e1
    9135cd7cebefdb79ef6fc21d5fdea5b170689508
    f44fd9be23a262bd4cd273c7fe714b9ad2c2f508
    eb5e0506dd6ba21d46921e9543b7b9d3270ded82
    7e2749ca4a5334ac6654ad65dd4a19586e951970
    83a1ce623fc975c3dcd3f4e902d05f93c58a16f7

    ReplyDelete