PSCrypt is ransomware first discovered last year, in 2017, targeting users and organisations alike in Ukraine, and the malware itself is based on GlobeImposter ("GI") ransomware.I've written about PSCrypt in the past, when it was distributed via Crystal Finance Millenium's hacked website: Crystal Finance Millennium used to spread malwareIn this quick blog post, we'll take a look at the latest iteration of PSCrypt.AnalysisA file named "xls.scr", which sports a fancy "energy" or "power" icon is responsible for loading PSCrypt on the machine, and was spread via a phishing campaign.Figure 1 - IconThe ransomware has the following properties:MD5: aec5498f95a19ac143534283592544b4SHA1: 351d043a0955714031d1989e00d9fe3b84eaa823SHA256: 43584bfb791047af592c883b8707289137082f024a851b082762d3100f1f0941Compilation timestamp: 2018-04-24 00:15:26VirusTotal report:43584bfb791047af592c883b8707289137082f024a851b082762d3100f1f0941As mentioned earlier, PSCrypt is based on GlobeImposter and as such, has very similar functionality.The following folders are excluded from being encrypted:Avast, Avira, COMODO, Chrome, Common Files, Dr.Web, ESET, Internet Explorer, Kaspersky Lab, McAfee, Microsoft, Microsoft Help, Microsoft Shared, Microsoft.NET, Movie Maker, Mozilla Firefox, NVIDIA Corporation, Opera, Outlook Express, ProgramData, Symantec, Symantec_Client_Security, Windows, Windows App Certification Kit, Windows Defender, Windows Kits, Windows Mail, Windows Media Player, Windows Multimedia Platform, Windows NT, Windows Phone Kits, Windows Phone Silverlight Kits, Windows Photo Viewer, Windows Portable Devices, Windows Sidebar, WindowsPowerShell, Wsus, YandexBrowser, ntldr, spytech software, sysconfig, system volume informationThis iteration of PSCrypt will encrypt all files, including executables, except those files with the following extensions:.$er,.4db,.4dd,.4d,.4mp,.abs,.abx,.accdb,.accdcAs usual, a temporary batch file will be used to clear Volume Shadow Copies as well as Event Logs:Figure 2 - Batch fileWhat's new in this iteration of PSCrypt is not only the changes implemented by/via GlobeImposter ransomware, but also the ransom note itself, as noted in Figure 3 and 4 below:Figure 3 - Ransomware note, part 1Figure 4 - Ransomware note, part 2The title of the ransom note is "Ваші файли тимчасово зашифрувати! Не хвилюйтесь!", which translates to "Your files are temporarily encrypted! Do not worry!".The Ukrainian version is rather lenghty, and is as follows:☠ ВАШІ ФАЙЛИ ТИМЧАСОВО НЕДОСТУПНІ.☠ВАШІ ДАНІ БУЛИ ЗАШІВРОВАННИ!Для відновлення даних потрібно дешифратор.Щоб отримати дешифратор, ви повинні, оплатити послуги розшифровки:Оплата відбувається за коштами біткойн на кошелек № 1EoWxYTt7xCskTxjm47E2XNxgkZv1anDP9Вартість послуги складає 150$Оплату можна провести в терміналі IBox. або виберіть один з обмінних сайтів на сторінці - https://www.bestchange.ru/privat24-uah-to-bitcoin.html (приклад обмін Приват24 на BTC) також можете скористатися послугами https://e-btc.com.uaДодаткова інформація:Програма можемо дешифрувати один файл як доказ того, що у неї є декодер. Для цього необхідно надіслати зашифрований файл - вагою не більше 2 mb, и ваш уникальный идентификационный код, на пошту: systems32x@gmail.comБолее детальная инструкция по оплате: https://btcu.biz/main/how_to/buyУвага!Всі файли розшифровуються тільки після 100% оплатиВи дійсно отримуєте дешифратор після оплатиНе намагайтеся видалити програму або запустити антивірусні інструменти це може ускладнити вам роботуСпроби самодешіфрованія файлів приведуть до втрати ваших данихДекодери інших користувачів не сумісні з вашими даними, оскільки унікальний ключ шифрування кожного користувача.За запитом користувачів, надаємо контакти клієнтів, які вже користувалися послугами нашого сервісу.ОБОВ'ЯЗКОВО ЗАПИШІТЬ РЕЗЕРВНІ КОНТАКТИ ДЛЯ ЗВ'ЯЗКУ:systems32x@gmail.com - основнийsystems32x@yahoo.com - резервнийДодаткові контакти:systems32x@tutanota.com - (якщо відповіді не прийшло після 24-х годин)help32xme@usa.com - (якщо відповіді не прийшло після 24-х годин)Additional.mail@mail.com - (якщо відповіді не прийшло після 24-х годин)З повагоюUnlock files LLC33530 1st Way South Ste. 102Federal Way, WA 98003United StatesGoogle Translation, so pretty loose - I've made some minor corrections however:☠ YOUR FILES ARE TEMPORARILY UNAVAILABLEYOUR DATA WAS LOCKED!To restore data you need a decoder.To receive a decoder, you must pay for decoding services:Payment is made at the expense of bitcoin to wallet number 1EoWxYTt7xCskTxjm47E2XNxgkZv1anDP9Service cost is $ 150Payment can be made at the terminal IBox. or select one of the exchange sites on the page - https://www.bestchange.ru/privat24-uah-to-bitcoin.html (example exchange of Privat24 to the BTC), you can also use the services of https://e-btc.com.ua.Additional Information:The program can decrypt one file as proof that it has a decoder. To do this, you need to send an encrypted file weighing no more than 2 mb and your unique identification code by mail: systems32x@gmail.comMore detailed payment instructions: https://btcu.biz/main/how_to/buyWARNING!All files are decrypted only after 100% paymentYou really get a decoder after paymentDo not try to uninstall a program or run antivirus tools, which can complicate your workAttempts to self-decrypt files will result in the loss of your dataOther users' decoders are not compatible with your data, as the unique encryption key for each user.At the request of users, we provide contact with customers who have already used the services of our service.MUST REQUEST BACK TO CONTACTS FOR CONNECTION:systems32x@gmail.com - basicsystems32x@yahoo.com - backupAdditional contacts:systems32x@tutanota.com - (if the answer did not arrive after 24 hours)help32xme@usa.com - (if the answer did not arrive after 24 hours)Additional.mail@mail.com - (if the answer did not arrive after 24 hours)The English version is rather short and to the point:ALL DATA IS ENCRYPTED!For decoding, write to the addresses:systems32x@gmail.com - Basic systems32x@yahoo.com - backup Additional contacts: systems32x@tutanota.com - (if the answer did not arrive after 24 hours) help32xme@usa.com - (if the answer did not arrive after 24 hours) Additional.mail@mail.com - (if the response did not arrive after 24 hours) The cost for restoring service is, interestingly enough, expressed in US dollars this time ($150), as opposed to Ukrainian currency in a previous iteration.However, the images which included IBox instructions (as payment method) have been removed, and while IBox is still suggested as a service, there's also a new website introduced to pay via Bitcoin using E-BTC. E-BTC is a Ukrainian service which is "the most reliable and simple service for buying and selling Bitcoins and also the best partner for entering and withdrawing funds to the WEX stock exchange."It also promises full anonymity.Back to the ransomware. Encrypted files will have the .docs extension appended, for example Jellyfish.jpg becomes Jellyfish.jpg.docs.Ransom note: .docs document.htmlBTC Wallet: 1EoWxYTt7xCskTxjm47E2XNxgkZv1anDP9Emails: systems32x@gmail.com, systems32x@yahoo.com, systems32x@tutanota.com, help32xme@usa.com, Additional.mail@mail.comExtension: .docsFortunately, it appears no payments have been made as of yet: 1EoWxYTt7xCskTxjm47E2XNxgkZv1anDP9ConclusionThe last iteration of PSCrypt was observed in 2017, but it appears it has now returned to try and coerce users and organisations to pay the ransomware.As usual, follow the prevention tips here to stay safe, but the rule of thumbs are as always:Do not pay, unless there is imminent danger of lifeCreate regular backups, and do not forget to test if they workIOCs follow below.IOCs