Vietnamese ransomware wants you to add credit to a mobile phone
In this quick blog post we’ll have a look at BKRansomware, a Vietnamese ransomware that wants you to top up its phone.
Update: 2018-05-06, scroll down for the update, added to the conclusion.
Analysis
This ransomware is named “BKRansomware” based on the file name and debug path. Properties:
- MD5: 892da86e60236c5aaf26e5025af02513
- SHA1: 6f36c02161a83a3683921fc73319474157f4fb92
- SHA256: c23f695a19346bf3a5b21fb5a281771808953930d8dcb0a359f163ba0329305f
- Compilation timestamp: 2018-05-03 10:04:35
- VirusTotal report:
c23f695a19346bf3a5b21fb5a281771808953930d8dcb0a359f163ba0329305f
Figure 1 – Ransom message |
The ransomware message is very brief, and displays:
send 50k viettel to 0963210438 to restore your data
Viettel is a form of credit for mobile phones, used in Vietnam and neighboring countries. It is part of “Viettel Group” (Tập đoàn Công nghiệp Viễn thông Quân đội in Vietnamese), a mobile network operator in Vietnam. (Wiki link).
.txt, .cpp, .docx, .bmp, .doc, .pdf, .jpg, .pptx, .png, .c, .py, .sql
Encrypted files will have the .hainhc extension appended. Fun note: files aren’t actually encrypted, but encoded with ROT23. For example, if you have a text file which says “password”, the new content or file will now have “mxpptloa” instead.
C:\Users\Gaara\Documents\Visual Studio 2013\Projects\BKRansomware-20180503T093651Z-001\BKRansomware\Release\BKRansomware.pdb
https://whitehat.vn/members/hainhc.59556/
Update: it appears this is a ransomware supposedly used for testing purposes, for both coding and testing VirusTotal detections. However, there seems to be a lot of “testing” going on, including keyloggers. Draw your own conclusions.
IOCs
*** This is a Security Bloggers Network syndicated blog from Blaze's Security Blog authored by Bart. Read the original post at: https://bartblaze.blogspot.com/2018/05/vietnamese-ransomware-wants-you-to-add.html