
A rather anonymous account reached out to me on Twitter asking to check out a “scary & really nasty” sample.
It turned out to be RedEye ransomware, a new strain or variant by the same creator of Annabelle ransomware, which I discovered in February earlier this year.
Analysis
This ransomware is named “RedEye” by the author “iCoreX“.
Properties:
- MD5: 832090ba6fe32a3c7c36dbd76f270215
- SHA1: 804b8e85f38de8b82a961401836ccec5880342e6
- SHA256: 1a8b7a6547b743ea01bb0ac057c91228c10dc8f99562ce2b06e25893161776bb
- Compilation timestamp: 2018-05-03 10:04:35
- VirusTotal report:
1a8b7a6547b743ea01bb0ac057c91228c10dc8f99562ce2b06e25893161776bb
- child.wav
- redeye.wav
- suicide.wav
- MD5: 878a10cda09fec2cb823f2b7138b550e
- SHA1: db44dae60c12853cdbe62ec9f7b3493a897e519a
- SHA256: f96ed49ab1a5b4e2333fee30c42b2ae28dc5bc74fa02b9c6989e5c0159cfffd7
- Compilation timestamp (Delphi): 1992-06-19 22:22:17
- Compilation timestamp (Actual): 2018-06-04 14:23:36
- VirusTotal report:
f96ed49ab1a5b4e2333fee30c42b2ae28dc5bc74fa02b9c6989e5c0159cfffd7
Figure 1 – RedEye Ransomware |
All your personal files has been encrypted with an very strong key by RedEye!
(Rijndael-Algorithmus – AES – 256 Bit)
The only way to get your files back is:
– Go to http://redeye85x9tbxiyki.onion/tbxIyki – Enter your Personal ID
and pay 0.1 Bitcoins to the adress below! After that you need to click on
“Check Payment”. Then you will get a special key to unlock your computer.
You got 4 days to pay, when the time is up,
then your PC will be fully destroyed!
- Show encrypted files
- Decrypt files
- Support
- Destroy PC
Figure 2 – MBR lock screen |
The message reads as follows:
RedEye Terminated your computer!
The reason for that could be:
– The time has expired
– You clicked on the ‘Destroy PC’ button
There is no way to fix your PC! Have Fun to try it 🙂
My YouTube Channel: iCoreX <- :p="" br="" subscribe="">->Add me on discord!iCoreX#3333 <- account="" amp="" annabelle="" by="" creator="" discord.="" discord="" got="" i="" icorex="" jigsaw="" my="" named="" of="" old="" ransomware="" redeye="" terminated="">->
The author, iCoreX, claims to have created Jigsaw, Annabelle, and now the RedEye ransomware – whether the former is true or not, I’ll leave in the middle.
Details on the ransomware:
Extension: .RedEye
BTC Wallet: 1JSHVxXnGDydVXVamFW9AEmk3vk8cF8Vuj
Payment portal: (currently offline): http://redeye85x9tbxiyki[.]onion
If tools such as the registry editor are not working, run Rkill in safe mode first.
Then, Restore the MBR, and reinstall Windows.
You may also try to restore the MBR first, and consequently attempt to restore files using Shadow Volume Copies. For example, a tool such as Shadow Explorer can be of assistance, or read the tutorial here.
If that doesn’t work either, you may try using a data recovery program such as PhotoRec or Recuva
IOCs
*** This is a Security Bloggers Network syndicated blog from Blaze's Security Blog authored by Bart. Read the original post at: https://bartblaze.blogspot.com/2018/06/redeye-ransomware-theres-more-than.html