

Here’s how VPNs can be Exploited by Attackers
October 9, 2019
Rewterz Threat Alert – Attack Campaign Using Drupalgeddon2
October 10, 2019
Severity
High
Analysis Summary
A malicious file masquerading as a "Windows Security Scanner" is being distributed via spam. It demands a ransom even though it corrupts files beyond recovery. The file is delivered by a link in an email claiming that a virus has been detected on the victim's computer and that they need to run a security scanner. The link downloads a ZIP archive containing the main payload and several additional executables in a hidden folder. When run, the malware distracts the victim with a fake installation progress bar while, in the background, it targets files under the Users folder. Instead of implementing an encryption algorithm like most ransomware, this malware removes the first line of each targeted file. Because it treats every file as line-oriented text, that method corrupts any binary file (images, documents, archives, executables), whose header bytes are destroyed along with the "first line". The malware therefore behaves more like a wiper than ransomware: paying the requested ransom will not yield a decryption key, because no encryption took place and the removed data is not recoverable from the remaining file contents.
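The following Python script is an added illustration, not code from the original alert or from the malware itself. It models the damage described above so that responders can triage affected user directories. The `strip_first_line` function is an assumed interpretation of "removes the first line" (drop everything up to and including the first 0x0A byte, as a line-oriented text API would); the real sample's exact implementation is not reproduced here. The PNG, PDF, Office/ZIP and PE signatures are real magic bytes; the sample files and their names are constructed for the demo. `triage` flags files whose extension implies a binary format but whose header no longer matches, which is the quickest way to estimate how much of a Users folder is unrecoverable before deciding on restoration from backup.

```python
import os
from typing import Dict, List, Optional

# Real file signatures (magic bytes) for common user-data formats.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",      # note: the PNG signature itself contains 0x0A
    "jpeg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
    "ooxml/zip": b"PK\x03\x04",      # docx, xlsx, pptx, zip
    "pe": b"MZ",                     # exe, dll
}

# Extension -> expected signature family (only formats we can verify).
EXPECTED = {
    "png": "png", "jpg": "jpeg", "jpeg": "jpeg", "pdf": "pdf",
    "docx": "ooxml/zip", "xlsx": "ooxml/zip", "pptx": "ooxml/zip",
    "zip": "ooxml/zip", "exe": "pe", "dll": "pe",
}


def strip_first_line(data: bytes) -> bytes:
    """Assumed model of the malware's damage: delete bytes up to and including
    the first newline. A file with no newline is treated as a single line and
    emptied entirely (hypothetical edge-case behaviour, not confirmed)."""
    idx = data.find(b"\n")
    return b"" if idx < 0 else data[idx + 1:]


def detect_format(head: bytes) -> Optional[str]:
    """Return the signature family matching the file's leading bytes, if any."""
    for name, magic in MAGIC.items():
        if head.startswith(magic):
            return name
    return None


def is_corrupted(name: str, head: bytes) -> bool:
    """True when the extension promises a binary format whose magic is gone.
    Files with unknown extensions (e.g. .txt) cannot be judged by header."""
    ext = os.path.splitext(name)[1].lower().lstrip(".")
    expected = EXPECTED.get(ext)
    if expected is None:
        return False
    return detect_format(head) != expected


def triage(files: Dict[str, bytes]) -> List[str]:
    """Return the names of files whose headers no longer match their type."""
    return sorted(n for n, d in files.items() if is_corrupted(n, d[:16]))


def scan_tree(root: str) -> List[str]:
    """Walk a directory (e.g. a copy of C:\\Users) and triage every file."""
    found: Dict[str, bytes] = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    found[path] = fh.read(16)
            except OSError:
                continue  # unreadable file: skip, do not crash the scan
    return triage(found)


def build_samples() -> Dict[str, bytes]:
    """Constructed sample files standing in for a victim's Users folder."""
    dos_stub = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode.\r\r\n$"
    return {
        "photo.png": MAGIC["png"] + b"\x00\x00\x00\rIHDR" + b"\x00" * 8,
        "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n",
        "notes.txt": b"first line\nsecond line\n",
        "tool.exe": dos_stub + b"PE\x00\x00",
    }


if __name__ == "__main__":
    before = build_samples()
    after = {n: strip_first_line(d) for n, d in before.items()}
    print("intact files flagged:   ", triage(before))
    print("after 'first line' loss:", triage(after))
```

Run against a mounted image of the victim's profile with `scan_tree("/mnt/evidence/Users")`. Text files are not flagged because losing one line is not detectable by header; binary files are, and for those the stripped bytes are gone, so only backups or previous versions can restore them.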
Impact
File corruption / data loss (files are irrecoverably damaged rather than encrypted; no decryption key exists)
Indicators of Compromise
MD5
b594412c00331c12d15d9e18c02a778a
SHA256
02629729329cde8d1892afa1d412a75cfcc338826c0b5087a2ef3182b5a1af85
SHA1
697301b4aee6fd89bb655025d772b68ddc2756be
Remediation
- Block all threat indicators at your respective controls.
- Do not pay the ransom: no encryption was performed, so no key can restore the damaged files. Restore affected data from backups or shadow copies instead.
- Always be suspicious of emails from unknown senders, especially those claiming a virus has been detected and urging you to run a "scanner".
- Never click on links or open attachments sent by unknown senders.