On March 2, 2020, ASEC analysis team discovered a new ransomware that gets installed using Windows update screen. This ransomware uses the same packer as ransomware goes by the name of Bluecrab, Nemty, or Paradise for distribution, and the extension .rezm is added to the encrypted file.
Upon running the file, Fake Windows update file is downloaded and run from the addresses below. Then, a screen that pretends as Windows update screen pops up. When this happens, a ransomware is run and it starts infecting the user’s PC files.
The figure below shows a ransom note that is created under the name of _readme.txt.
Upon running the malware, RAPIT, the analysis team’s automatic analysis system, shows the process execution flow as below:
Externally downloaded files are created in the filepaths below, they perform features of granting the permission to the folder so that it does not get deleted. (Folder name is assumed to be variable for each user)
Granting access permission to malware creation folder
- icacls “C:\Users\%UserAccount%\AppData\Local\5a62d912-778b-4591-873d-4c9826534ff8” /deny *S-1-1-0:(OI)(CI)(DE,DC)
For more information, see the article below.
Users must take extra caution when opening a suspicious email or an attachment file and refrain from accessing untrusted websites.
AhnLab’s V3 products detect the ransomware under the following aliases:
- Malware/Win32.Generic (2020.03.02.01)