Ransomware Disguised as Password Cracker (Extension Changed to .NS1419)
The AhnLab SEcurity intelligence Center (ASEC) recently discovered ransomware being distributed disguised as a password cracker tool. Such tools are typically used in brute force attacks. A brute force attack tries every possible combination until the correct password is found, with the attacker repeatedly probing a system's authentication procedure to obtain passwords. This method is particularly effective against accounts with weak or short passwords, and it can be performed quickly using automated tools. Attackers distribute ransomware in the form of crack tools or hacking tools commonly sought by security researchers or hackers to lower users' guard and increase the chances of infection. Users must remain extra vigilant.
The recently discovered ransomware is built with PyInstaller and disguised as a password-stealing tool that prompts the user to enter a username and email, as shown in Figure 1. PyInstaller packages programs written in Python into stand-alone executable files (e.g., EXE).

Figure 1. Ransomware disguised as password cracker
Once the user enters a Username and Email, selects "Run as Admin" and clicks "START HACK (Admin Only)", the fake cracker prints a message in the terminal output window saying that the password cracking process has begun. In the background it also connects to a specific URL to retrieve what appears to be a key, which further reinforces the illusion of legitimacy. The directory from which encryption starts is "C:\" if the operating system is Windows; otherwise it is set to "/home".

Figure 2. Ransomware disguised as password cracker

Figure 3. Ransomware disguised as password cracker
Files are encrypted with the AES-256 algorithm in CFB mode. Because the key material is neither stored locally nor transmitted to the threat actor, the encrypted files are practically impossible to recover even if the victim follows the instructions in the ransom note and sends Bitcoin. The generated ransom note (snapReadme.txt), which demands Bitcoin, is shown below.

Figure 4. CFB mode of the AES-256 algorithm

Figure 5. Ransom note
The file extensions that are encrypted are shown in Table 1. Any file whose path contains the string "Program Files" or "Windows" is excluded from encryption. Additionally, if a ransom note file named "snapReadme.txt" does not yet exist in a directory, it is created there.

Figure 6. Defining extension and creating ransom note
| Target extensions | | | | | | | |
|---|---|---|---|---|---|---|---|
| .data | .epub | .gif | .md | .sql | .jpg | .rar | .txt |
| .mdb | .doc | .odp | .tar | .bmp | .htm | .sqlite | |
| .gz | .csv | .zip | .rtf | .ppt | .html | .accdb | .docx |
| .xlsm | .json | .ini | .xlsx | .png | .odt | .log | .db |
| .tsv | .ods | .bak | .pptx | .jpeg | .xls | .xml | |
Table 1. Extensions
Each file with a target extension, other than the ransom note "snapReadme.txt" itself, is read and its data encrypted. The encrypted data is written to a new file whose name is the original file name with ".NS1419" appended, and the original file is deleted once the write completes. A message is printed in the terminal output window according to whether the encryption succeeded, so that the activity continues to look like a brute-force password-guessing run.
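As an added example that is not code from ASEC or from the sample itself, the following Python script encodes the file-selection rules described in Table 1 and the paragraph above (target extensions, skipping paths containing "Program Files" or "Windows", skipping the ransom note) and uses them as a triage scanner: it walks a directory tree, reports files renamed with the ".NS1419" extension together with the byte entropy of their first block, lists "snapReadme.txt" ransom notes, and lists still-plain files the sample would target if run again. The demo tree it builds in a temporary directory is constructed for illustration, and case-insensitive extension matching is an assumption of the example.

```python
"""Triage scanner for the ".NS1419" ransomware described in the write-up.

Added example: not ASEC's code and not the sample's code. The demo tree
is constructed for illustration only.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extensions listed in Table 1.
TARGET_EXTENSIONS = frozenset({
    ".data", ".epub", ".gif", ".md", ".sql", ".jpg", ".rar", ".txt",
    ".mdb", ".doc", ".odp", ".tar", ".bmp", ".htm", ".sqlite",
    ".gz", ".csv", ".zip", ".rtf", ".ppt", ".html", ".accdb", ".docx",
    ".xlsm", ".json", ".ini", ".xlsx", ".png", ".odt", ".log", ".db",
    ".tsv", ".ods", ".bak", ".pptx", ".jpeg", ".xls", ".xml",
})
ENCRYPTED_EXTENSION = ".NS1419"   # appended to the original file name
RANSOM_NOTE = "snapReadme.txt"    # dropped in every directory the sample touches
EXCLUDED_PATH_STRINGS = ("Program Files", "Windows")  # substrings the sample skips


def is_target_file(path: str) -> bool:
    """True if the selection logic described in the write-up would encrypt `path`.

    The exclusion is a plain substring test on the full path, as reported.
    Case-insensitive extension matching is an assumption of this example.
    """
    if any(s in path for s in EXCLUDED_PATH_STRINGS):
        return False
    p = Path(path)
    if p.name == RANSOM_NOTE:   # the note is itself .txt, so it needs an explicit skip
        return False
    return p.suffix.lower() in TARGET_EXTENSIONS


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data`; AES-CFB ciphertext sits near 8.0, text far lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root: str, sample_bytes: int = 4096) -> dict:
    """Walk `root` and collect indicators: encrypted files (with the entropy of
    their first `sample_bytes`), ransom notes, and still-plain target files."""
    found = {"encrypted_files": [], "ransom_notes": [], "at_risk_files": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                found["ransom_notes"].append(full)
            elif name.endswith(ENCRYPTED_EXTENSION):
                with open(full, "rb") as fh:
                    head = fh.read(sample_bytes)
                # Low entropy here would mean the file was renamed but not encrypted.
                found["encrypted_files"].append((full, shannon_entropy(head)))
            elif is_target_file(full):
                found["at_risk_files"].append(full)
    return found


def build_demo_tree(base: str) -> None:
    """Create a small constructed tree: two hit directories, two excluded ones."""
    docs = Path(base, "Users", "victim", "Documents")
    pics = Path(base, "Users", "victim", "Pictures")
    for d in (docs, pics, Path(base, "Program Files", "app"), Path(base, "Windows")):
        d.mkdir(parents=True, exist_ok=True)
    (docs / "notes.txt").write_text("quarterly plan, still untouched\n")
    (docs / "archive.7z").write_bytes(b"7z\xbc\xaf\x27\x1c")      # not in Table 1
    (docs / "report.docx.NS1419").write_bytes(os.urandom(4096))   # stand-in ciphertext
    (docs / RANSOM_NOTE).write_text("constructed placeholder ransom note\n")
    (pics / "photo.jpg.NS1419").write_bytes(os.urandom(4096))     # stand-in ciphertext
    (pics / RANSOM_NOTE).write_text("constructed placeholder ransom note\n")
    Path(base, "Program Files", "app", "config.ini").write_text("[app]\n")  # excluded path
    Path(base, "Windows", "setup.log").write_text("ok\n")                   # excluded path


def run_demo() -> dict:
    """Build the demo tree in a temp dir, scan it, and return a summary with paths
    relative to the temp root (assumes the temp path itself contains neither
    "Program Files" nor "Windows")."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        found = scan_tree(tmp)

        def rel(p: str) -> str:
            return os.path.relpath(p, tmp).replace(os.sep, "/")

        return {
            "encrypted": sorted(rel(p) for p, _ in found["encrypted_files"]),
            "min_entropy": min(e for _, e in found["encrypted_files"]),
            "ransom_notes": sorted(rel(p) for p in found["ransom_notes"]),
            "at_risk": sorted(rel(p) for p in found["at_risk_files"]),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running `scan_tree` against a real volume gives an analyst three lists at once: what was already encrypted (a low entropy value on a ".NS1419" file is worth a second look, since genuine AES-CFB output is near 8 bits per byte), where ransom notes were dropped, and which files a second run would still hit. The substring exclusion is deliberately reproduced as a plain full-path test because that is how the write-up describes the sample's behaviour.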

Figure 7. File encryption

Figure 8. File encryption
When all target files have been encrypted, the following message is displayed in the terminal output: "Snapchat is hacked… Please read snapReadme.txt!". This message prompts the victim to read the ransom note.

Figure 9. Ransomware disguised as password cracker
Ransomware disguised as a popular password cracking tool is designed to minimize user suspicion and encourage execution, significantly increasing the risk of infection. Therefore, it is crucial to exercise caution. Programs offered on websites of unreliable origin should not be installed. Instead, software should be obtained only from official websites or other trusted sources.