A new form of ransomware attempts to trick victims into installing it with the lure of quickly profiting from cryptocurrency — before encrypting their files and demanding Monero for the decryption key.
‘SpriteCoin’ is advertised on forums as a new cryptocurrency which is “sure to be profitable” for users — when it is anything but. Those who fall for the scam — which is likely to have been designed to take advantage of the publicity around bitcoin and the blockchain — will find their Windows system infected with ransomware.
To add insult to injury, if the user infected user pays the 0.3 Monero (around $100 at the time of writing) ransom, they’re delivered additional malware with capabilities that certificate harvesting, image parsing, and the ability to activate the victim’s webcam.
Uncovered by researchers at Fortinet, SpriteCoin is advertised on forums and requires a degree of social engineering in order to successfully compromise targets. While many forms of ransomware are delivered through phishing emails, this form is delivered as a cryptocurrency wallet which the user is told contains SpriteCoin.
It’s one of the oldest cybercriminal tricks in the book: luring victims in with the prospect of a get quick rich scheme.
Once the user runs the .exe file, they’re asked to enter a wallet password, before being told that the file is downloading the blockchain. In reality, this isn’t happening at all: the ransomware is running the encryption routine, adding a ‘.encrypted’ suffix to any affected files.
The user’s Chrome and Firefox credential stores are raided during this process and sent to a remote website, likely putting passwords in the hands of the attackers.
Once the process is complete, the victim is presented with a ransom note, demanding a 0.3 Monero payment in order to retrieve their files. The note contains links to information about what Monero is, how to purchase it, and how to pay, as well as a warning that if the program is deleted the files will remain decrypted forever.
The ransom figure is low compared to many forms of ransomware, which now often demand payments of hundreds or thousands of dollars. It could be that the attackers ask for a relatively low ransom demand because SpriteCoin is a test for new ransomware delivery mechanisms.
“In this instance, it seems like the intent was not just about money. What we infer is that the intent is not about the amount of money, but possibly about proof of concept or testing new delivery mechanisms, and to see how many people would fall for it,” Tony Giandomenico, senior security researcher at Fortinet FortiGuard Labs, told ZDNet.
“This is very similar to when attackers would test to see how effective or fast a worm would spread before really launching it. This could be the same concept.”
Those behind the SpriteCoin ransomware attempt to offer the victim assurance that payment will result in the return of their files because “if we didn’t, you could tell others not to pay”, adding: “so trust us, will return your files”.
However, it seems unlikely that victims will actually get their documents back. If they do decide to pay up for the decryption key, what they actually receive is additional malware with the ability to activate webcams and parse certificates.
“The note is really encouraging the victim to ‘initiate payment of the ransom’ in order to get the secondary malicious payload dropped,” said Giandomenico.
While researchers haven’t been able to fully analyse this malware, it’s unlikely that suffering from additional compromises can be anything but bad for the victim.
SpriteCoin isn’t the first form of ransomware to ask for payment in Monero. The popularity of bitcoin — and the associated increase in transaction fees and delays receiving payments — is causing problems for cybercriminals who use it to collect ransom demands.
As a result, some ransomware distributors are shifting their business model away from bitcoin and to other cryptocurrencies like Monero.
RECENT AND RELATED COVERAGE
‘Magniber’ ransomware could potentially be an experiment by people behind the Cerber ransomware family.
New payload bundled within Necurs botnet attacks allows those carrying out malicious campaigns to check if they’re working and improve updates.
Attackers behind new ransomware campaign are offering a “really easy” tutorial video in order to ensure they make money from their criminal activities.