
The SonicWall Capture Labs Threat Research team has recently observed a ransomware threat known as Amnesia. As SonicWall predicted previously, the trend of rising ransom demands has continued. This time last year, ransom demands for file decryption averaged only a few hundred US dollars. Most ransomware today has raised this amount to around 1 Bitcoin ($2629 at the time of writing this alert), as is the case with the Amnesia ransomware.
Infection Cycle:
The Trojan makes the following DNS request:
iplogger.info
The Trojan adds the following files to the filesystem:
All files that have been encrypted use the following filenaming convention:
The Trojan adds the following keys to the registry, the first of which is a unique ID for the infection:
The Trojan can be seen using mshta.exe to run JavaScript as part of its infection process:

The infection is reported to the operators by using iplogger.info. The response is a PNG file containing a single pixel:
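The two host-visible behaviours described above, mshta.exe launching an inline script and the beacon lookup to iplogger.info, can be turned into a simple detection over endpoint telemetry. This is an added example, not code from SonicWall or from the alert; the key=value log format, the hostnames and the command lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs), loosely modelled on endpoint
# process-creation and DNS-query events. Quoted values may contain spaces.
SAMPLE_LOG = """\
type=process host=ws01 image="C:\\Windows\\System32\\mshta.exe" cmdline="mshta.exe javascript:eval('...')"
type=dns host=ws01 query=iplogger.info
type=process host=ws02 image="C:\\Windows\\System32\\mshta.exe" cmdline="mshta.exe C:\\Users\\bob\\help.hta"
type=dns host=ws03 query=cdn.example.test
type=dns host=ws02 query=sub.iplogger.info
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
BEACON_DOMAINS = {"iplogger.info"}          # logging service named in the alert
SCRIPT_PROTOCOLS = ("javascript:", "vbscript:")  # inline-script forms mshta accepts

def parse_event(line):
    """Turn one key=value line into a dict; quoted values keep their spaces."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}

def domain_matches(query, watched):
    """True if the queried name is one of the watched domains or a subdomain."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in watched)

def detect(log_text):
    """Return (alerts per host, hosts showing both behaviours)."""
    alerts = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("type") == "process":
            image = ev.get("image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
            cmd = ev.get("cmdline", "").lower()
            # mshta.exe opening a local .hta is common; an inline script URI is not
            if image == "mshta.exe" and any(p in cmd for p in SCRIPT_PROTOCOLS):
                alerts[ev["host"]].append("mshta_inline_script")
        elif ev.get("type") == "dns" and domain_matches(ev.get("query", ""), BEACON_DOMAINS):
            alerts[ev["host"]].append("beacon_dns_lookup")
    # A host showing both behaviours matches the chain described in the alert
    chained = sorted(h for h, a in alerts.items()
                     if {"mshta_inline_script", "beacon_dns_lookup"} <= set(a))
    return dict(alerts), chained

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

The DNS rule on its own only says that someone on the host resolved the logger service; the correlation with the mshta.exe launch is what gives the alert its weight.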

The following text file is displayed on the screen:

We received the following email after following the instructions in the text file:

As there was no transaction history for the Bitcoin address (12X4P7HVpuhP535uTkETecGvZrV7A7T3oL), it is safe to assume that multiple Bitcoin addresses are used rather than a single address.
The Trojan disabled our ability to reboot the system when run on Windows XP:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures: