Zapium Ransomware increases pressure to pay up!

The SonicWall Capture Labs Threat Research Team have observed a variant of the Jigsaw Ransomware trojan in the wild called Zapium. Like most ransomware there is a time limit after which files are permanently lost. We have observed the Jigsaw ransomware as having a limit of around one hour. However, Zapium will delete one file every 5 minutes thus increasing the pressure to act!

Infection Cycle:

Upon execution the Trojan encrypts files on the system then displays the following message:

• %AppData%LocalDrpbxdrpbx.exe
• %AppData%RoamingFrfxfirefox.exe
• %AppData%RoamingSystem32WorkAddress.txt (bitcoin address to send payment to)
• %AppData%RoamingSystem32Workdr (contains text: "21")
• %AppData%RoamingSystem32WorkEncryptedFileList.txt (list of files encrypted)

The Trojan adds the following keys to the registry:

• HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun firefox.exe "%AppData%RoamingFrfxfirefox.exe"

The UI contains an option to view a list of encrypted files and also files that have been permanently deleted:

The binary contains the following list of bitcoin addresses:

125RrXD8jULtcnszHZGyiESYrpns6cSe16
12F9p9WWoLCN8rHtidqutBeVMxLUZns4ZB
12hPkgUxCJTYE71Q1dhVGcjS2G34dMGbjq
134ASGd32EBVAtJ3hyUyGMjaLi2P6sxDk1
136nTvjTVgvYzDasu1ZREaVfAry4FXMiLV
136UCwpSzGHd4fGsvKBvJCc9aJnWBWS3CJ
13aQpBtt4n62SB7ppAFMTu5eEnyNKcJxNE
13h8twBhFvZpHm6LBBzEXNiB1zv4dhR9nB
13TBNzG8CLToXZ5Rh2w6v5qZBwLHyUWh8N
14ediHbQw3239ruucgWdi3rUNGscZtJG5j
14hgTiDfpQVHfkSFDJ1RnUF2TcEwCfgd1q
14NEEhsZkKbjjMogRgQwNw6n6yhgCRHKoT
14ZEt4LeJDNXqKyUpU2fP7rL9DhrfyTEwF
153A5bbfuuMCAN1zdTsijvqAHAqtsx9i4f
15e9J8LC1wYERpR8g2nTCq2SxEeBYTGSzP
15FVgRHfKTPghYW5yvr6ZAasA3ynRLsVqB
15kjcYbpRQFqYSJPCVqKoziQEWJ872ifEr
168YhbnrimYPmvmsRszjGoe7tQ2Lf9RHTY
16mTHRfW84GcgPYu9ffw3QY7ce2nay2NYp
16PhdF7PzvQJm4JE1TgihrGXnFY6fYrbXV
16tPXK8RECtq2f7ASonXqyuvrZu3hJETMs
174KYmna8mp2uGebpcxiY1EfmMqfJ2sjLR
17aZdtgFdNcFzk8GTbGBxmqzetFFd7crJi
17C7MNabfSuB8Bv24KhduoubmHvWAT42DD
17dsK4krDgLKD88yz6RTujqAxTiJhkK5a9
17EFPvB7cREmeUQwtvJTfEFJoYJirg1mRf
17GydxtQSPiD1nYnLvJHycELA1Ag4m4iuu
17xaHhbCWBUiNDRUeNJHRrCtcDRnRhCr86
181BoTUFvjee5sTdNGcQ1x2craer5wQMij
187MmCbFFRiHXJJoKE5GxpNL3Y2LiuGywf
18p1qndKMCuLTkWsVBftDTqpCfwCzSVC8x
18UP3Kz2RGRiM8jZg5S51FLBMJvhMDHop1
18Wy3bszLBhkzai4zWvyam1gL4pRfoDfbV
18zSpqoKdz7RH7DEiRBjViLJoBMm5zFToD
196iP6DmLDX7yBtiuzp1XL2HCZpMSahv5V
196yWeJKua6se2dX8RBkWbTMXCH5aSMyY2
198ESRJa3HwrVFV3PVu8v4LaNDM1BqN2fc
19BGQoPZDcVm9XPyxWGzPDmsGvA18G5fnx
19F27CTGvxid5dseiAnsC3pkytfjRiqTDJ
19vwKs6QwheUhVKyaSNXbj77AS4BqpKeak
1ANjzQk2EDcAH1fBwjBF6EmSWCbDZHcvzT
1AQjFJkBmzpnXpAwQtZYmGVkvy7rZaHrUa
1AqWpBTxFhnoVsMSUbmpxi5qrtaiDVdgMi
1At2Benfw9xZ6vDGJu5NGzitJFZVLG6BiA
1Atg34avReaTWD5XYsQzmEvFSSnwAiu5Fc
1B7chv2YiBPV8r6dDgrq586inP5ACEBfXp
1Baf76UaYEEnK1ctinDkqWpNH1n3xyeQDp
1BLebicTdoHEReACDn61aTJhMErTSPrK7h
1BXYp9uc3QdqCfu4n68rhLVJYgcRntqRNL
1CB1vmDWqGDbF7JAQvHjG5YG4NcJHptYds
1CGPZmAJ12SgH9JrbuMiQmhoZKdW28bwYw
1CkX2PjEzpg6Vik9djrTSSET2FdggUqeXe
1CMkZrjn37T9Sp1aVNhSGTPArc3y2mKeQ7
1CPWoS5Ps8HetvYUq5SnE6CPDb4e3U5tsF
1EC5egdwnc8RmMthTkz5w3WoiPme6Zvyj4
1EkyQZbBEH473r5ipKjVuqRC6t5CWSbLrp
1EmeHBDwEU22AVhZXofT2vT6gy58fWSZ46
1EpNNZVpGXS7JQKoTg89WBRSyJ75sQF4jT
1ERmca2rgBD1vf6mFPByu3pK1T3qa9Trf8
1ETE54mux3p47RvcEoEXuV7zW7g5qRao2B
1Evwa8QTVf4FBoNmmwsEq86LFq286pbMiA
1EZvKXwq3A8qTLdDjAayo3woxDinbxfyds
1F3j6KRLMayUDZgqogo9asr2F2QCve9Z4q
1FEEARpkWZRmBc7fmLuNxSrvoAiNdzdjiw
1FkYatSXPiwhwm8hk8FaqCNZHaosn28MJ4
1Fnw9g1yRz3bEnN8TGuDa6FbrU7B54Jpix
1GLv8xL6mkwkcmT4Y7ovNdmQZbKSt5rtxr
1GNzEneufUziU3a6fvWHRwDvPXjNgK5ua5
1GokYfGJLaXmSvgcdM9a4KB4nKWCs4XUvt
1GouMaHURxVEwPZRiSTkNisnLJnve1syzM
1HKHjRMSb3SG6eZVC9VTASZ2R3RJwCYQzY
1HqaUDqhZHUgSXz2S9qEozmsRcHQeAUHQY
1HWP196S4vCQxQXpngxYtfnwq146pA91BX
1J4Zk3FDm9j9yhkLnsJxKt2fdpkgQw9BJK
1JmuF2WpVQEiuBjKXnpV9vbqRNLCbqq6S9
1JR2e1oNKo5xQFBDR7MY5w39k4ZX4i17vQ
1Jtt3oyRcaoKxyKkEqPL9WLFhTLBa5999D
1jUPnCxxGDyZHwz2pAETQduhqwdpfsKiZ
1KjkcrPW9zEofJNJtfxnFLMjmGSwmRgWuU
1KvYPRtC2FH7zutpAjS4PzVcDSGgdBLZGX
1L1hAUBhHat3vmjEpZP4vDk4qUoYN6j4Qf
1L7DiuWwNwpBoMfHwjBs9Z3pUnsqcX7Mb
1LAJTiUd5WnT4QHSoCrVJrie4a7nYAf8ko
1LLEzbc6RPT9nHqyPFfW6M2TkuYtuPUsaq
1M9WdD6AdtgTKwK7DDq4fP6Ag39JyowBvL
1MCyw1TNf9hN69Zhi4ZkungXWJXzeEdUKa
1MopVXkbxAyW9jF1y91KHsFgerA5mqeXBT
1N36M1bQB3BboyRozLy4LyBtqiCGdWSj2a
1N66JTDkneKZ6Y8pHLaA97ncq6uiuPJj2o
1N83vL7ukSkRYFd2yxcdBFgwVSnLxQcUNN
1NkrCNMXjMYaRpX7oavR5gfqRrf5mmTpQ9
1NNWZdjA7htVWsY8Wnobt2kY3CWePP3x4G
1NtkeQY5pgcmsiRSoJrAjx3hah5dSrwxii
1NVqE82oq6MAtrMasvtE49dqdesVpGGPdm
1p6fKYPm98NmcQ4ySQEMRbewGhR1T8yAt
1PDaTn2y3kfZojpwyTPYCDhwbZrwR8Pbqn
1PGuWJPxjr3jrrTwrmFq5qSNEgBmFKEEs3
1PHfjxqovXd4zEaCt7rELyUAFdKTRa4SB3
1PNezzgm41qL9JdAJqGdumsiDssemMYUGP
1xmBrLpi8uA2SVGa7ysT98itj4MuRYHcD

The UI also has a "Check Payments" button which can be used to determine if payment has been made after which files will be decrypted. It contacts btc.clockr.io which points to www.coinbase.com:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

GAV: Zapium.RSM (Trojan)