Xorist Ransomware Created From Free Construction Kit

The Sonicwall Capture Labs Threats Research team have been recently tracking malware deriving from Ransomware construction kits. Xorist, is one such ransomware where a kit is provided and an attacker can configure various features such as message text, file extension of encrypted files, encryption algorithm, unlock password etc.  The attackers charge 0.8 BTC (around $4953 USD at the time of writing) for file recovery.

Infection Cycle:

Upon infection, the Trojan encrypts files on the system and appends the following file extension to their filenames:

• PAY_IN_MAXIM_24_HOURS_OR_ALL_YOUR_FILES_WILL_BE_PERMANENTLY_DELETED_PLEASE_BE_REZONABLE _you_have_only_1_single_chance_YOU_NEED_TO_PURCHASE_THE_DECRYPTOR_FROM_US_FAST_AND_URGENT

It places the following file in every directory containing encrypted files:

• HOW TO DECRYPT FILES.txt

HOW TO DECRYPT FILES.txt contains the following message:

We were able to obtain a copy of the construction kit.  Ironically we also obtained a copy that was infected with the very same ransomware.  The user interface contains various customization options:

Configuration options include:

• • File extensions to target for encryption
  • File extension text to append to encrypted files
  • Decryption password
  • Wallpaper to show on desktop background
  • Icon for the malware executable file
  • Autorun at startup
  • Encryption algorithm to use (XOR/TEA)
  • Ransom note text
  • File recovery password attempts
  • UPX file packing

The bitcoin address (3KxEZKjS4ifAHhX2o1fq9tERkAshSgA4hg) appears to have collected some funds from prior victims:

We reached out to repair_data@scryptmail.com and received the following reply.   Although 0.8 BTC is stated in the ransom note, the file recovery fee appears to be negotiable.  The deadline however, is tight:

Sonicwall Capture Labs provides protection against this threat via the following signatures:

• GAV: Xorist.RSM_3 (Trojan)
• GAV: Xorist.RSM_4 (Trojan)
• GAV: Xorist.EJ_4 (Trojan)