Exotic Ransomware Author Tries to be Friends with Security Researchers

Exterminator
A new ransomware appeared this past week, and in the span of two days it went from version 1.0 to 3.0, as its author, a German developer known as EvilTwin or Exotic Squad, really wanted to impress security researchers with his "work of art."

Called Exotic, this ransomware is a run-of-the-mill file locker: it encrypts files, shows a ransom note and asks for money to unlock the data.

According to MalwareHunterTeam, the researcher who first spotted the ransomware, this is not the most advanced or well-coded piece of malware he has looked at in the past months.

Exotic isn't a threat at the time of writing. According to multiple researchers, and to its author, the ransomware is still a work in progress.

Ransomware author wants to be "best buds" with security researchers
MalwareHunterTeam found Exotic 1.0 on October 12 and, as he likes to do, started a group analysis on Twitter to share information on the new threat with other analysts. As is sometimes the custom, one of the researchers recorded a video of the ransomware in action, walking the others through the infection process.

To everyone's surprise, the ransomware author contacted the researcher, thanked him for the time he took to showcase his "work" and make the video, and even wanted to become friends on Skype, as these screengrabs show. The gesture took many by surprise, since malware authors usually do everything in their power to avoid security researchers and their prying eyes, especially ransomware analysts, who often crack encryption implementations and ruin their operations.

Researchers found Exotic 2.0 and Exotic 3.0 during the next two days, but both contained only minimal changes. At the time of writing, there is no spam or malvertising campaign pushing this threat.

Exotic locks files and asks for only $50
As for Exotic's technical capabilities, the ransomware encrypts files with AES-128 and demands a ransom of $50 in Bitcoin.

At the file level, the ransomware encrypts each file, gives it a random name, and replaces the original extension with ".exotic".

Exotic 1.0 is easy to spot because it uses an image of Hitler as the ransom note background, probably inspired by the Hitler ransomware that appeared at the start of August. The other two versions dropped this image and used a minimal lock screen inspired by the Jigsaw ransomware. None of this is out of the ordinary; most ransomware follows the same pattern.

The only distinctive feature of Exotic is actually a bug that initially fooled researchers into thinking the ransomware was slowing down PCs by constantly scanning for newly added files. In the end, it turned out that the crook had simply targeted a few folders for encryption more than once, so those files were processed repeatedly.

The error is quite trivial, and it shows that EvilTwin has no experience writing ransomware, which most security researchers suspected from the beginning.

Below is a video from Serbian security researcher GrujaRS showing an Exotic 3.0 infection taking root and locking down a PC.

DardiM
Thanks for the share :)

Very original / strange behavior o_O, or not!

(I don't use Skype, but I remember that some (many)(many) years ago it was easy to find a computer's IP from a Skype user name when the user was logged in. I think protection has been added since then.)
Myriad
To my eyes, EvilTwin, or Exotic Squad, doesn't appear too bright, both in his/her coding skills and tactical smarts.

Do they really believe that contact with malware researchers will help improve the less-than-marvellous code?
.... that they might chime in with some tips?

If so, then it is very naive.

I can't decide if this is a case of egomania, or simply lack of confidence.
Low self-esteem issues perhaps .... the "look at me" mentality?


@Exterminator - Good article, thanks for posting it!
jamescv7
Exotic would be much better as an extinct ransomware, because that attempt will be the first and final attempt to communicate with security researchers. ;)

I don't think that will trick everything out, because any behavior can be determined immediately from the first place as ransomware.