'RedEye' Ransomware Destroys Files, Rewrites MBR

silversurfer

A newly discovered piece of ransomware appears mainly created to destroy the victim’s files instead of encrypting and holding them for ransom.

Dubbed RedEye, the malware appears to be the creation of the developer behind the Annabelle ransomware, who also claims to have made the JigSaw ransomware that first emerged a couple of years back (Cisco says the individual might be responsible for several other families as well).

The same as Annabelle and JigSaw, RedEye’s destructive nature makes it stand out in the crowd. While the vast majority of ransomware families out there have been created with the purpose of generating revenue for their authors and operators, RedEye would gladly destroy users’ files even if there’s no financial gain in it.

The new threat, Bart Blaze discovered, has a large file size, at 35.0 MB. This is the result of several media files (images and audio files) being embedded in the binary. Among these, there are three .wav files (child.wav, redeye.wav, and suicide.wav) meant to play a creepy sound, intended to scare the victim.

The malware author also used ConfuserEx and compression, along with a few other tricks, to protect the binary. A second binary was also embedded in the file, capable of replacing the MBR (Master Boot Record).

Once it has infected a computer, the ransomware performs a series of actions to make removal a difficult process. The threat disables task manager and also hides the victim machine’s drives.

RedEye then displays a ransom note informing victims that their files have been encrypted using AES256 and that they should access an .onion website and pay 0.1 Bitcoins to a specified address. This would supposedly result in a decryption key being delivered to them.

The victim is required to pay the ransom in 4 days, and the malware claims to be able to “fully destroy” the computer after that period of time is over.

Options available in the ransomware include the possibility to view encrypted files and decrypt them, get support, and “destroy PC.”

If the last option is selected, a GIF is displayed in the background, with an option to proceed with the operation (a "Do it" button) and another to close the image. If “Do it” is selected, the same as when the 4-day window is over, the malware reboots the machine and replaces the MBR.

Thus, when the victim powers on the system, they are greeted with a message informing them that “RedEye terminated their computer.” The malware author signed the message with the “iCoreX” handle.

Blaze also notes that, despite claiming to have securely encrypted files with AES256, RedEye appears to actually “overwrite or fill files with 0 bytes,” thus rendering them useless. The malware also appends the .RedEye extension to the affected files.

“While it appears that the RedEye ransomware has even more tricks up its sleeve than its predecessor Annabelle, the same conclusion holds true: do not pay the ransomware. As for the actual purpose of the ransomware: it may be considered a ransomware of the wiper kind, however, it appears the author likes to showcase his or her skill,” Blaze concludes.
 

TairikuOkami

Remove RedEye ransomware (Free Guide) - Removal Instructions
  • disables Windows Task manager;
  • hides computer drives;
  • modifies or creates new Windows registry keys;
  • disables computer's security;
  • turns off Windows Defender;
  • modifies Image File Execution registry;
  • makes programs unresponsive.
Any detailed info about how it infects the computer? If it is anything like GoldenEye, it is not that difficult to mitigate, since that one requires users to open email attachments containing documents executing VBS scripts/macros.

Goldeneye ransomware: the resumé that scrambles your computer twice
 

cruelsister

RedEye does seem to be a little cutie, but really nothing special. I like the 3 tunes (one on initial malware run, the second on reboot, with the ransom message, and the third during the reboot MBR encryption process). It spawns an identical twin in C root (c:\Windows.exe), and will persist by a couple of reg entries (a fake Windows Update notation pointing to the malware). It also will create an autorun.inf in C root pointing to the Windows.exe clone (not sure what they want to do with this), and there is also a Tempredeye.exe in appdata\local.

It's not especially nasty as it just targets stuff in Users directory, using Search Indexer to enumerate them as the malware acts directly on the targets. The MBR process will commence on the user clicking the Destroy PC thingy on the ransom message or at the end of the allotted time.

Of course CF is proof against both the encryption routine as well as the MBR screwing.
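As a defender-side check, added here and not part of the thread or the article it quotes, the following read-only PowerShell triage looks for the host indicators the two posts above describe (Task Manager disabled, drives hidden, IFEO debugger entries, the c:\Windows.exe and autorun.inf drops, Tempredeye.exe in %LOCALAPPDATA%, and Run-key entries pointing at those binaries). The thread does not name the registry values involved; DisableTaskMgr and NoDrives are the standard policy values that produce those effects and are assumed here, as is the use of the Run keys for the "Windows Update" persistence entry.

```powershell
# Read-only triage for the RedEye indicators described in this thread.
# Run in an elevated PowerShell on a suspect Windows host; nothing is modified.
# Assumption: the thread does not name the registry values; DisableTaskMgr and
# NoDrives are the standard policy values that disable Task Manager / hide drives.
$findings = @()

# 1. Task Manager disabled and drives hidden (policy values, per-user and machine-wide)
foreach ($hive in 'HKCU:', 'HKLM:') {
    $sys = "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    $exp = "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $v = (Get-ItemProperty -Path $sys -Name DisableTaskMgr -ErrorAction SilentlyContinue).DisableTaskMgr
    if ($v -eq 1) { $findings += "Task Manager disabled via $sys\DisableTaskMgr" }
    $v = (Get-ItemProperty -Path $exp -Name NoDrives -ErrorAction SilentlyContinue).NoDrives
    if ($v) { $findings += "Drives hidden via $exp\NoDrives = $v" }
}

# 2. Image File Execution Options 'Debugger' values (the usual way IFEO is abused
#    to make programs fail to start, matching the 'makes programs unresponsive' item)
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { $findings += "IFEO Debugger on $($_.PSChildName): $dbg" }
}

# 3. Dropped files named in the thread
foreach ($p in "$env:SystemDrive\Windows.exe", "$env:SystemDrive\autorun.inf",
               "$env:LOCALAPPDATA\Tempredeye.exe") {
    if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
}

# 4. Run-key entries whose command points at those binaries (assumed location of
#    the fake 'Windows Update' persistence entry)
foreach ($run in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
    $props = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties |
            Where-Object { $_.Value -match 'Windows\.exe|Tempredeye\.exe' } |
            ForEach-Object { $findings += "Run entry '$($_.Name)' -> $($_.Value)" }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No RedEye indicators from the thread were found.' }
```

A hit on items 3 or 4 is a strong signal; items 1 and 2 can also be set by legitimate group policy, so confirm them against the host's expected configuration.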
