RensenWare Will Only Decrypt Files if Victim Scores .2 Billion in TH12 Game

Discussion in 'News Archive' started by Solarquest, Apr 6, 2017.

  1. Solarquest

    Solarquest Moderator
    Staff Member AV Tester

    Jul 22, 2014
    A new ransomware called RensenWare was discovered today by MalwareHunterTeam that makes a unique ransom demand; score over 0.2 billion in the LUNATIC level of TH12 ~ Undefined Fantastic Object or kiss your files goodbye! While I do not think this ransomware was ever meant to be distributed, it shows what a creative developer can do to torment their victims.

    Update 4/6/17 4:05 PM: As predicted, this ransomware appears to be a joke. According to a tweet by Shinjo Park, the ransomware developer infected himself.

    How RensenWare Encrypts a Computer
    When MalwareHunterTeam gave me the sample, it kept crashing when testing it. This was because it was using the GetLogicalDrives function, which would list all the drives on the computer, even if they are not fixed disks. This, and a lack of proper error handling, meant it would crash every time it tried to encrypt something on my CD drive. To get it to run, I had to modify the code so that it would only target the C: drive on my test box.

    Once I was able to get it to run, RensenWare would scan a computer for certain file types and encrypt them using AES-256 encryption. When it encrypted a file it would append the .RENSENWARE extension to it. This means a file named test.jpg would be encrypted as test.jpg.RENSENWARE.


    As the developer is not looking to generate revenue from this ransomware, this program was most likely created as a joke. Regardless of the reasons, it illustrates another new and innovative way that a ransomware can be developed.


    VT was 12/61
    Antivirus scan for 7bf5623f0a10dfa148a35bebd899b7758612f1693d2a9910f716cf15a921a76a at 2017-04-06 14:01:56 UTC - VirusTotal
    _CyberGhosT_, frogboy and WinXPert like this.
  2. _CyberGhosT_

    _CyberGhosT_ Level 52

    Aug 2, 2015
    Central US
    Linux Mint
    Cool share Solar, that made me laugh.
    Solarquest likes this.
Similar Threads Forum Date
desuCrypt Ransomware in the Wild with DEUSCRYPT and Decryptable Insane Variants Security News Yesterday at 10:57 PM
Need Help How do I decrypt a encrypted video file? Apps - Questions & Help Dec 29, 2017
Hacking Alert The Week in Ransomware - December 1st 2017 - Decryptors, BTCWare, and More Security News Dec 3, 2017