RensenWare Will Only Decrypt Files if Victim Scores .2 Billion in TH12 Game

  • This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

Solarquest

Moderator
Staff member
AV-Tester
Jul 22, 2014
1,925
15,555
#1
A new ransomware called RensenWare was discovered today by MalwareHunterTeam that makes a unique ransom demand; score over 0.2 billion in the LUNATIC level of TH12 ~ Undefined Fantastic Object or kiss your files goodbye! While I do not think this ransomware was ever meant to be distributed, it shows what a creative developer can do to torment their victims.

Update 4/6/17 4:05 PM: As predicted, this ransomware appears to be a joke. According to a tweet by Shinjo Park, the ransomware developer infected himself.

How RensenWare Encrypts a Computer
When MalwareHunterTeam gave me the sample, it kept crashing when testing it. This was because it was using the GetLogicalDrives function, which would list all the drives on the computer, even if they are not fixed disks. This, and a lack of proper error handling, meant it would crash every time it tried to encrypt something on my CD drive. To get it to run, I had to modify the code so that it would only target the C: drive on my test box.

Once I was able to get it to run, RensenWare would scan a computer for certain file types and encrypt them using AES-256 encryption. When it encrypted a file it would append the .RENSENWARE extension to it. This means a file named test.jpg would be encrypted as test.jpg.RENSENWARE.


....

As the developer is not looking to generate revenue from this ransomware, this program was most likely created as a joke. Regardless of the reasons, it illustrates another new and innovative way that a ransomware can be developed.

....


VT was 12/61
Antivirus scan for 7bf5623f0a10dfa148a35bebd899b7758612f1693d2a9910f716cf15a921a76a at 2017-04-06 14:01:56 UTC - VirusTotal