Pokemon Ransomware

September 14, 2016

So the major credit is first to be given to MalwareHunterTeam who initially found this and also analysed it. I will be giving a few more insights that I found interesting in relation to this piece of ransomware. It looks like it was first discovered on the 19th of August and doesn’t look to be very advanced. The sample is obfuscated using Dotfuscator Evaluation which is advertised well in the sample. It is incidentally illegal for them to use it on software on general release, but I’m sure they don’t care about that. This is pretty trivially deobfuscated thanks to de4dot.

aIt starts a background worker ready to generate it’s key and start encrypting files. From what I see it generates the intilisation vector on the client using RNGCryptoServiceProvider length is set as 16 for cryptographic convention on IV’s to do with the later algorithm. The IV is sent as the parameter ‘public key’ which is confusing because we will be using symmetric cryptography, not public key. The request is sent to a statically set host which is downloadfiles.comuf.com , you may have seen comuf.com and think why they have done this. For all of you who don’t know, comuf.com is a 000webhost domain for free hosting. That’s right, this ransomware is not only not using DGA or multiple hosts but is using a free one.

bIt also sends with a statically set in the sample user agent, I’m thinking it’s used as a protection system for people sending random requests. Although a client can obviously change their user agent at any time. Sent as a POST, it checks if the request comes back with a status code code of OK (200). And seperates the request body with linefeeds, from the analysis I have done the array[0] turns out to be the key when encrypting files later on.

cThe ransomware then goes through disks and filters to remove CDROM, NoRootDirectory and Unknown Drives (Ref) it then moves on to finding the files, it will use like most ransomware a list of extensions which are mostly picture, database, archive, office extensions to encrypt for speed. It will not encrypt files in the C:\\Windows folder. It also checks if it contains “bg” in it’s name, if it does it will not encrypt. This is so they don’t encrypt the wallpaper they will use which is called bg.jpg

dAfter encrypting through every file it sees fit it will send a request to complete.php with some basic information such as the IV , name of the machine, operating system, processor, what drives were found and sizes. It also saves the IV on the machine which is saved in the Downloads/Pokemon folder. If we understood the variant of ransomware and the host was up decrypting files would be very easy. I think the author is confusing how public key crypto works, the key is still derived from the intial request and so attempting to use the IV and key in a public key crypto way is not a great idea.

eLastly it will set the Desktop background to bg.jpg and start Pokemon.exe it also has Pokemon music in it’s resources and is played when executed. This piece of ransomware was interestingly targeted towards Pokemon users obviously trying to get on something that is current and popular for people to download and execute. The actual malware itself was bad in many ways which is good from a defense perspective, the attacker does not seem to be sophisticated. The worrying thing about this is that you do not have to be too sophisticated in coding or hacking to produce something that may make small businesses or individuals pay up.