Emsisoft security researcher xXToffeeXx recently uncovered a ransomware program called RSAUtil. The analyst made a post on Twitter to report his discovery and warn computer users about the threat. The infection is distributed by launching RDP attacks. It comes together with a package of additional files.
RSAUtil ransomware has been written in Delphi. The malignant program marks the targeted objects with the .helppme@india.com.ID[8 characters] file extension. The encryption procedure finishes by disseminating a ransom note titled How_return_files.txt. The virus drops a copy of the note in every folder which contains encrypted files.
RSAUtil uses a set of tools to perform additional operations. Their general objective is to prepare the targeted machine for the installation of the ransomware. A CMD file clears the Windows event logs to remove traces of the intrusion, which makes it harder for analysts to reconstruct how the infection unfolded.
Two files from the package prevent users from activating sleep mode or hibernating. This is done to maintain connection with the hackers’ remote server. A BAT file configures various remote desktop service options. The desktop background is replaced by a custom image.
Perhaps the most important component of the package is a configuration file, which drives the actual encryption. It contains several directives that handle the following tasks: checking whether the device has already been encrypted, and setting the victim ID, the contact email account, the name of the ransom note, the custom file extension and the public encryption key.
The RSAUtil executable itself is included in the package under the name svchosts.exe. When launched, it scans the directories of the infected computer, as well as mapped network drives and unmapped network shares.
RSAUtil does not appear to use a list of target file types. As a result, the ransomware also encrypts executable files, which most ransomware programs leave alone.
RSAUtil appends a custom suffix to the names of the encrypted files. The extension lists important information: an email address and a unique 8-character ID. The attackers use two email accounts to communicate with victims: helppme@india.com and hepl1112@aol.com.
The final step is to disseminate copies of the ransom note. You will find a duplicate in every folder which contains encrypted objects.
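The two on-disk artefacts described above, the renamed files and the How_return_files.txt note, are enough to triage an affected machine. The following is an added example written for this page, not code from the original report or from Emsisoft; it assumes the suffix is laid out as `<original name>.<email>.ID<8 alphanumerics>`, and the sample paths are constructed.

```python
import os
import re
from dataclasses import dataclass, field
NOTE_NAME = "How_return_files.txt"
KNOWN_EMAILS = {"helppme@india.com", "hepl1112@aol.com"}  # named in the write-up
# Assumed suffix layout: "<original name>.<email>.ID<8 alphanumerics>"
SUFFIX_RE = re.compile(r"^(?P<orig>.+)\.(?P<email>[A-Za-z0-9_+-]+@[A-Za-z0-9.-]+)\.ID(?P<id>[A-Za-z0-9]{8})$")
# Constructed sample tree, not data from a real incident
SAMPLE_PATHS = [
    "C:/Users/alice/report.docx.helppme@india.com.IDA1B2C3D4",
    "C:/Users/alice/How_return_files.txt",
    "C:/Tools/setup.exe.helppme@india.com.IDA1B2C3D4",
    "C:/Tools/How_return_files.txt",
    "C:/Users/alice/notes.txt",  # untouched file, must be ignored
]

@dataclass
class Triage:
    encrypted: list = field(default_factory=list)   # (path, original name)
    ids: set = field(default_factory=set)            # victim IDs seen
    emails: set = field(default_factory=set)         # contact addresses seen
    note_dirs: set = field(default_factory=set)      # folders holding a ransom note
    executables: int = 0                             # .exe files hit (RSAUtil does not skip them)

def parse_name(name):
    """Return (original name, email, id) for an RSAUtil-style file name, else None."""
    m = SUFFIX_RE.match(name)
    return (m["orig"], m["email"].lower(), m["id"]) if m else None

def triage_paths(paths):
    """Classify file paths into encrypted files and ransom-note locations."""
    t = Triage()
    for path in paths:
        dirpath, name = os.path.split(path)
        if name == NOTE_NAME:
            t.note_dirs.add(dirpath)
        elif (parsed := parse_name(name)):
            orig, email, victim_id = parsed
            t.encrypted.append((path, orig))
            t.ids.add(victim_id)
            t.emails.add(email)
            t.executables += orig.lower().endswith(".exe")
    return t

def triage_tree(root):  # walk a real directory tree and triage every file in it
    return triage_paths(os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs)

def unknown_emails(t):  # addresses the write-up does not list: possibly a new variant
    return t.emails - KNOWN_EMAILS
```

Run `triage_tree()` against a mounted image of the affected disk to get the victim ID, the contact address and every folder that received a note, which is what a recovery plan and a decryptor lookup need.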
Upon completing the encryption process, RSAUtil ransomware displays a lock screen on the user’s desktop. Since the ransom note does not list payment details, the virus prompts users to contact the hackers for instructions on how to pay the ransom.
Our advice to ransomware victims is to refrain from paying the attackers. At the end of the day, a payment to an anonymous party carries no guarantee that the files will be restored. The best defence against ransomware attacks is to keep backups of your data.