Donald Trump Ransomware Builds Walls Around Your Files

Given the massive discussion around the Presidential Debate between Hillary Clinton and Donald Trump, it’s no wonder that a ransomware named after Trump has already appeared. For now there is only a Donald Trump Ransomware, but no one knows whether a Clinton-themed ransomware will come next.

To be precise, the Donald Trump Ransomware is still in development. It was first compiled over a month ago, so there is a good chance that the virus will never be actively distributed.

Although the Donald Trump Ransomware contains functions for encrypting files using AES, in its current form the virus does not encrypt anything at all.

Instead of encrypting documents, the ransomware looks for files in the encrypt folder, base64-encodes the names of any files that match certain file extensions, and appends the .ENCRYPTED extension to them.

These are the extensions targeted by the Donald Trump Ransomware:

.zip, .mp3, .7z, .rar, .wma, .avi, .wmv, .csv, .tax, .sidn, .itl, .mdbackup, .menu, .icarus, .litemod, .sav, .lvl, .raw, .flv, .m3u, .xxx, .pak, .jpg, .png, .docx, .doc, .ppt, .odt, .csv, .jpeg, .psd, .rtf, .cfg, Minecraft, alts.json, .wolfram, .dat, .dat_mcr, .mca, .Ink, .pub, .pptx, .php, .html, .yml, .sk, .txt, .mp4, .vb, .swf, .ico, .xcf, bukkit.jar, .log, .sln, .ini, .dll, .xml, .tex, .assets, .resource, .java, .js, .css, .gif

In this ransomware version you can simply click on the Unlock button to have the files renamed to their original filenames.
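Because only the file names change, the rename can also be reversed without running the sample. The script below is an added example, not code from the ransomware or from the original article; it assumes the whole original file name is encoded as UTF-8 with the standard base64 alphabet before .ENCRYPTED is appended, and its function names are illustrative.

```python
import base64
import sys
from pathlib import Path

SUFFIX = ".ENCRYPTED"  # extension the article says is appended


def original_name(renamed):
    """Decode a renamed file's original name; None if it does not fit the pattern."""
    if not renamed.endswith(SUFFIX):
        return None
    stem = renamed[: -len(SUFFIX)]
    try:
        # Assumption: standard base64 alphabet over the UTF-8 file name.
        decoded = base64.b64decode(stem, validate=True).decode("utf-8")
    except ValueError:  # bad alphabet/padding, or bytes that are not UTF-8
        return None
    # Never trust the decoded value as a path: refuse separators and dot names.
    if decoded in ("", ".", "..") or any(c in decoded for c in "/\\\0"):
        return None
    return decoded


def restore(folder, dry_run=True):
    """Rename matching files back; returns (current, restored) name pairs."""
    done = []
    for path in sorted(Path(folder).iterdir()):
        name = original_name(path.name) if path.is_file() else None
        if name is None:
            continue
        target = path.with_name(name)
        if target.exists():  # do not overwrite a file that already has that name
            continue
        if not dry_run:
            path.rename(target)
        done.append((path.name, name))
    return done


if __name__ == "__main__":
    # Usage: python restore_names.py <folder> [--apply]; default is a dry run.
    if len(sys.argv) < 2:
        sys.exit("usage: restore_names.py <folder> [--apply]")
    for old, new in restore(sys.argv[1], dry_run="--apply" not in sys.argv[2:]):
        print(f"{old} -> {new}")
```

Run it without `--apply` first and review the printed pairs; files whose decoded name would collide with an existing file are skipped rather than overwritten.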

Even though the Donald Trump Ransomware is not currently being actively distributed, all users should be very careful with any email attachments they receive during the election. Cyber criminals commonly send malware attachments disguised as content related to the latest news.

Files associated with the Donald Trump Ransomware:

CRPT-TRX.exe

IOCs:

SHA256: 4cea9dbc941756f7298521104001bc20cb73cfdda06a60a9e90760188661f5e4
