Lately, there are lots of the minor, or less heavily distributed, ransomware infections which have chosen to use pop culture references in their lock screens instead of focusing on getting paid.
The latest proof for the aforementioned is the new ransomware found by Michael Gillespie, which pays homage to the villain in the popular Harry Potter series, called Voldemort.
The Nagini ransomware was named after Voldemort’s pet snake and it is currently under development. The virus has been created only to work on a particular test system. However, what is interesting here, is that instead of asking for a ransom payment in bitcoins, the Nagini ransomware is asking for users to enter a credit card number instead.
There are a few interesting strings in the executable. For instance, the embedded PDB string shows that the developer of Nagini ransomware goes by the name Colosseum:
C:\Users\Colosseum\documents\visual studio 2013\Projects\Cryptolocker\Release\Cryptolocker.pdb
Also, as Nagini ransomware is still in development mode, it is only targeting the .doc, .docx, .ppt, .pptx, .xls, .xlsx, .bmp, .png, .jpg, .jpeg, .exe, and .pdf file extensions, as well as only files found in the C:\Users\Colosseum\Desktop\files\folder.
Besides, it became clear that Nagini ransomware looks for a file called C:\Temp\voldemort.horcrux, however, the purpose of this file is unknown yet.
Files associated with the Nagini Ransomware:
Nagini.exe
Registry entries associated with the Nagini Ransomware:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run “Voldemort” = “[path_to]\Nagini.exe”
IOCs:
SHA256: a1b0c47cc5d2ecb8ea634f436764c0b17c8ed59cc144739c77c069970642a102
