The Emsisoft security researcher xXToffeeXx has recently stumbled across a new version of the DetoxCrypto ransomware. Dubbed Nullbyte Ransomware, it pretends to be NecroBot, an app for the wildly popular Pokemon Go game.
When the Nullbyte Ransomware encrypts its victims' data, it demands a 1 Bitcoin ransom for the decryption key. Luckily for us all, Michael Gillespie managed to create a free decryption tool that lets Nullbyte victims recover their data without being extorted.
This ransomware is distributed via a GitHub project that pretends to be a rebuilt version of the NecroBot app, in the hope of tricking users into believing it is the legitimate application.
When downloaded and launched, the phony app displays the usual NecroBot interface where users log in, to lower suspicion even further. When a user enters their login information and presses the “Login” button, it looks as if the app is trying to log in to the NecroBot servers. What it actually does, however, is steal the victim's login credentials and upload them to its C&C server. Once this has finished, it moves on to the data encryption process. Then, when all files are locked, a ransom note is displayed, asking users to pay 1 Bitcoin to decrypt their data.
The researcher MalwareHunterTeam explains that the Nullbyte Ransomware uses AES encryption in the data locking process. It also appends the “_nullbyte” extension to all encrypted files. For instance, a file called “test.jpg” would be renamed “test.jpg_nullbyte” once encrypted.
When encrypting files, the Nullbyte ransomware will target any file located in the following folders:
Under %USERPROFILE%: \Documents, \Downloads, \Favorites, \Music, \Pictures, \Videos, \Contacts and \Desktop.
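The two indicators above (the “_nullbyte” suffix and the fixed list of profile folders) are enough for a simple triage check on a suspect machine. The script below is an added example written for this page, not code from the researchers or from the malware; it builds a constructed sample profile tree in a temporary directory, walks only the folders the write-up names, and reports each encrypted file together with its recoverable original name. Recursing into subfolders of those directories is an assumption, as is the choice to ignore suffixed files outside them.

```python
import tempfile
from collections import Counter
from pathlib import Path

# Indicator from the write-up: encrypted files carry this suffix.
NULLBYTE_SUFFIX = "_nullbyte"

# Folders under %USERPROFILE% that the write-up lists as targets.
TARGET_FOLDERS = ["Documents", "Downloads", "Favorites", "Music",
                  "Pictures", "Videos", "Contacts", "Desktop"]


def find_nullbyte_files(user_profile):
    """Walk the targeted folders (recursively, by assumption) and return
    (encrypted_path, original_name) pairs for every suffixed file."""
    hits = []
    root = Path(user_profile)
    for folder in TARGET_FOLDERS:
        base = root / folder
        if not base.is_dir():
            continue
        for path in base.rglob("*"):
            if path.is_file() and path.name.endswith(NULLBYTE_SUFFIX):
                # The original name is the file name with the suffix stripped.
                original = path.name[:-len(NULLBYTE_SUFFIX)]
                hits.append((str(path), original))
    return hits


def summarize(hits, user_profile):
    """Count affected files per top-level target folder."""
    root = Path(user_profile)
    counts = Counter()
    for encrypted, _ in hits:
        rel = Path(encrypted).relative_to(root)
        counts[rel.parts[0]] += 1
    return dict(counts)


def build_sample_profile():
    """Constructed sample profile tree (not real victim data) for offline runs."""
    profile = Path(tempfile.mkdtemp(prefix="nullbyte_demo_"))
    (profile / "Documents").mkdir()
    (profile / "Pictures" / "2016").mkdir(parents=True)
    (profile / "AppData").mkdir()
    (profile / "Documents" / "report.docx_nullbyte").write_bytes(b"\x00" * 16)
    (profile / "Documents" / "notes.txt").write_text("untouched")
    (profile / "Pictures" / "2016" / "test.jpg_nullbyte").write_bytes(b"\x00" * 16)
    # Outside the targeted folders: not reported even though it has the suffix.
    (profile / "AppData" / "cache.bin_nullbyte").write_bytes(b"\x00" * 16)
    return str(profile)


if __name__ == "__main__":
    profile = build_sample_profile()
    hits = find_nullbyte_files(profile)
    for encrypted, original in hits:
        print(f"{encrypted}  ->  original name: {original}")
    print(summarize(hits, profile))
```

On a real machine you would pass the actual profile path instead of the constructed tree; the per-folder counts give a quick picture of how far encryption got before the process was interrupted.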
Moreover, during the encryption process, the ransomware stops the chrome, cmd, taskmgr, firefox, iexplore and opera processes to make it harder for the victim to remove the threat or search for help online.
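That burst of terminations is itself a detectable pattern: a normal user rarely closes a browser, a command prompt and Task Manager within the same few seconds. The following is an added example, not part of the original write-up, that runs a simple rule over constructed process-termination log lines. The log format ("<ISO timestamp> ProcessTerminate image=<path>") and the window and threshold values are assumptions chosen for illustration.

```python
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Process names the write-up says the ransomware stops (listed without .exe).
TARGETED_PROCESSES = {"chrome", "cmd", "taskmgr", "firefox", "iexplore", "opera"}

# Constructed log line format (assumption): "<ISO timestamp> ProcessTerminate image=<path>"
LINE_RE = re.compile(r"^(\S+) ProcessTerminate image=(.+)$")

# Constructed sample log: background noise, then a burst typical of the behaviour described.
SAMPLE_LOG = """
2016-09-01T09:12:03 ProcessTerminate image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe
2016-09-01T09:40:55 ProcessTerminate image=C:\\Windows\\System32\\notepad.exe
2016-09-01T10:15:00 ProcessTerminate image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe
2016-09-01T10:15:01 ProcessTerminate image=C:\\Windows\\System32\\cmd.exe
2016-09-01T10:15:01 ProcessTerminate image=C:\\Windows\\System32\\Taskmgr.exe
2016-09-01T10:15:02 ProcessTerminate image=C:\\Program Files\\Mozilla Firefox\\firefox.exe
""".strip().splitlines()


def parse_events(lines):
    """Turn log lines into sorted (timestamp, process_name) pairs; skip unparsable lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        # Normalise to the bare, lower-case image name so "Taskmgr.exe" matches "taskmgr".
        name = PureWindowsPath(m.group(2)).stem.lower()
        events.append((ts, name))
    return sorted(events)


def detect_mass_termination(events, window_seconds=60, threshold=3):
    """Return the first window in which at least `threshold` distinct targeted
    processes were terminated, or None if the pattern does not occur."""
    targeted = [(ts, n) for ts, n in events if n in TARGETED_PROCESSES]
    for i, (start, _) in enumerate(targeted):
        seen = set()
        for ts, n in targeted[i:]:
            if ts - start > timedelta(seconds=window_seconds):
                break
            seen.add(n)
        if len(seen) >= threshold:
            return {"start": start.isoformat(), "processes": sorted(seen)}
    return None


if __name__ == "__main__":
    hit = detect_mass_termination(parse_events(SAMPLE_LOG))
    print("no suspicious burst" if hit is None else f"suspicious burst: {hit}")
```

The single chrome termination at 09:12 does not trigger the rule; the four targeted terminations within two seconds at 10:15 do. In a real deployment the line parser would be swapped for whatever your endpoint telemetry emits, and the rule would feed an alert rather than a print.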
Finally, the Nullbyte ransomware takes screenshots of the currently active Windows screens and sends them to its C&C as well. For now, it is not clear why the ransomware crooks need these screenshots, but experts assume they might use them for blackmail or information theft.