The R980 Ransomware Interacts with its Victims via the Mailinator Disposable Email Service

Researchers have come across a new strain of ransomware, named R980, whose creators have chosen to use the Mailinator disposable email service to communicate with their victims.

According to Trend Micro researchers, R980's authors are using spam emails to distribute their ransomware. The messages contain Office files that, when opened, ask the victim to enable macro support. Once macros are enabled, R980 is installed.

It is no surprise that each piece of ransomware has a particular feature (sometimes more than one) that helps it stand out and be memorable among the numerous new malware versions detected on a daily basis.

For instance, the quirk of the Smrss32 ransomware, which was uncovered last week, is that it searches for and targets a huge number of file extensions: 6,674 different ones.

R980 has a quirk of its own, and it is an odd one. While almost every piece of ransomware acts in much the same way when it comes to communication and terms of payment, R980's developers had a different idea. The majority of ransomware infections either provide a link to a Tor-based website, where the victims can make the payment and obtain the decrypter, or they provide an email address via which the victims can get in touch with the creators and negotiate the ransom sum.

R980's authors, however, have chosen to rely on a Bitcoin wallet address that is unique to each user. The address is listed in the ransom note together with instructions on how the users should make the payment. The victims are informed that once they have paid up, the ransomware authors will automatically detect their payment and send a decrypter to a disposable email address they have created via the Mailinator service.

However, Mailinator is well known for automatically deleting all email messages after a couple of hours. That's why all users should be very careful, and if they have paid the ransom demanded, they should check their inbox as soon as possible to see if they have received the decrypter. Otherwise, it may end up deleted and the victims may lose all their encrypted data.

Unfortunately, security researchers say that the chances of creating a free decrypter for R980 are quite slim because of the dual encryption system it uses. It is based on both the RSA 4096 and AES-256 algorithms, which make the R980 ransomware even more difficult to crack.
