Researchers at Palo Alto Networks have discovered a ransomware campaign with an unusual agenda. The ransomware has been used in the Middle East to propagate political views rather than to collect money. The malware experts published a report on the previously unseen program, which they dubbed RanRan ransomware.
The discovery is credited to Unit 42 at Palo Alto Networks. “Recently, Unit 42 has observed attacks against multiple Middle Eastern government organizations using a previously unseen ransomware family. Based on embedded strings within the malware, we have named this malware ‘RanRan’.”
RanRan can encrypt many kinds of files, including documents, logs, images, audio, video, archives, databases, executables, and source code. It appends the .zXz extension to the names of the encrypted files.
A ransom note in HTML format is produced to inform the victim of the ransomware’s actions. The targeted organization has to meet the demands of the attackers in order to have its data restored.
The developers of RanRan ransomware have an agenda different from the usual one. The ransom is not monetary. Rather, the victims are required to support a political agenda by publishing a statement on their website.
The hackers warn victims not to shut down their devices or run an anti-virus program because this could result in an “accidental damage on files”.
The targeted organizations are instructed to create a subdomain with a political title on their official website. RanRan provides a file named Ransomware.txt which is to be uploaded to the subdomain. It contains the statement “Hacked!” and lists the email address of the program’s creators.
“The ransom note specifically attempts to extort a political statement by forcing the victims to create a public sub-domain with a name that would appear to advocate and incite violence against a Middle Eastern political leader,” explain the analysts.
“The malware itself is fairly rudimentary and makes a number of mistakes in how files are encrypted. This allowed Unit 42 to create a script that is able to decrypt some files that were encrypted by RanRan.”
The experts at Palo Alto Networks concluded that the objective is to force government institutions to publish a political statement on their website and announce that they have been hacked.
The names of the affected organizations were not mentioned. The Unit 42 team has not revealed who the perpetrators behind the attacks are. Whether or not the hackers have been identified is unknown.
The researchers had the following to say regarding the attacks: “By performing these actions, the victim, a Middle Eastern government organization, has to generate a political statement against the leader of the country. It also forces the victim to publicly announce that they have been hacked by hosting the Ransomware.txt file.”
The analysis of RanRan revealed that the program had a simple code structure and contained mistakes that made it easy to crack. The software appeared to have been built from publicly available source code.
The experts addressed the program’s code in the report. “RanRan makes a number of mistakes when encryption occurs. For one, they use a symmetric cipher (RC4) with a re-used key. Additionally, some files are encrypted, but the originals are not deleted. This is due to a number of reasons, one of which being that encryption is attempted against system files and other files that are opened by running processes.”
The errors in the encryption process make it possible for some files to be unlocked. “Because we are provided with a situation where we have an original file, a file that has been encrypted, and the RC4 key is re-used against other encrypted files, we have the ability to decrypt some of this data,” the experts explained.
“This only works in certain instances where the following criteria is met:
- An encrypted and unencrypted file must be present for a given file size group (0-5MB, 5-30MB, etc). Using these two files, we are able to acquire the RC4 stream cipher.
- The remaining encrypted files must be of lesser size than the previously obtained stream cipher. If a file is of greater size, it is only able to be partially decrypted.”
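The two criteria above follow directly from how a stream cipher fails when its keystream is re-used. The following is an added, self-contained illustration written for this article; it is not the Unit 42 decryption script and does not use RanRan's real key. It implements textbook RC4, encrypts constructed sample files with one re-used key (as RanRan does within a size group), recovers the keystream by XORing a known original against its encrypted copy, and then shows that a second file shorter than the known one decrypts completely while a longer one is only partially recovered.

```python
"""Added example: recovering RC4-encrypted files when the keystream is re-used.

Not Unit 42's script. The key and the file contents below are constructed for
the demonstration; RanRan's real key is not published on the page.
"""


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Generate `length` bytes of RC4 keystream for `key` (textbook KSA + PRGA)."""
    # Key-scheduling algorithm: permute S using the key
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm: emit keystream bytes
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (RC4 is symmetric): data XOR keystream."""
    return bytes(d ^ k for d, k in zip(data, rc4_keystream(key, len(data))))


def recover_keystream(original: bytes, encrypted: bytes) -> bytes:
    """Known-plaintext step: original XOR ciphertext yields the keystream bytes.

    This works because RanRan left originals next to encrypted copies, and the
    same key (hence the same keystream) was used for every file in a size group.
    """
    n = min(len(original), len(encrypted))
    return bytes(p ^ c for p, c in zip(original[:n], encrypted[:n]))


def decrypt_with_keystream(keystream: bytes, encrypted: bytes):
    """Decrypt another file with the recovered keystream.

    Returns (recovered_bytes, fully_recovered). Bytes beyond the known
    keystream length cannot be recovered, which is the second criterion in
    the Unit 42 report.
    """
    n = min(len(keystream), len(encrypted))
    recovered = bytes(c ^ k for c, k in zip(encrypted[:n], keystream[:n]))
    return recovered, n == len(encrypted)


def demo():
    """Walk through the recovery on constructed sample files."""
    key = b"constructed-demo-key"  # constructed; not the real RanRan key
    # A file whose original survived alongside its encrypted copy
    known_original = b"Quarterly report: all figures are provisional. " * 4
    known_encrypted = rc4_crypt(key, known_original)
    keystream = recover_keystream(known_original, known_encrypted)

    # Another file in the same size group, shorter than the known one
    short_file = b"Meeting notes: agenda item 3 deferred."
    short_recovered, short_full = decrypt_with_keystream(
        keystream, rc4_crypt(key, short_file))

    # A file longer than the recovered keystream: only a prefix comes back
    long_file = known_original + b" Appendix: additional tables follow." * 3
    long_recovered, long_full = decrypt_with_keystream(
        keystream, rc4_crypt(key, long_file))

    return {
        "keystream_len": len(keystream),
        "short_ok": short_recovered == short_file and short_full,
        "long_prefix_ok": long_recovered == long_file[:len(keystream)],
        "long_full": long_full,
    }


if __name__ == "__main__":
    print(demo())
```

The recovered keystream is exactly as long as the known original, so a defender with one intact original in each size group can restore every smaller file in that group and the leading bytes of larger ones, which is why the report limits decryption to those cases.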