Security researchers have just found a new ransomware strain that goes to great lengths to provide victims with every detail needed to pay the ransom.
The culprit is called Rokku, and you will know immediately whether you have been infected, because it encrypts all your files and appends the “.rokku” extension to each of them.
Rokku is distributed via spam email carrying all sorts of malware-laced attachments. If such an attachment is downloaded and executed, it starts the Rokku ransomware’s encryption process, which uses a hard-to-break RSA-512 crypto algorithm.
Considering that Rokku demands 0.242 Bitcoin, while experts have managed to crack RSA-512 keys on Amazon EC2 in seven hours for $107 worth of computing power, you may not need to pay the ransom at all.
Compared to other ransomware strains, the crypto appears to be a weak point in its mode of operation; however, the rest of the ransomware looks like the work of an experienced malware creator.
First, Rokku deletes the shadow volume copies from your hard drive, so backup software will not be able to recover unencrypted versions of your files. If you have backups stored offline, you can restore your files from that source. Without offline backups or shadow volume copies, however, recovering the files from the same hard drive is technically impossible.
When the encryption process is complete, Rokku drops its ransom notes, one as a text file and one as an HTML file. The HTML ransom note embeds a Google Translate widget so that victims can translate it into their own language.
Unlike the ransom note, which is quite barren and simply redirects victims to a Tor-based website, the website itself is much richer in detail. Here, victims can unlock one file for free to test the operational state of the author’s decryption process, something that does not always work automatically for all ransomware families.
In addition, the website lays out simple, helpful instructions that the victim must follow in order to pay the ransom. The most intriguing fact about Rokku, though, is that its creator has taken extraordinary steps to make paying the ransom as easy as possible and has even included a QR code for his Bitcoin address.
Scanning the QR code with your phone lets you pay the ransom easily if you have a Bitcoin wallet application installed on your device.
So far, no payments have been received in the Rokku Bitcoin account, but the ransomware was only recently discovered and may not have managed to infect a large number of victims yet.