Smrss32 was only discovered last week. The source file for this ransomware was determined to be smrss32.exe. Since the virus does not have a name, researchers named it after its executable.
The ransom note of Smrss32 introduces the virus as “CryptoWall Software”. However, security expert Michael Gillespie was able to see through this misinformation. He had the following to say: “Among the large wall of text, it does try to call itself ‘CryptoWall Software’, but it is in no way nearly as sophisticated as the real thing. I do not recommend paying the ransom at this time.”
Mr. Gillespie was one of the first researchers to detect Smrss32. The specialists who examined the program concluded that it was created by an inexperienced hacker. The unusually large list of targeted file extensions revealed that he lacked experience in several areas.
MalwareHunterTeam were among the researchers who took notice of Smrss32 because of its large target list. According to their analysis, the developer would have had it “a lot easier to whitelist what not to encrypt than using this approach.”
They also pointed out that the hacker lacked some basic coding knowledge. Most file extensions on the list were duplicated to include both their upper-case and lower-case forms. This was unnecessary: a case-insensitive comparison would have matched both spellings and made the list far shorter.
Smrss32 is still a successful attempt at creating a functional ransomware program. It omits the system folders to avoid damaging core files, since encrypting those would make the OS inoperable. The virus exempts folders whose names contain the following key terms: Windows, Program Files, Program Files (x86), Temp, AppData, Application Data, Program Data, System Volume Information, Boot, Games, Sample Music, Sample Pictures, cache, tmp, winnt, and thumbs.db.
The researchers of MalwareHunterTeam have uncovered a distribution vector the attackers make use of. The assumption is that the hackers penetrate systems through unsecured RDP connections. This makes it possible to manually install the ransomware on targeted devices.
This propagation method has been observed with other ransomware infections, such as Apocalypse, Bucbi, and Shade (Troldesh version).
The malicious program conducts typical tasks. It locks files using the AES encryption algorithm. Since Smrss32 poses as CryptoWall, it appends the .encrypted suffix to the targeted files. The same extension is used by both CryptoWall and Apocalypse.
Smrss32 creates a ransom note in the form of an image. The virus drops a copy of the note on the desktop and in every folder where encrypted files are located. When it completes the encryption, the ransomware deletes the folder it created to install itself.
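The two indicators the article reports (the .encrypted suffix on affected files and a note dropped in every folder that holds them) are what a responder would sweep a share for after an incident. The script below is an added example, not code from the article or from any researcher it quotes: it walks a directory tree, counts affected files per folder, and tallies which original extensions were hit. The suffix match is deliberately case-insensitive, which is exactly the point made above about the malware's duplicated extension list: one `lower()` comparison covers `.encrypted`, `.ENCRYPTED` and any mixed-case variant without listing each spelling. The sample tree, its folder names and file names are constructed for the demonstration.

```python
"""Triage helper: find folders touched by a ransomware family that renames
files with a ".encrypted" suffix (the indicator reported for Smrss32).

Added example, not part of the original article. The directory tree built by
build_sample_tree() is constructed for the demonstration.
"""
import os
import tempfile
from collections import Counter

ENCRYPTED_SUFFIX = ".encrypted"


def is_encrypted_name(name: str) -> bool:
    """True if the file name ends with the indicator suffix, ignoring case.
    One comparison covers .encrypted / .ENCRYPTED / .Encrypted alike."""
    return name.lower().endswith(ENCRYPTED_SUFFIX)


def original_extension(name: str) -> str:
    """Lower-cased extension the file had before the suffix was appended,
    e.g. "report.DOCX.encrypted" -> ".docx"; "" if it had none."""
    stem = name[: -len(ENCRYPTED_SUFFIX)]
    return os.path.splitext(stem)[1].lower()


def scan_tree(root: str) -> dict:
    """Walk `root` and return {relative_folder: number_of_encrypted_files}.
    Folders with no matching files are omitted from the result."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        count = sum(1 for f in files if is_encrypted_name(f))
        if count:
            hits[os.path.relpath(dirpath, root)] = count
    return hits


def extension_histogram(root: str) -> Counter:
    """Count which original extensions were hit, folding case so that
    .DOCX and .docx land in the same bucket."""
    hist = Counter()
    for _dirpath, _dirs, files in os.walk(root):
        for f in files:
            if is_encrypted_name(f):
                hist[original_extension(f)] += 1
    return hist


def build_sample_tree() -> str:
    """Create a constructed directory tree mimicking an affected share.
    Returns the temporary root path."""
    root = tempfile.mkdtemp(prefix="encrypted_suffix_demo_")
    layout = {
        # mixed-case suffixes on purpose: the scanner must catch all of them
        "Documents": ["budget.xlsx.encrypted", "memo.DOCX.ENCRYPTED", "readme.txt"],
        "Pictures": ["holiday.JPG.Encrypted", "photo.jpg"],
        # a folder on the malware's exclusion list, so nothing is renamed here
        "Windows": ["system.dll"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            with open(os.path.join(root, folder, name), "wb") as fh:
                fh.write(b"constructed sample content")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for folder, count in sorted(scan_tree(demo_root).items()):
        print(f"{folder}: {count} encrypted file(s)")
    print(dict(extension_histogram(demo_root)))
```

Run it against a real mount point by passing that path to `scan_tree` instead of the constructed tree; the per-folder counts tell you where to look for the dropped ransom note, and the extension histogram gives an immediate picture of which document types were affected.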
Over a short time period, Smrss32 has had a measure of success. To date, at least 15 people have paid the ransom. The rogue program demands a payment of 1 bitcoin (~$570) to unlock the encrypted files.
The flaws of the creator of Smrss32 have allowed researchers to start unraveling the program. Michael Gillespie is already working on a decrypter for the ransomware. Other investigators have uncovered a possible source for the RDP attacks which may lead them to the hacker’s location.