It turns out that the newly discovered Ransomware-as-a-Service (RaaS) portal is responsible for distributing a brand new ransomware family called Unlock26.
The RaaS portal, known as Dot-Ransomware, was first noticed on February 19, and according to security experts the Unlock26 ransomware appeared the same day. The experts also note that the operation has a fairly minimal, direct style: a few instructions, simple ransom notes and a payment portal.
Criminals who register for the service have to download two files: an unweaponized (not yet configured) ransomware payload named core.exe, and an archive called builder.zip containing the builder and its usage instructions.
The so-called builder is a minimal command-line interface via which affiliates can customize the ransom amount (they can set special decryption prices per country), the targeted file types, the type of encryption (full or first 4MB of each file), as well as the Bitcoin address where victims should send the payment.
To apply the custom settings, an affiliate need only load the core.exe file into the builder, which generates a fully weaponized binary ready for distribution. After that, each affiliate can spread the malicious file by whatever means they choose.
The Unlock26 ransomware appends a .locked-[XXX] extension to the encrypted files, where XXX appear to be three random alpha-numeric characters unique for each victim. As soon as the encryption process has been completed, the malware displays a ransom note which tells victims how to access one of four Tor-to-Web proxy URLs.
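As an added defender-side example (not code from the original report or from the malware), the following Python triage helper ties together two details above: the `.locked-XXX` naming scheme and the builder's choice between full encryption and encrypting only the first 4MB of each file. The function names, the 4 MiB window used as the split point, the 7.0 bits-per-byte entropy threshold and the sample files are all my own assumptions and constructions.

```python
import math
import os
import re
from collections import Counter

# Unlock26 appends ".locked-XXX", XXX being three alphanumerics unique per victim (per the article).
LOCKED_EXT = re.compile(r"\.locked-([A-Za-z0-9]{3})$")
# The partial-encryption mode described in the article covers the first 4MB of each file.
PARTIAL_WINDOW = 4 * 1024 * 1024


def victim_token(filename):
    """Return the three-character victim token from a .locked-XXX name, or None if absent."""
    m = LOCKED_EXT.search(filename)
    return m.group(1) if m else None


def shannon_entropy(data):
    """Bits per byte: close to 8.0 for ciphertext or random bytes, far lower for plain text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_encryption(data, window=PARTIAL_WINDOW, threshold=7.0):
    """Infer the builder mode from entropy of the first `window` bytes versus the remainder.
    Returns "full", "partial", "not-encrypted", or "indeterminate" when the file is not
    longer than the window (both modes then produce an identical, fully encrypted file)."""
    head, tail = data[:window], data[window:]
    if not tail:
        return "indeterminate"
    if shannon_entropy(head) < threshold:
        return "not-encrypted"
    return "partial" if shannon_entropy(tail) < threshold else "full"


def triage(files):
    """files: filename -> content bytes. Returns per-file findings and the victim tokens seen."""
    findings, tokens = {}, set()
    for name, data in files.items():
        tok = victim_token(name)
        if tok is None:
            continue  # not renamed by Unlock26
        tokens.add(tok)
        findings[name] = classify_encryption(data)
    return findings, tokens


def constructed_samples():
    """Constructed sample files (not real victim data): a partially encrypted document with a
    plaintext tail, a small fully encrypted file, a large fully encrypted file and an untouched PDF."""
    return {
        "report.docx.locked-7Qz": os.urandom(PARTIAL_WINDOW) + b"plain tail " * 1000,
        "notes.txt.locked-7Qz": os.urandom(4096),
        "backup.bin.locked-7Qz": os.urandom(PARTIAL_WINDOW + 8192),
        "untouched.pdf": b"%PDF-1.4 " * 200,
    }
```

A single token across all findings on one host matches the article's observation that the suffix is unique per victim; several different tokens on one machine would be worth a second look.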
According to security experts, a signature is hidden in the links displayed by the ransom note, letting the operators distinguish between infected hosts. This also means that infected users have to click the links: typing the visible URLs manually into a browser won't reach the payment portal, as the website checks for the presence of those signatures.
The researchers believe the signatures are included to point each victim to a unique Bitcoin address when accessing the portal. However, the payment website doesn't provide clear instructions on what victims should do after that. Moreover, neither the payment website nor the ransom note tells victims how much they have to pay; instead, the payment website lists the amount in scientific notation as 6.e-002 BTC (i.e., 0.06 BTC).
Considering all of the above, and the fact that the builder contains a bug, the security experts suggest that both the ransomware and the RaaS operation are still under development.