
Ransom:Win32/Nobig


First posted on 10 November 2017.
Source: Microsoft

Aliases:

There are no other names known for Ransom:Win32/Nobig.

Explanation:

Installation

This ransomware is distributed through spam emails with malicious document attachments.

When the malicious document is opened, the ransomware is downloaded and run; it then enumerates and encrypts all files on your PC regardless of their type and extension.

The encrypted files are renamed with “.encrypt” extension. For example, a file named foo.exe will be renamed as foo.exe.encrypt.

Payload

Connects to a remote host

We have seen this ransomware connect to a command and control server hosted on IP Address 5.8.88.237 to register a new user by sending the time stamp, Windows version and “register” string.

This ransomware base64-encodes this information before sending it. Base64 is an encoding, not encryption, so the registration data can be read directly from captured traffic without any key.

For example:

Plain text: 1509768750|||"Microsoft Windows [Version 6.1.7601]"|||000|||register|||000

Base64-encoded: MTUwOTc2ODc1MHx8fCJNaWNyb3NvZnQgV2luZG93cyBbVmVyc2lvbiA2LjEuNzYwMV0ifHx8MDAwfHx8cmVnaXN0ZXJ8fHwwMDA=

Encrypts and renames files

After the ransomware connects to and registers with the C&C server, it enumerates and encrypts all files on the user's machine regardless of their type and extension.

The encrypted files are renamed with “.encrypt” extension.

For example, a file named foo.exe will be renamed as foo.exe.encrypt.

Drops ransom note

This threat also drops a ransom note, a text file named “READ_ME_NOW.txt”, in every folder that contains encrypted files.
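As an added defender-side example (not part of the Microsoft write-up), the following Python decodes a captured beacon and checks it against the five-field "|||" registration layout shown under "Connects to a remote host", and flags the file-name artifacts (".encrypt" suffix, READ_ME_NOW.txt) described in the two sections above. The function names are my own; the sample beacon is the page's own value and the file listing is constructed.

```python
import base64
import binascii
from datetime import datetime, timezone

# The registration beacon quoted in the analysis above, reused here as test input.
SAMPLE_BEACON = ("MTUwOTc2ODc1MHx8fCJNaWNyb3NvZnQgV2luZG93cyBbVmVyc2lvbiA2LjEuNzYwMV0i"
                 "fHx8MDAwfHx8cmVnaXN0ZXJ8fHwwMDA=")


def decode_nobig_beacon(blob):
    """Base64-decode a captured request body and return its fields if it
    matches the '|||'-delimited registration layout; otherwise None.
    Base64 is an encoding, so no key is needed to read the beacon."""
    try:
        raw = base64.b64decode(blob, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    parts = raw.split("|||")
    # Expected layout: timestamp, quoted Windows version, 000, command, 000
    if len(parts) != 5 or not parts[0].isdigit() or parts[2] != "000":
        return None
    return {
        "timestamp": datetime.fromtimestamp(int(parts[0]), tz=timezone.utc),
        "os_version": parts[1].strip('"'),
        "command": parts[3],
    }


def find_nobig_artifacts(paths):
    """Return the entries that look like Nobig output: files renamed with the
    '.encrypt' suffix and the READ_ME_NOW.txt ransom note. Only names are
    inspected; nothing is opened or modified."""
    hits = []
    for p in paths:
        name = p.replace("\\", "/").rsplit("/", 1)[-1]
        if name.lower().endswith(".encrypt") or name == "READ_ME_NOW.txt":
            hits.append(p)
    return hits


if __name__ == "__main__":
    print(decode_nobig_beacon(SAMPLE_BEACON))
    # Constructed directory listing, not taken from a real infection
    print(find_nobig_artifacts([r"C:\Users\a\Documents\foo.exe.encrypt",
                                r"C:\Users\a\Documents\READ_ME_NOW.txt",
                                r"C:\Users\a\Documents\notes.txt"]))
```

The decoded timestamp (4 November 2017 UTC) lines up with the posting date of this analysis, which is a quick sanity check when triaging a captured beacon.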

SHA1 used in this analysis: 11cdb444bb7453b65453d584815005e228a1fe5d

Last update 10 November 2017
