Ransom:Win32/Nobig
First posted on 10 November 2017.
Source: Microsoft
Aliases:
There are no other names known for Ransom:Win32/Nobig.
Explanation:
Installation
This ransomware is distributed through spam emails with malicious document attachments.
When opened, the malicious document downloads and runs the ransomware, which then enumerates and encrypts all files on your PC regardless of their type and extension.
The encrypted files are renamed with a “.encrypt” extension. For example, a file named foo.exe is renamed to foo.exe.encrypt.
Payload
Connects to a remote host
We have seen this ransomware connect to a command-and-control server hosted at IP address 5.8.88.237 to register a new user by sending a timestamp, the Windows version and the string “register”.
This ransomware base64-encodes this information before sending it. Base64 is an encoding, not encryption, so the registration message is trivially recoverable from captured traffic.
For example:
Plain text: 1509768750|||"Microsoft Windows [Version 6.1.7601]"|||000|||register|||000
Base64-encoded: MTUwOTc2ODc1MHx8fCJNaWNyb3NvZnQgV2luZG93cyBbVmVyc2lvbiA2LjEuNzYwMV0ifHx8MDAwfHx8cmVnaXN0ZXJ8fHwwMDA=
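As an added example (not part of the Microsoft write-up), the following detector decodes long base64 tokens found in proxy or firewall log lines and checks whether each one parses as the five-field, "|||"-separated registration message shown above. The log-line format is hypothetical and the sample lines are constructed; the C2 address and the first beacon are the values quoted on this page.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Iterable, Iterator, Optional, Tuple

# Decoded beacon layout, five "|||"-separated fields (from the write-up):
#   <unix timestamp>|||"<Windows version banner>"|||000|||register|||000
FIELD_SEP = "|||"
REGISTER_MARKER = "register"
VERSION_RE = re.compile(r'^"Microsoft Windows \[Version [0-9.]+\]"$')
# Runs of base64 long enough to hold a beacon (the page's sample is 100 chars).
TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

@dataclass(frozen=True)
class NobigBeacon:
    timestamp: int
    windows_version: str

def parse_nobig_beacon(token: str) -> Optional[NobigBeacon]:
    """Return a NobigBeacon if `token` base64-decodes to a registration message, else None."""
    try:
        text = base64.b64decode(token.strip(), validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None  # not valid base64, or not printable ASCII: cannot be this beacon
    fields = text.split(FIELD_SEP)
    if len(fields) != 5:
        return None
    ts, version, _, action, _ = fields
    if not ts.isdigit() or action != REGISTER_MARKER or not VERSION_RE.match(version):
        return None
    return NobigBeacon(timestamp=int(ts), windows_version=version.strip('"'))

def scan_lines(lines: Iterable[str]) -> Iterator[Tuple[int, NobigBeacon]]:
    """Yield (line_number, beacon) for every log line carrying a token that parses as a beacon."""
    for line_no, line in enumerate(lines, start=1):
        for token in TOKEN_RE.findall(line):
            beacon = parse_nobig_beacon(token)
            if beacon is not None:
                yield line_no, beacon

# Constructed proxy-log lines (hypothetical format); the C2 IP and the first
# body are the values quoted on this page, the third body is a non-beacon blob.
NOT_A_BEACON = base64.b64encode(b"hello world, this is not a beacon at all").decode()
SAMPLE_LOG = [
    "2017-11-04 03:32:30 10.0.0.15 POST http://5.8.88.237/ body=MTUwOTc2ODc1MHx8fCJNaWNyb3NvZnQgV2luZG93cyBbVmVyc2lvbiA2LjEuNzYwMV0ifHx8MDAwfHx8cmVnaXN0ZXJ8fHwwMDA=",
    "2017-11-04 03:33:01 10.0.0.15 GET http://example.invalid/index.html 200",
    "2017-11-04 03:34:12 10.0.0.22 POST http://5.8.88.237/ body=" + NOT_A_BEACON,
]
```

Running `list(scan_lines(SAMPLE_LOG))` flags only the first line; the version regex and the "register" marker keep ordinary base64 blobs from triggering.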
Encrypts and renames files
After the ransomware connects and registers with the C&C server, it enumerates and encrypts all files on the user's machine regardless of their type and extension.
The encrypted files are renamed with a “.encrypt” extension.
For example, a file named foo.exe is renamed to foo.exe.encrypt.
Drops ransom note
This threat also drops the ransom note, a text file named “READ_ME_NOW.txt”, in every folder that contains encrypted files.
SHA1 used in this analysis: 11cdb444bb7453b65453d584815005e228a1fe5d
Last update: 10 November 2017