First posted on 10 November 2017.
There are no other names known for Ransom:Win32/Nobig.
This ransomware is distributed though spam emails with malicious document attachments.
When opened, the malicious document gets downloaded, runs, then it enumerates and encrypts all files your PC regardless of their type and extension.
The encrypted files are renamed with “.encrypt” extension. For example, a file named foo.exe will be renamed as foo.exe.encrypt.
Connects to a remote host
We have seen this ransomware connect to a command and control server hosted on IP Address 18.104.22.168 to register a new user by sending the time stamp, Windows version and “register” string.
This ransomware uses base64 encryption to encrypt this information before sending it.
Plain text: 1509768750|||"Microsoft Windows [Version 6.1.7601]"|||000|||register|||000
Encrypts and renames files
After the ransomware connects and registers through the C&C server, it enumerates and encrypts all files on user's machine regardless of their type and extension.
The encrypted files are renamed with “.encrypt” extension.
For example a file named foo.exe will be renamed as foo.exe.encrypt.
Drops ransom note
This threat also drops the ransomware note, a text file named “READ_ME_NOW.txt”, in every folder that contains the encrypted files.
SHA1 used in this analysis: 11cdb444bb7453b65453d584815005e228a1fe5d
Last update 10 November 2017