A new ransomware called RensenWare was discovered today by MalwareHunterTeam that makes a unique ransom demand: score over 0.2 billion in the LUNATIC level of TH12 ~ Undefined Fantastic Object or kiss your files goodbye! While I do not think this ransomware was ever meant to be distributed, it shows what a creative developer can do to torment their victims.

Update 4/6/17 4:05 PM: As predicted, this ransomware appears to be a joke. According to a tweet by Shinjo Park, the ransomware developer infected himself.

Update 4/7/17: The RensenWare developer reached out to BleepingComputer and MalwareHunterTeam to tell us that the program was meant to be a joke. They also released a tool that would force TH12 to get the score needed to decrypt the files.

How RensenWare Encrypts a Computer

When MalwareHunterTeam gave me the sample, it kept crashing when I tested it. This was because it used the GetLogicalDrives function, which lists all the drives on the computer, even those that are not fixed disks. This, combined with a lack of proper error handling, meant it would crash every time it tried to encrypt something on my CD drive. To get it to run, I had to modify the code so that it would only target the C: drive on my test box.

Once I was able to get it to run, RensenWare would scan a computer for certain file types and encrypt them using AES-256 encryption. When it encrypted a file it would append the .RENSENWARE extension to it. This means a file named test.jpg would be encrypted as test.jpg.RENSENWARE.

RensenWare Encrypted Files

The file extensions targeted by RensenWare are:

.jpg, .txt, .png, .pdf, .hwp, .psd, .cs, .c, .cpp, .vb, .bas, .frm, .mp3, .wav, .flac, .gif, .doc, .xls, .xlsx, .docx, .ppt, .pptx, .js, .avi, .mp4, .mkv, .zip, .rar, .alz, .egg, .7z, .raw

Furthermore, while encrypting files, it did not try to delete shadow volumes or create any other methods to prevent a victim from restoring their files. This further makes me think this ransomware was created as a joke or to torment a particular group of people.

Would you like to play a game?

When RensenWare finishes encrypting a computer, it will display a ransom note featuring Captain Minamitsu Murasa from the Touhou Project series of shooting games made by Team Shanghai Alice. This screen tells the victim that their files have been encrypted and that they must score over 0.2 billion in the Lunatic level of a Touhou Project game called TH12 ~ Undefined Fantastic Object. If they do not reach that score, or if they close the ransomware, their files will be lost forever.

RensenWare Lock Screen

The text of the RensenWare ransom note is:

Minamitsu "The Captain" Murasa encrypted your precious data like documents, musics, pictures, and some kinda project files. it can't be recovered without this application because they are encrypted with highly strong encryption algorithm, using random key. That's easy. You just play TH12 ~ Undefined Fantastic Object and score over 0.2 billion in LUNATIC level. this application will detect TH12 process and score automatically. DO NOT TRY CHEATING OR TEMRMINATE THIS APPLICATION IF YOU DON'T WANT TO BLOW UP THE ENCRYPTION KEY!

Unfortunately, this is not an idle threat from the developer. RensenWare does not save the decryption key unless you beat this score, and if you shut the process down, the key is lost forever.

TH12: Undefined Fantastic Object Lunatic Level

In order to monitor the score, the ransomware will look for a process called "th12" and, if detected, will read the process's memory to determine the current score and level of the game. If the victim is in the Lunatic level and has scored over 0.2 billion points, the ransomware will save the key to the Desktop and initiate the decryption process.

Checking Score of TH12

As the developer is not looking to generate revenue from this ransomware, this program was most likely created as a joke. Regardless of the reasons, it illustrates another new and innovative way that a ransomware can be developed.



Files associated with RensenWare:

rensenWare.exe

Hash:

SHA256: 7bf5623f0a10dfa148a35bebd899b7758612f1693d2a9910f716cf15a921a76a
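For triage on a host where RensenWare may have run, the indicators in this article (the appended .RENSENWARE extension, the targeted file types, and the sample hash) can be checked with a short script. This is an added example, not code from the original article or from the ransomware itself; the function names `triage` and `sha256_file` are illustrative.

```python
import hashlib
import os
import sys
from pathlib import Path

# Added example (function names are illustrative). Indicators come from the article.
ENCRYPTED_SUFFIX = ".rensenware"  # compared case-insensitively
SAMPLE_SHA256 = "7bf5623f0a10dfa148a35bebd899b7758612f1693d2a9910f716cf15a921a76a"
TARGETED = set(
    ".jpg .txt .png .pdf .hwp .psd .cs .c .cpp .vb .bas .frm .mp3 .wav .flac "
    ".gif .doc .xls .xlsx .docx .ppt .pptx .js .avi .mp4 .mkv .zip .rar .alz "
    ".egg .7z .raw".split()
)

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large binaries are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def triage(root):
    """Return (encrypted, still_plain, samples) for the tree under root."""
    encrypted, still_plain, samples = [], [], []
    # os.walk skips directories it cannot list (empty optical drive, denied folder).
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = Path(dirpath) / name
            lower = name.lower()
            if lower.endswith(ENCRYPTED_SUFFIX):  # encrypted: recover the original name
                encrypted.append((str(path), name[: -len(ENCRYPTED_SUFFIX)]))
            elif path.suffix.lower() in TARGETED:  # targeted type, not renamed
                still_plain.append(str(path))
            elif lower.endswith(".exe"):  # compare executables to the published hash
                try:
                    if sha256_file(path) == SAMPLE_SHA256:
                        samples.append(str(path))
                except OSError:
                    continue  # locked or unreadable file: skip it
    return encrypted, still_plain, samples

if __name__ == "__main__":
    enc, plain, hits = triage(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(f"{len(enc)} encrypted, {len(plain)} targeted but intact, {len(hits)} sample match(es)")
    for path, original in enc:
        print(f"  {path} (was {original})")
```

A non-empty `still_plain` list alongside encrypted files suggests the encryption pass did not complete, which matters when deciding what to restore from backups or shadow copies.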

Lock Screen Text: