Symantec has learned of a new crypto ransomware threat (Trojan.Cryptolocker.S) that is infecting computers in Australia. The malware encrypts images, videos, documents, and more on the compromised computer and demands up to AU$1,000 (US$791) to decrypt these files. On analysis, we discovered that the theme used in this attack was styled around the now famous TV show Breaking Bad.

The malware authors cooked up their ransom demand message using the ‘Los Pollos Hermanos’ branding image found in the show. Along with this, part of the email address used in the extortion demand is based on a quote by the show’s protagonist Walter White, who declared "I am the one who knocks."



Figure 1. Trojan.Cryptolocker.S ransom demand

We believe that the crypto ransomware uses social engineering techniques as a means of infecting victims. The malware arrives through a malicious zip archive, which uses the name of a major courier firm in its file name. This zip archive contains a malicious file called ‘PENALTY.VBS’ (VBS.Downloader.Trojan) which when executed, downloads the crypto ransomware onto the victim’s computer. The threat also downloads and opens a legitimate .pdf file to trick users into thinking that the initial zip archive was not a malicious file.

Based on our initial analysis, the threat appears to be using components or similar techniques to an open-source penetration-testing project, which uses Microsoft PowerShell modules. This allows the attackers to run their own PowerShell script on the compromised computer to operate the crypto ransomware.

The malware encrypts files using a random Advanced Encryption Standard (AES) key. This key is then encrypted with an RSA public key so that victims can only decrypt their files by obtaining the private key from the attackers.

The crypto ransomware targets files with the following extensions for encryption:

.ai

.crt, .csv

.db, .doc, .docm, .docx, .dotx

.gif

.jpeg, .jpg

.lnk

.mp3, .msi

.ods, .one, .ost

.p12, .pdf, .pem, .pps, .ppsx, .ppt, .pptx, .psd, .pst, .pub

.rar, .raw, .rtf

.tif, .txt

.vsdx

.wma

.xls, .xlsm, .xlsx, .xml

.zip

The ransom demand links to a legitimate video tutorial on how to obtain Bitcoins. The attackers did this to assist victims with paying the ransom.



Figure 2. Trojan.Cryptolocker.S ransom payment page

The threat also opens another YouTube video in the background. This video is a song used in a fictional radio station in the game Grand Theft Auto V, which some fans believe is a shout-out to Breaking Bad.

Symantec continues to be on the lookout for new crypto ransomware and Symantec and Norton customers are protected against this latest threat through our Trojan.Cryptolocker.S detection. Please visit our Ransomware: How to stay safe blog for more information and timely advice on how to stay safe from the dangers of crypto ransomware.