Psychological manipulation is heavily used in cyber attacks, especially in phishing and ransomware compromise attempts.

As with all online scams, the attackers’ main objective is simple: to make as much money and steal as much data as possible. So, in their malicious pursuit, they’ll come up with new tactics to force their victims into complying with their conditions. Encrypting ransomware, such as CryptoWall or TeslaCrypt, is proof.

So when a new ransomware strain started to circulate a few days ago, it attracted attention.

Source: CERT-RO’s Facebook page

New ransomware strains are created constantly, so that’s nothing new, but the ransom note in this particular strain was quite surprising. It promises to donate the ransom money to charity.

Here’s what the ransom note says, after encrypting all the data on the infected PC:

Dear User, to decrypt your files You will need a special software with your special unique private key. Price of software and your private key is 5 bitcoins. With this product you can decrypt all your files and protect Your system!!! Protect!!! Your system will be without any vulnerability. Also You will have a FREE tech support for solving any PC troubles for 3 years! You can buy bitcoins through this bitcoin web site https://localbitcoins.com/ Register there and find a nearest Bitcoin seller. It`s easy! Choose more comfortable payment method for buying Bitcoin! After that You should send 5 bitcoins to the bitcoin wallet address:

1KWJ3rEvKs6z3suztfKv3zKAcqzQa3VVPh All this process is very easy! It`s like a simple money transfer. And now most important information: Your money will be spent for the children charity. So that is mean that You will get a participation in this process too. Many children will receive presents and medical help! And We trust that you are kind and honest person! Thank You very much! We wish You all the best! Your name will be in the main donors list and will stay in the charity history! P.S> When your payment will be delivered you will receive your software with private key IMMEDIATELY! P.P.S> In the next 24 hours your price will be doubled by the Main Server automatically. So now you have a chance to restore your PC with low price! Best regards, Charity Team

So it wasn’t enough that they kidnapped the data and set a time limit for the payment, after which the ransom would double, but they had to play the charity card as well?

This line is particularly flabbergasting: “We trust that you are kind and honest person”, given that the victim has no other alternative if he/she doesn’t have a data backup to counteract the attack.

And the ransom is quite hefty as well: 5 bitcoins averages to $2200 at the current price per bitcoin. That is quite expensive!

But don’t think that the ransomware’s code is a joke, because the threat is as serious as can be. This new strain, which currently lacks an identifying name, reuses large parts of open-source malware code. For example, this ransomware is a CryptoWall 4 variant and it also includes CryptXXX components.

If you think that you can use the CryptXXX decryption tool on this one, know that the malicious actors behind this strain have fixed the implementation errors that allowed the decryption tool created by Kaspersky to work.

This new strain is delivered by the usual methods, spam emails and drive-by attacks, which have become the norm in ransomware attacks.

The payment instructions, in the files dropped on the victim’s system after the encryption is finished, mention two email addresses: xoomx[@]dr.com and xoomx[@]usa.com.

HELP_YOUR_FILES.html: CryptXXX

HELP_YOUR_FILES.txt: Cryptowall 4.0
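For incident scoping, the dropped-file names and contact details above can be swept for across local and mapped drives. The following is an added example, not code from this article or from CSIS; it assumes the dropped notes contain the contact addresses and wallet address quoted here as plain text, and the function names and sample directory tree are constructed for illustration.

```python
import os
import re
import tempfile

# Indicators quoted in the article; assumed to appear as text in the notes.
NOTE_NAMES = {"help_your_files.html", "help_your_files.txt"}
CONTACT_RE = re.compile(r"xoomx\[?@\]?(dr|usa)\.com", re.IGNORECASE)
WALLET = "1KWJ3rEvKs6z3suztfKv3zKAcqzQa3VVPh"

def scan_for_notes(root, max_bytes=65536):
    """Return one finding per file under root whose name matches a note name."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in NOTE_NAMES:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    text = fh.read(max_bytes).decode("utf-8", errors="replace")
            except OSError:
                text = ""  # unreadable file: keep it as a name-only match
            # Report contacts in defanged form, whichever form the file used.
            contacts = sorted({f"xoomx[@]{m.group(1).lower()}.com"
                               for m in CONTACT_RE.finditer(text)})
            has_wallet = WALLET in text
            findings.append({"path": path, "directory": dirpath,
                             "contacts": contacts, "wallet": has_wallet,
                             # A matching name alone is weak; content confirms.
                             "confirmed": bool(contacts) or has_wallet})
    return findings

def affected_directories(findings):
    """Directories holding a confirmed note, as a starting point for scoping."""
    return sorted({f["directory"] for f in findings if f["confirmed"]})

def build_sample_tree():
    """Constructed sample data: two notes with indicators, one benign file."""
    root = tempfile.mkdtemp(prefix="note_scan_")
    samples = {
        ("share", "finance", "HELP_YOUR_FILES.txt"): "contact xoomx@usa.com",
        ("share", "hr", "HELP_YOUR_FILES.html"): f"<p>xoomx[@]dr.com {WALLET}</p>",
        ("docs", "help_your_files.txt"): "printer setup notes",
    }
    for parts, body in samples.items():
        os.makedirs(os.path.join(root, *parts[:-1]), exist_ok=True)
        with open(os.path.join(root, *parts), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root
```

Running `scan_for_notes` against a drive or share root and passing the result to `affected_directories` gives a first list of locations to check against backups; name-only matches are kept in the findings but marked unconfirmed.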

The list of file types that this ransomware can encrypt is quite long, and it seems that the attackers haven’t left anything out.


As has become standard, the malicious encryption affects not only the information on the infected PC, but also data available on network drives.

At this point, you may ask yourself:

Could all this money really go to charity or is it just another trick?

While there’s no way of telling the truth (at the moment), we can hardly trust cyber criminals to have a kind and generous side to them. Real life is nothing like the movies.

What you can do is follow some top tips to keep your data safe from ransomware and, in case you do get hit, not pay the ransom. Even the FBI came around after last year’s statements, and it is now emphasizing that:

The FBI doesn’t support paying a ransom in response to a ransomware attack.

Source.

So it’s up to you to do anything you can to keep your data safe. Remember that having multiple backups is always the best solution.

Later edit [May 6, 2016]: Sightings of this ransomware strain were also reported a few days prior to our article and even earlier, in April.


* This article features cyber intelligence provided by CSIS Security Group researchers.