A new ransomware was discovered today by MalwareHunterTeam called Spectre. This ransomware is currently in testing mode by the developer, but due to the time and effort that has been put into its creation, I would not be surprised to see this go into distribution soon. With this in mind, I decided to play with the sample a bit and create a quick writeup on the Spectre ransomware from my own analysis.

For those who may become infected with this ransomware in the future, you can ask for help in our dedicated Spectre Ransomware Support & Help Topic.

Spectre is Currently in Testing Mode

When Spectre is installed, it first connects to its Command & Control (C2) server at a0142503.xsph.ru/testing.php?mode=a1. The C2 server responds with a unique victim ID, a bitcoin address, and the public key that will be used to encrypt the victim's files. Because the key is fetched from the server, this request happens before any file is touched and is the earliest network indicator of an infection.

The ransomware then deletes the volume shadow copies, so that files cannot be restored through Windows' Volume Shadow Copy Service, and scans the computer for files with certain extensions. The current, and very small, list of targeted extensions is:

.txt, .doc, .docx, .pdf, .rtf, .xls, .xlsx, .ppt, .pptx, .bmp, .jpg, .jpeg, .gif, .tiff, .png, .wav, .mpeg, .avi, .zip, .rar, .wmv

When Spectre encounters a file with one of the above extensions, it encrypts the file using AES, scrambles the filename, and appends the .spectre extension. For example, test.jpg may be encrypted and renamed to +1JAZ2Gafj5Y4ZRGJlsyWw==.spectre. The new name is syntactically valid Base64 (24 characters with == padding decode to exactly 16 bytes, the size of one AES block), but the decoded bytes are not readable text. The original filename is therefore most likely encrypted before being Base64-encoded, rather than simply encoded in some other scheme.
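To show what the "Base64 that does not decode" observation actually means in practice, here is an added triage helper (my own example, not code from the sample or the original write-up) that walks a directory listing and flags names that fit the observed pattern: a .spectre extension on a stem that is valid Base64 and decodes to a whole number of 16-byte AES blocks. The listing is constructed; only the first name is taken from the write-up, and the 16-byte-multiple rule is an assumption drawn from that single observed name.

```python
import base64
import binascii
import re

# Constructed directory listing for the demo; only the first name is from the
# write-up, the rest are made up to exercise the negative cases.
SAMPLE_LISTING = [
    "+1JAZ2Gafj5Y4ZRGJlsyWw==.spectre",  # the renamed test.jpg shown above
    "HowToDecryptIMPORTANT!.txt",         # ransom note, not an encrypted file
    "report.docx",                        # untouched document
    "QUJD.spectre",                       # valid Base64 but only 3 bytes: not a whole block
    "not base64!.spectre",                # wrong alphabet / wrong length
]

_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decoded_length(stem):
    """Byte length of the Base64-decoded stem, or None if it is not valid Base64."""
    if len(stem) % 4 or not _B64_RE.match(stem):
        return None
    try:
        return len(base64.b64decode(stem, validate=True))
    except (binascii.Error, ValueError):
        return None


def is_spectre_name(name):
    """True when a basename matches the observed pattern: a Base64 stem that decodes
    to a whole number of 16-byte AES blocks, followed by the .spectre extension.
    The 16-byte-multiple check is an assumption based on the one observed name."""
    stem, dot, ext = name.rpartition(".")
    if not dot or ext.lower() != "spectre":
        return False
    n = decoded_length(stem)
    return n is not None and n > 0 and n % 16 == 0


def triage(names):
    """Return (name, decoded_size) for every name that looks like a Spectre-encrypted file."""
    return [(n, decoded_length(n.rpartition(".")[0])) for n in names if is_spectre_name(n)]


if __name__ == "__main__":
    for name, size in triage(SAMPLE_LISTING):
        print(f"{name}: stem decodes to {size} raw bytes")
```

Running it reports the example name as decoding to 16 raw bytes, while the ransom note, untouched files, and a Base64 stem of the wrong length are all skipped. Treat the block-size check as a heuristic: if a future build encrypts names with a different mode or adds a nonce, the decoded length will change and the rule needs revisiting.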

Encrypted Files

When it has finished encrypting files, it makes a second request to the C2 server (mode=a2) that reports the number of files encrypted along with the victim ID.

Spectre then displays the HowToDecryptIMPORTANT!.txt ransom note, which is dropped on the desktop and in every folder where a file was encrypted. The note contains the victim's unique ID and a link to the payment site.

Ransom Note

This payment site is described more in the next section.

Spectre Offers a Dedicated Payment Site

Unlike most of the ransomware infections we have seen lately, the developers of Spectre have built a dedicated payment site. The site is currently hosted on the open web rather than as a Tor hidden service, which is unusual; since this is still a test build, the intent may be to move it to Tor eventually.

When a victim visits the site, they are presented with a login screen where they must enter the unique ID from their ransom note. Once logged in, they see a home page with navigation links to FAQ, Support, and Decryptor pages.

The home page provides basic information as to what happened with the victim's files and the ransom amount.

Payment Site Home Page

The FAQ page contains answers to frequently asked questions.

FAQ Page

The support page contains a form where a victim can enter an email address and a message. This is a bit strange, as it would be safer for the operators to avoid email altogether and use some sort of web chat system instead.

Support Page

Finally, the decryptor page provides instructions on how to pay the ransom and get your files back.

Decryptor Page

While the ransomware is fully functional and has a dedicated payment site, that does not mean it will definitely be distributed. Only time will tell, but we will keep an eye on this new ransomware and determine whether it can be decrypted in the future.



IOCs

Hashes associated with the Spectre Ransomware

SHA256: 892f3d3295171fbb0da653d77fa89c4ae35fd3437b13ac489c80db673a6f0f2c

Files associated with the Spectre Ransomware

systemlog.exe

Network Traffic associated with the Spectre Ransomware:

a0142503.xsph.ru/testing.php?mode=a1
a0142503.xsph.ru/testing.php?mode=a2&crypted=[encrypted_file_count]&id=[victim_id]
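The two C2 requests listed above (the mode=a1 key request described at the start of the analysis and the mode=a2 completion report) are the network indicators most worth alerting on. The following is an added example of detection logic run over proxy log lines; it is my own code, not part of the original write-up or the sample. The log format ("time client method url") and the victim ID and file count values are constructed for the demo; only the host, path and parameter names come from the IOCs above.

```python
import re
from urllib.parse import parse_qs, urlsplit

C2_HOST = "a0142503.xsph.ru"
C2_PATH = "/testing.php"

# Constructed proxy log in "time client method url" form; not real captures, and the
# victim ID / file count values are made up.
SAMPLE_LOG = """\
10:01:02 10.0.0.15 GET http://a0142503.xsph.ru/testing.php?mode=a1
10:01:03 10.0.0.15 GET http://example.com/index.html
10:07:44 10.0.0.15 GET http://a0142503.xsph.ru/testing.php?mode=a2&crypted=1342&id=abc123
10:08:00 10.0.0.22 GET http://a0142503.xsph.ru/other.php?mode=a1
"""

_LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")


def classify_request(url):
    """Describe a Spectre C2 request, or return None if the URL is not one.

    mode=a1 is the key request made before encryption starts; mode=a2 is the
    completion report carrying the victim ID and the number of encrypted files.
    """
    parts = urlsplit(url)
    if parts.hostname != C2_HOST or parts.path != C2_PATH:
        return None
    query = parse_qs(parts.query)
    mode = query.get("mode", [None])[0]
    if mode == "a1":
        return {"stage": "key-request"}
    if mode == "a2":
        count = query.get("crypted", [""])[0]
        return {
            "stage": "encryption-report",
            "victim_id": query.get("id", [None])[0],
            "encrypted_files": int(count) if count.isdigit() else None,
        }
    # Same endpoint with an unknown mode: still worth surfacing, a new build may add stages.
    return {"stage": "unknown-mode", "mode": mode}


def scan_log(text):
    """Return one record per matching request, keeping client and time for triage."""
    hits = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        info = classify_request(m.group("url"))
        if info is not None:
            hits.append({"ts": m.group("ts"), "src": m.group("src"), **info})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

On the constructed log this yields two hits for 10.0.0.15: the key request, and six minutes later an encryption report naming the victim ID and 1342 encrypted files. The a1 hit is the one to page on, since it precedes any file damage; the a2 hit tells the responder which ID the victim will need on the payment portal and roughly how much was encrypted. Whether the sample still encrypts when the C2 is unreachable is not established by this analysis, so do not rely on blocking the host alone.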

Spectre Ransom Note Text: