Update 10/15/16: I have updated the article below to address that this ransomware is not continuously monitoring for files. When the ransomware runs it will target the %Desktop% first and then encrypt other folders. The last folder that is encrypted is the %UserProfile% folder, which also included the Desktop. So it appeared that it was continuously monitoring for new files, when in fact it was just encrypting %UserProfile% again and thus the Desktop got hit twice.

The Exotic Ransomware is a new infection released by a malware developer going by the alias of EvilTwin or Exotic Squad. Discovered on October 12th by MalwareHunterTeam, the Exotic Ransomware will encrypt all files, including executables, in targeted folders on a victim's computer. When finished it will display a Jigsaw Ransomware-like ransom note that demands $50 USD to decrypt the files.

The Exotic ransomware appears to be currently in development mode, with three variants released over the past three days, According to MalwareHunterTeam, the first variant contained an image of Hitler as part of the background to the ransom note, the second included a different picture of Hitler and some text, and the third contains the Jigsaw-like screenlocker shown in the video above.

Hitler Background from Version 2

In general, there is nothing particularly innovative about this ransomware, other than it targets executables as well. This causes not only your data to be encrypted, but your programs to be unusable as well.

Exotic targets Executable Files

Most ransomware infections only target data files and leave the executables alone. With Exotic, when it encrypts a particular folder it will also encrypt the executables in these folders, which makes the programs unusable.

Thankfully, most programs are properly stored in folders that are not targeted by Exotic. On the other hand, if you had downloaded files and stored them under the %UserProfile% folder, such as the Downloads folder, then these files will now be encrypted as well.

The Exotic Ransomware Encryption Process

Thanks to MalwareHunterTeam, I was able to get a copy of the source code for the Exotic Ransomware to see exactly how it works. When the ransomware starts it will scan certain folders for files that have specific extensions. When it encounters a targeted file extension, it will encrypt the file using AES-128 encryption, rename the file, and append the .exotic extension to them. For example, a file called test.jpg could be encrypted as the file name 87as.exotic.

Encrypted Files

As previously mentioned, when Exotic encrypts a computer it is currently only targeting specific folders. These folders are:

%UserProfile%\Desktop %UserProfile%\MyMusic %UserProfile%\Personal %UserProfile%\MyVideos %UserProfile%\Contacts\ %UserProfile%\Downloads\ %UserProfile%\MyPictures /vmware-host/ %UserProfile%

The file types that Exotic will encrypt are:

.txt .exe .text .cur .contact .ani .xls .com .url .ppt .src .cmd .tgz .fon .pl .lib .load .CompositeFont .png .exe .mp3 .mkv .veg .mp4 .lnk .zip .rar .7z .jpg .sln .crdownload .msi .vb .vbs .vbt .config .settings .resx .vbproj .json .jpeg .scss .css .html .hta .ttc .ttf .eot .camproj .m4r .001 .002 .003 .004 .005 .006 .007 .008 .009 .au .aex .8be .8bf .8bi .abr .adf .apk .ai .asd .bin .bat .gif .3dm .3g2 .exe .3gp .aaf .accdb .aep .aepx .aet .ai .aif .arw .as .as3 .asf .asp .asx .avi .bay .bmp .cdr .cer .class .cpp .contact .cr2 .crt .crw .cs .csv .dll .db .dbf .dcr .der .dng .doc .docb .docm .docx .dot .dotm .dotx .dwg .dxf .dxg .efx .eps .erf .fla .flv .iso .idml .iff .ini .sik .indb .indd .indl .indt .ico .inx .jar .jnt .jnt .java .key .kdc .m3u .m3u8 .m4u .max .mdb .mdf .mef .mid .mov .mpa .mpeg .mpg .mrw .msg .nef .nrw .odb .odc .odm .odp .ods .odt .orf .p12 .p7b .p7c .pdb .pdf .pef .pem .pfx .php .plb .pmd .pot .potm .potx .ppam .ppj .pps .ppsm .ppsx .ppt .pptm .pptx .prel .prproj .ps .psd .pst .ptx .r3d .ra .raf .raw .rb .rtf .rw2 .rwl .sdf .sldm .sldx .sql .sr2 .srf .srw .svg .swf .tif .vcf .vob .wav .wb2 .wma .wmv .wpd .wps .x3f .xla .xlam .xlk .xll .xlm .xls .xlsb .xlsm .xlsx .xlt .xltm .xltx .xlw .xml .xqx

The ransomware will then download a background image for the lock screen from http://mitteoderso.de/image.png and save it into the %Temp% folder. The ransomware will then display the lock screen as shown in the video above and the image below.

Exotic Lock Screen

While the program is running it will look for certain processes and terminate them if found. The processes terminated by Exotic are:

taskmgr cmd procexp procexp64 regedit CCleaner64 msconfig

Finally, the ransomware will continue to monitor the folders listed above for new unencrypted files and encrypt them. When the timer reaches 0, Exotic will shutdown the computer.

The ransomware will also copy itself to the %UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe file, but will just become encrypted by the ransomware. Therefore, on reboot the ransomware will no longer be active.

As already stated, this ransomware appears to be currently in development mode, so you should not be seeing it in the wild as of yet. If anyone does encounter it, please let us know in the comments.

