CyberWisdom Safe Harbor Commentary on Spritecoin Ransomware
The ransomware itself poses as a “SpriteCoin” cryptocurrency wallet: it asks the user to create a wallet password, then claims to be downloading the blockchain while it is actually encrypting the victim’s data files.
The malware demands a ransom of 0.3 Monero (about $105 at the time of writing) and drops a “Your files are encrypted” ransom note on the target system.
The malware embeds a SQLite engine, which leads the researchers to believe it also harvests credentials from the Chrome and Firefox credential stores. The malicious code appends the .encrypted extension to every file it encrypts (e.g. resume.doc.encrypted).
Alongside the decryption step, Spritecoin also deploys a second piece of malware that can harvest certificates, parse images and control the webcam.
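As an added example (not code from this post or from Fortinet’s report), the following Python triage script walks a directory for files carrying the appended .encrypted extension, recovers each file’s original name, and uses a byte-entropy check to separate real ciphertext from a file that was merely renamed (a decoy or an interrupted run). The entropy threshold and the sample victim directory are constructed for the example.

```python
import math
import os
import tempfile
from pathlib import Path

# Extension Spritecoin appends to every file it encrypts (from the report),
# e.g. resume.doc -> resume.doc.encrypted.
RANSOM_EXTENSION = ".encrypted"

# Entropy threshold (bits per byte) above which content looks encrypted or
# compressed. 8.0 is the maximum; documents and source code usually sit well
# below 6. Assumption: tuned for this example, not taken from the report.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def original_name(encrypted_path: Path) -> str:
    """Recover the pre-encryption filename by stripping the appended extension."""
    return encrypted_path.name[: -len(RANSOM_EXTENSION)]


def find_encrypted_files(root, sample_size: int = 4096) -> list:
    """Walk `root` and report every file carrying the ransom extension.

    Each hit records the recovered original name and the entropy of the first
    `sample_size` bytes, so a renamed-but-unencrypted file can be told apart
    from genuine ciphertext. Results are sorted by path for stable output.
    """
    hits = []
    for path in Path(root).rglob("*" + RANSOM_EXTENSION):
        if not path.is_file():
            continue
        with path.open("rb") as fh:
            head = fh.read(sample_size)
        ent = shannon_entropy(head)
        hits.append({
            "path": str(path),
            "original_name": original_name(path),
            "entropy": round(ent, 3),
            "looks_encrypted": ent >= ENTROPY_THRESHOLD,
        })
    return sorted(hits, key=lambda h: h["path"])


def build_sample_tree() -> str:
    """Constructed test data: a victim directory after a Spritecoin-style run."""
    root = tempfile.mkdtemp(prefix="spritecoin_triage_")
    docs = Path(root) / "Documents"
    docs.mkdir()
    # Stand-in for real ciphertext: os.urandom output is close to 8 bits/byte.
    (docs / "resume.doc.encrypted").write_bytes(os.urandom(4096))
    # Renamed but still plaintext: must be reported as NOT looking encrypted.
    (docs / "notes.txt.encrypted").write_bytes(b"meeting notes\n" * 200)
    # Untouched file: must not appear in the results at all.
    (docs / "budget.xlsx").write_bytes(b"\x00" * 1024)
    return root


if __name__ == "__main__":
    for hit in find_encrypted_files(build_sample_tree()):
        print(hit)
```

The entropy check matters in practice: a file that merely carries the extension but still reads as plaintext was not actually processed by the encryptor, and those are the files worth recovering first.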
“If the victim decides to pay and obtains a decryption key, they will be delivered a new malicious executable [W32/Generic!tr].
“Although we have not fully analyzed this malicious payload, we can verify that it has the ability to activate a webcam and parse certificates and keys, which may leave the victim even more compromised than before.”
The researchers speculate that the ransomware is being distributed through forum spam targeting users interested in cryptocurrencies.
“Attackers often use social engineering and crafted, spoofed malicious emails to entice victims into running these executables, which often use compelling filenames to lure victims into opening them. Often, ransomware requires some user interaction to succeed in compromising the victim’s machine.”
In this case, the threat arrives as a SpriteCoin package (spritecoind[.]exe) posing as a SpriteCoin cryptocurrency wallet.
Once installed on the victim’s machine, the malware prompts the user with “Enter the wallet password you want.”
SpriteCoin ransomware connects to Tor
Once the victim supplies a password, Spritecoin tells the user that the blockchain is being downloaded, while it is actually encrypting the victim’s files.
The ransomware reaches a Tor hidden service through an onion proxy (http://jmqapf3nflatei35[.]onion.link/*), which lets the infected machine communicate with the attacker’s site without needing a Tor client.
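The proxy trick above is worth detecting generically: a Tor2web-style gateway exposes <label>.onion as <label>.<gateway> on the clearnet, so the client needs no Tor software and the request shows up in ordinary proxy or DNS logs. As an added example (not part of the original post or Fortinet’s analysis), the Python below scans constructed proxy-log lines for such gateway hosts, pulls out the hidden-service label, and flags the address named in the report. The simplified log format and the gateway suffixes other than onion.link are assumptions.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Hidden-service address the report ties to Spritecoin (defanged on the
# page as jmqapf3nflatei35[.]onion.link), written out here for matching.
SPRITECOIN_ONION = "jmqapf3nflatei35.onion"

# Tor2web-style gateways: onion.link is the one from the report; the other
# suffixes are assumed additions naming other commonly seen gateways.
TOR2WEB_SUFFIXES = ("onion.link", "onion.to", "onion.cab", "onion.ws")

# <16-char v2 onion label>.<gateway>; base32 labels use only a-z and 2-7.
_GATEWAY_RE = re.compile(
    r"(?:^|\.)([a-z2-7]{16})\.("
    + "|".join(re.escape(s) for s in TOR2WEB_SUFFIXES)
    + r")$",
    re.IGNORECASE,
)


def classify_host(host: str) -> Optional[dict]:
    """Return gateway details for a Tor2web or direct .onion host, else None."""
    host = host.lower().rstrip(".")
    m = _GATEWAY_RE.search(host)
    if m:
        onion = m.group(1) + ".onion"
        return {
            "onion": onion,
            "gateway": m.group(2),
            "known_spritecoin": onion == SPRITECOIN_ONION,
        }
    # A bare .onion name only resolves through Tor itself, but a lookup for
    # one in DNS or proxy logs is still worth flagging.
    if host.endswith(".onion"):
        return {
            "onion": host,
            "gateway": None,
            "known_spritecoin": host == SPRITECOIN_ONION,
        }
    return None


def classify_url(url: str) -> Optional[dict]:
    host = urlsplit(url).hostname or ""
    return classify_host(host) if host else None


# Constructed sample in a simplified proxy-log format (assumption):
# <epoch> <client-ip> <method> <url>
SAMPLE_PROXY_LOG = """\
1516800001.123 10.0.0.15 GET http://jmqapf3nflatei35.onion.link/gate.php
1516800002.456 10.0.0.15 GET http://www.example.com/index.html
1516800003.789 10.0.0.22 POST http://abcdefghijklmnop.onion.to/upload
1516800004.012 10.0.0.31 GET https://docs.python.org/3/library/re.html
"""


def scan_proxy_log(text: str) -> list:
    """Return one finding per log line whose URL host is a gateway or .onion."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, client, method, url = parts[:4]
        hit = classify_url(url)
        if hit:
            findings.append(
                {"ts": ts, "client": client, "method": method, "url": url, **hit}
            )
    return findings


if __name__ == "__main__":
    for finding in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(finding)
```

Matching on the gateway pattern rather than on the single indicator from the report catches the next campaign that swaps in a different hidden service but keeps the same no-Tor-required delivery trick; the exact-match flag is kept so the known Spritecoin address still stands out.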
Source: Researchers from Fortinet FortiGuard Labs discovered a strain of ransomware, dubbed Spritecoin, that accepts only Monero payments and poses as a cryptocurrency-related “spritecoin” wallet that asks the user for a password.
thumbnail courtesy of securityaffairs.co
If you would like to receive more of these curated safe harbor news alerts, subscribe to my mailing list, and come back soon to https://www.safeharboroncyber.com/Blog/ to read further CyberWisdom Safe Harbor Commentaries.