by Tara Seals
January 22, 2018
A new ransomware that only accepts Monero for payment has emerged, attempting to trick victims by masquerading as a password-protected storage mechanism for SpriteCoin. SpriteCoin doesn’t exist, however – it’s a fictional cryptocurrency.
According to Fortinet FortiGuard Labs, the malware claims to be a wallet and asks the user to create a password for it. It doesn’t actually download a blockchain, however; instead, it secretly encrypts the victim’s data files and then demands a ransom in Monero cryptocurrency.
Adding insult to injury, if the ransom is paid, during the decryption phase another piece of malware is deployed with capabilities including certificate harvesting, image parsing and web camera activation.
Fortinet researchers said that the initial file is a packed executable for simple evasion. It displays the typical ransom note telling targets that “your files are encrypted” and asks for a sum of 0.3 Monero – which is equivalent to about $105 at the time of writing.
“During our analysis, we have seen indicators that the sample appears to have an embedded SQLite engine,” explained Fortinet researchers in an analysis. “This leads us to believe it is using SQLite to store harvested credentials. The ransomware first looks to harvest Chrome credentials, and if it finds nothing it then moves on and tries to access the Firefox credential store. It then looks for specific files to encrypt. These files are then encrypted with an encrypted file extension (e.g.: resume.doc.encrypted).”
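The behaviour quoted above, reading the Chrome and then the Firefox credential store before renaming files to a `.encrypted` suffix, is the kind of sequence endpoint file-activity telemetry can flag; the following is an added detection sketch, not code from the article or from Fortinet. The log format, the process names, the alert threshold and the browser credential-store paths are assumptions.

```python
"""Behavioural detection for the harvest-then-encrypt sequence described above (constructed example)."""
import re
from collections import defaultdict

# Assumed default browser credential-store locations; the article names the browsers, not the paths.
CRED_STORE_PATTERNS = [
    re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$", re.I),
    re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(logins\.json|key4\.db)$", re.I),
]
ENCRYPTED_SUFFIX = ".encrypted"   # suffix reported in the analysis (resume.doc.encrypted)
RENAME_THRESHOLD = 5              # assumed tuning value: renames per process before alerting

# Constructed file-activity format: "<pid> <image> READ <path>" or "<pid> <image> RENAME <old> -> <new>"
LOG_LINE = re.compile(r"^(?P<pid>\d+)\s+(?P<image>\S+)\s+(?P<op>READ|RENAME)\s+(?P<path>.+?)(?:\s->\s(?P<newpath>.+))?$")

def parse_event(line):
    """Parse one log line into a dict of fields, or return None if it does not match the format."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None

def detect(lines):
    """Return sorted (pid, image) pairs for processes that read a browser credential
    store AND renamed at least RENAME_THRESHOLD files to *.encrypted."""
    touched_creds, renames, images = set(), defaultdict(int), {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        pid = int(ev["pid"])
        images[pid] = ev["image"]
        if ev["op"] == "READ" and any(p.search(ev["path"]) for p in CRED_STORE_PATTERNS):
            touched_creds.add(pid)
        elif ev["op"] == "RENAME" and ev["newpath"] and ev["newpath"].lower().endswith(ENCRYPTED_SUFFIX):
            renames[pid] += 1
    return sorted((pid, images[pid]) for pid in touched_creds if renames[pid] >= RENAME_THRESHOLD)

# Constructed sample: one suspicious "wallet" process, a benign browser, and a benign backup tool.
SAMPLE_LOG = [
    r"4120 wallet.exe READ C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"4120 wallet.exe READ C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\ab12cd.default\logins.json",
    r"3001 chrome.exe READ C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"7770 backup.exe RENAME C:\Users\alice\Documents\notes.txt -> C:\Users\alice\Documents\notes.txt.bak",
] + [rf"4120 wallet.exe RENAME C:\Users\alice\Documents\doc{i}.doc -> C:\Users\alice\Documents\doc{i}.doc.encrypted"
     for i in range(5)]

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))  # [(4120, 'wallet.exe')]
```

A real deployment would take these events from an EDR or Sysmon-style file event feed rather than a static list, and the threshold would be tuned against normal activity on the host.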
The use of Monero, an open source cryptocurrency created in 2014, signals a shift away from the widely used and accepted standard Bitcoin in the ransomware space, they added.