Ransomware | 05/08/2018

Detailed Technical Analysis of Random Locker Ransomware (SOLVED!)


In this technical analysis of the RandomLocker ransomware, our security experts (HTRI TEAM) review the details of the RandomLocker ransomware campaign and the steps to take to protect against such attacks. This ransomware arrives via an email / phishing campaign.

RandomLocker Ransomware Overview

RandomLocker is a member of the ransomware family. This ransomware arrives via an email / phishing campaign.

This is a new ransomware that was recently captured by security researchers. It mainly targets the Desktop folder and encrypts the contents of the files that match its extension filter criteria.

It appends the .rand extension to the end of each encrypted filename.

Flow Chart

1. Spread via spam emails or phishing campaigns.

2. The victim manually runs the ransomware.

3. It generates the unlock key and shows the paths of the files that are going to be encrypted.

4. Once the victim clicks the Start button, the encryption process starts automatically.

Technical Analysis of RandomLocker Ransomware

File Name: ransomware.exe

MD5: E74337A316AB212978AB38838D184F5D

File Type: Executable

Spread Via: Emails or Phishing Campaign.

Built In: .NET Application

Detailed Analysis with Screenshot:

On execution, this ransomware displays the following window, which generates the unlock key and lists the file paths that will be encrypted if the user clicks the Start button.

Figure 1: RandomLocker Startup Window

As shown above, this ransomware sends the Unlock Key to the attacker's server, where it is stored in a Pass.txt file.

This ransomware requires an internet connection for successful execution; otherwise it throws the exception message (“The remote server returned an error. (502) Bad Gateway”).

Figure 2: Network Error

On clicking the Start button, it initiates the encryption process on the preloaded file paths.

This ransomware mainly targets the “Desktop Folder” on the system.

This ransomware does not encrypt or delete the “volume shadow copies” or restore points on the system. As shown below, the victim can easily recover the files by using the restore points functionality.

Figure 3: Restore Points

This ransomware encrypts only those files that match its extension criteria and appends the “.rand” extension to the filename:

.scr .reg .pif .msi .lnk .cpl .com .cmd .bat .bas .docx .pptx .xlsx .xbap .xps .pdf .pot .hta .xlt .pps .xlw .dot .rtf .ppt .xls .doc .xml .htm .html .exe .mht .zip .dvr-ms .wvx .wmx .wmv .mpv2 .mpg .mpeg .mpe .mpa .mp2v .mp2 .m1v .IVF .asx .asf .wax .snd .rmi .m3u .aiff .aifc .aif .midi .mid .wma .wav .mp3 .wmf .tiff .tif .rle .png .jpeg .jpe .jpg .jfif .ico .gif .emf .dib .bmp .avi
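The following triage helper is an added example (not code from the original analysis or from the ransomware author): it uses the extension list above to flag files carrying RandomLocker's ".rand" suffix on top of a targeted extension and recovers the pre-encryption filename, which is useful when reconciling a victim's Desktop listing against files restored from a restore point. The sample directory listing is constructed.

```python
# Added example: identify RandomLocker-encrypted files by the ".rand" suffix
# appended after one of the extensions listed in the analysis.
import os

# Extension filter exactly as listed in the analysis. Matching is done
# case-insensitively because the list itself mixes cases (e.g. .IVF).
RANDOMLOCKER_EXTENSIONS = frozenset(ext.lower() for ext in """
.scr .reg .pif .msi .lnk .cpl .com .cmd .bat .bas .docx .pptx .xlsx .xbap .xps
.pdf .pot .hta .xlt .pps .xlw .dot .rtf .ppt .xls .doc .xml .htm .html .exe
.mht .zip .dvr-ms .wvx .wmx .wmv .mpv2 .mpg .mpeg .mpe .mpa .mp2v .mp2 .m1v
.IVF .asx .asf .wax .snd .rmi .m3u .aiff .aifc .aif .midi .mid .wma .wav .mp3
.wmf .tiff .tif .rle .png .jpeg .jpe .jpg .jfif .ico .gif .emf .dib .bmp .avi
""".split())

ENCRYPTED_SUFFIX = ".rand"


def original_name(filename):
    """Return the pre-encryption filename if `filename` has the form
    <name><targeted extension>.rand, otherwise None."""
    if not filename.lower().endswith(ENCRYPTED_SUFFIX):
        return None
    stripped = filename[:-len(ENCRYPTED_SUFFIX)]
    _, ext = os.path.splitext(stripped)
    # A bare ".rand" file or an untargeted extension does not match the filter.
    if ext.lower() not in RANDOMLOCKER_EXTENSIONS:
        return None
    return stripped


def triage(filenames):
    """Split a directory listing into a mapping of encrypted file -> original
    name and a list of files the filter would have left untouched."""
    encrypted, untouched = {}, []
    for name in filenames:
        orig = original_name(name)
        if orig is None:
            untouched.append(name)
        else:
            encrypted[name] = orig
    return encrypted, untouched


if __name__ == "__main__":
    # Constructed listing of a victim's Desktop folder after encryption.
    sample = ["report.docx.rand", "photo.JPG.rand", "notes.txt",
              "archive.zip.rand", "Pass.txt", "random.rand"]
    enc, ok = triage(sample)
    for name, orig in enc.items():
        print(f"encrypted: {name} (was {orig})")
    print("untouched:", ok)
```

Note that a plain-text file such as notes.txt is left alone, consistent with .txt being absent from the filter above.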

Once encryption has completed, it automatically downloads an image file, drops it into the “Pictures” folder and onto the Desktop of the system, and then changes the Desktop wallpaper to the downloaded image, which contains the ransom message along with the “RandomLocker” countdown timer screen.

Figure 4: Downloaded Image

As shown below, this ransomware starts a countdown timer of 2 hours. If the victim does not pay within that duration, all the files are deleted automatically.

Figure 5: Countdown Timer

During this analysis, we tried to decrypt the files by using the “Unlock Key” that the ransomware generated at startup.

Using the “Unlock Key”, this ransomware decrypts only 5 files.

Figure 6: Decrypted Files

If the person enters the wrong key more than 3 times, all the encrypted files are deleted immediately from the system and the countdown timer is set to 00:00:00.

Figure 7: Files Deleted

As shown above, the “Ransomware Author” demands $10 in bitcoins at the following bitcoin address: “3GPg3tgwZakR5uTELzjMJRj1NarxHH9YdJ” and also warns the victim that if the payment is not made within 24 hours after encryption, the server will destroy the key.

Once the payment has been made, the victim has to send an email to the following Email ID: randomlocker@tuta.io

Figure 8: Ransomware Author Email ID

Network Information:

During analysis of this ransomware, we found that it attempts to connect to its C&C (Command & Control) server in order to start the encryption process.

The ransomware author creates a Victim ID on the server using the victim computer’s name, and stores the password file (pass.txt) under it.

Figure 9: Network Information

As shown above, this ransomware downloads the image from wallpaper-gallery[.]net.

During analysis we also found the web panel of the C&C (Command & Control) server.

Figure 10: Admin Panel

IOCs

File Hash (MD5): E74337A316AB212978AB38838D184F5D

Network Connections:

IP Address: 85.93.88.116

Spread via: Spam Emails or Phishing Campaigns
