10/25/2024 | Press release | Distributed by Public on 10/26/2024 02:07
The SonicWall Capture Labs threat research team has encountered a recently released ransomware from an Iranian team of hackers. The group has named themselves hackersadism. The group does not appear to be targeting large corporations at this time as they only charge $2000 in BNB (Binance coin crypto) for file restoration. The price for file retrieval is also negotiable. During our analysis, we were able to converse directly with the malware operator and negotiate payment.
Upon executing the malware, files on the system are encrypted. Each file is given a new file extension consisting of 4 alphanumeric characters. When the encryption phase is complete, the following image is displayed on the desktop background:
Figure 1: Desktop image
A file named read_it.txt is dropped on to the desktop and contains the following message in Farsi:
Figure 2: Ransom message
A rough translation from Farsi to English is as follows:
Figure 3: Translation
The malware is easy to decompile and contains no obfuscation. After decompiling the code, we can see its inner workings and intentions.
Before encryption, a region check is performed. If az-Latn-AZ (Latin, Azerbaijan), tr-TR (Turkish) locales are detected on the system, the program exits:
Figure 4: Region check
If the following system files and directories are encountered during the encryption process, they are ignored:
Figure 5: Ignored system files
The following file types are targeted for encryption:
Figure 6: Targeted file types
Anti-virus, system administration, databases and backup tools are disabled if found to be running:
Figure 7: Targeted services to shut down
System recovery features that are built into Windows are disabled:
Figure 8: Disabling system recovery
The ransom message tells the victim to communicate with the operator @hackerSadism using Telegram. The Operator uses the following user image:
Figure 9: Telegram user image
We had the following conversation with the operator to negotiate payment for file retrieval:
Figure 10: Chat with operator
SonicWall Capture Labs provides protection against this threat via the following signature:
This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.