A new ransomware called MoneroPay has been discovered that tries to take advantage of the cryptocurrency craze by spreading itself as a wallet for a fake coin called SpriteCoin. While users were installing what they thought was a new cryptocoin, MoneroPay was silently encrypting the files on the computer.
SpriteCoin Wallet spread on the popular BitCoinTalk Forum
First discovered by security researcher MalwareHunterTeam, this ransomware started distribution around January 6th in a topic posted to the largest cryptocoin forum called BitcoinTalk. This topic was used to announce the release of a new Altcoin called SpriteCoin.
The forum topic contained a link to an offline site that contained a brief page about SpriteCoin with a further link to a wallet.
While this topic has since been removed, it was posted in the site’s Altcoin discussion forum, which is a common place for cryptocurrency developers to announce new coins. With cryptocurrency being so hot right now, and potentially very lucrative, when a new coin is launched many people quickly download the coin’s wallet in order to begin mining it before its difficulty increases too much.
Once a user downloaded and ran the wallet, it would load up and go through what appeared to be a normal setup for a new cryptocoin wallet.
As there have been many false positives regarding wallets in the past, some miners disable their AV when testing new wallets. The MoneroPay ransomware was banking on this knowledge as a good way to get the ransomware installed quietly and without the user knowing until it was too late.
MoneroPay quietly encrypts a computer while the fake wallet synchronizes
When you install a cryptocoin wallet for the first time, the wallet first needs to connect to the coin’s network and synchronize itself with the blockchain. Depending on how many coins have already been mined and the speed of the network, this process can take a long time.
Knowing this, the ransomware developer started encrypting the computer while the SpriteCoin wallet pretended to download and synchronize the blockchain. As this normally takes a long time and could cause a lot of hard drive activity, it was the perfect cover for the MoneroPay ransomware.
While MoneroPay encrypts files, it will target files that match the following extensions:
txt, doc, rtf, cpp, tcl, html, ppt, docx, xls, xlsx, pptx, key, pem, psd, mkv, mp4, ogv, zip, jpg, jpeg, work, pyw, hpp, cgi, rar, lua, img, iso, webm, jar, java, class, one, htm, css, vbs, eps, psf, png, apk, ps1, wallet.dat
Of particular interest is that the ransomware appears to be targeting extensions that are associated with programming languages. This may be because cryptocoin wallets tend to be used by those who are more technically inclined.
When encrypting a file, MoneroPay will append the .encrypted extension to the encrypted file’s name. For example, test.png would be renamed to test.png.encrypted.
While the ransomware is running, it will also attempt to retrieve passwords stored in Firefox and Chrome. These passwords, as well as information about the victim and their computer, are uploaded to a C2 server located at jmqapf3nflatei35.onion.link.
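As a defender-side illustration of the rename pattern and target list described above, here is an added Python triage helper (not code from the article or from the ransomware itself); it sorts a file listing into files already renamed by the encryption and files that would still be targets, and the paths it contains are constructed samples.

```python
# Added triage helper, not code from the article or the malware: it uses the
# extension list and the "<name>.<ext>.encrypted" rename the article describes
# to sort a file listing into already-encrypted files and still-at-risk files.
from pathlib import PurePath

# Extensions the article lists as MoneroPay targets; wallet.dat is matched by
# full name.
TARGET_EXTENSIONS = {
    "txt", "doc", "rtf", "cpp", "tcl", "html", "ppt", "docx", "xls", "xlsx",
    "pptx", "key", "pem", "psd", "mkv", "mp4", "ogv", "zip", "jpg", "jpeg",
    "work", "pyw", "hpp", "cgi", "rar", "lua", "img", "iso", "webm", "jar",
    "java", "class", "one", "htm", "css", "vbs", "eps", "psf", "png", "apk",
    "ps1",
}
TARGET_FILENAMES = {"wallet.dat"}
RANSOM_SUFFIX = ".encrypted"


def is_target(name):
    """True if a lower-cased file name is one MoneroPay would encrypt."""
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    return name in TARGET_FILENAMES or ext in TARGET_EXTENSIONS


def original_name(path):
    """Return the pre-encryption name if `path` follows the rename pattern
    and the original would have been a target, else None."""
    name = PurePath(path).name.lower()
    if not name.endswith(RANSOM_SUFFIX):
        return None
    original = name[: -len(RANSOM_SUFFIX)]
    return original if is_target(original) else None


def triage(paths):
    """Split a listing into (encrypted_victims, still_at_risk) lists."""
    victims, at_risk = [], []
    for p in paths:
        if original_name(p):
            victims.append(p)
        elif is_target(PurePath(p).name.lower()):
            at_risk.append(p)
    return victims, at_risk


# Constructed sample listing (not real victim data).
SAMPLE = [
    "C:/Users/alice/Documents/test.png.encrypted",
    "C:/Users/alice/SpriteCoin/wallet.dat.encrypted",
    "C:/Users/alice/Documents/notes.txt",
    "C:/Users/alice/Music/song.mp3",            # not a targeted extension
    "C:/Users/alice/Documents/readme.encrypted",  # no targeted original ext
]
```

Pass `triage` the output of a directory walk to scope an incident, or run `original_name` over a few planted canary files to get an early signal that encryption has started.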
When the fake block synchronization is completed, the MoneroPay lock screen will appear and display the ransom note. This is also most likely the first time that the victim realizes that they have been infected with ransomware.
This lock screen requests 0.3 Monero (XMR), or approximately $120 USD, in order to get the decryption key. It is not known if anyone has paid the ransom and successfully decrypted their files.
CryptoCoin enthusiasts need to take extra precautions against malware
In order to protect yourself from ransomware, it is important that you use good computing habits and security software. First and foremost, you should always have a reliable and tested backup of your data that can be restored in the case of an emergency, such as a ransomware attack.
For cryptocoin enthusiasts, you unfortunately have to pay a bit more attention than most people. Cryptocoins have always had a history of wallets being infected, people using malware to steal coins, and more. Therefore it is absolutely important that anyone who downloads a new cryptocoin wallet first scan it using VirusTotal to make sure it’s not infected.
Even if it comes up clean, I still suggest that you first test wallets using a virtual machine such as VirtualBox and only use wallets from known organizations. This is because even if a wallet comes up clean and does not display any outward malicious behavior, you still have no idea if it’s doing something malicious behind the scenes.
You should also have security software that incorporates behavioral detections to combat ransomware and not just signature detections or heuristics. For example, Emsisoft Anti-Malware and Malwarebytes Anti-Malware both contain behavioral detection that can prevent many, if not most, ransomware infections from encrypting a computer.
Last, but not least, make sure you practice the following security habits, which in many cases are the most important steps of all:
- Backup, Backup, Backup!
- Do not open attachments if you do not know who sent them.
- Do not open attachments until you confirm that the person actually sent them to you.
- Scan attachments with tools like VirusTotal.
- Make sure all Windows updates are installed as soon as they come out! Also make sure you update all programs, especially Java, Flash, and Adobe Reader. Older programs contain security vulnerabilities that are commonly exploited by malware distributors. Therefore it is important to keep them updated.
- Make sure you have some sort of security software installed that uses behavioral detections or whitelisting technology. Whitelisting can be a pain to train, but if you're willing to stick with it, it could have the biggest payoff.
- Use hard passwords and never reuse the same password at multiple sites.