
Deadly Ransomware

By GoldSparrow in Ransomware

The Deadly Ransomware was discovered in October 2016, and researchers found an unusual trait in this program. The Deadly Ransomware was set to encrypt files on January 1st, 2017, which is surprising considering that most encryption Trojans are tailored to lock data as fast as possible. Malware researchers who had a look under the bonnet of the Deadly Ransomware note that the program is written for the .NET Framework and that its operations are relatively easy to detect. AV vendors detect the Deadly Ransomware under the following names:

  • Atros4.ABVF
  • MSIL/Filecoder.CS
  • Ransom_JANBLEED.F116JA
  • Trojan.GenericKD.3586576 (B)
  • Trojan.Win32.Agent.nexptm
  • Trojan/Win32.Agent.N2124761547

At the time of writing this article, the Deadly Ransomware appears to generate a ransom screen, which is supposed to notify the user of successful data encryption. The Deadly Ransomware claims to use the AES-256 cipher to lock data, but there is no evidence to support that claim. Code analysis revealed that the Deadly Ransomware is poorly configured and does not provide an ID number or payment instructions. The ransom screen looks like a template and may receive updates that include a new color scheme, a new design and new text. Researchers found that the initial release of the Deadly Ransomware shows the following text:

'Deadly
for a good purpose

Key Will Be Destroyed on:
&Date&
Your Files are Encrypted:
&FileCount&

Your files have been safely encrypted on this PC: photos, videos, documents, etc. Click "Show encrypted files" Button to view a complete list of encrypted files, and you can personally verify this. Encryption was produced using a unique public key AES-256 generated for this computer. To decrypt files, you need to obtain the private key. The only copy of the private key, which will allow you to decrypt your files is located on a secret server on the Internet; the server will eliminate the key after a time period specified in this window. Once this has been done, nobody will ever be able to restore files… To decrypt the file you will need to send $500 USD in the form of BTC to the following bitcoin address:
&bitwallet& (link to a guide on how to buy and transfer Bitcoins)
After payment contact [email for contact] with your transaction details and [your ID]. Once the payment is confirmed you will receive decryption key along with decryption software. Any attempt to remove or corrupt this software will result in immediate elimination of the private key by the server. Beware.'
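The note above is a template whose placeholders (&Date&, &FileCount&, &bitwallet&) were never filled in, which is itself a useful detection signal: a dropped note that still carries those tokens points to this early, unfinished build. The script below is an added example, not code from the article or from any vendor product; it scores a candidate text against the phrases quoted above and reports whether the template tokens are still unfilled. The sample note embedded in it is constructed from the quoted fragments, and the threshold of three indicators is an assumption chosen to keep ordinary email text from matching.

```python
import re

# Constructed sample, assembled from the note fragments quoted in the article.
# The template tokens are left unfilled exactly as the initial release shows them.
SAMPLE_NOTE = """Deadly
for a good purpose

Key Will Be Destroyed on:
&Date&
Your Files are Encrypted:
&FileCount&

Your files have been safely encrypted on this PC: photos, videos, documents, etc.
Click "Show encrypted files" Button to view a complete list of encrypted files.
Encryption was produced using a unique public key AES-256 generated for this computer.
To decrypt the file you will need to send $500 USD in the form of BTC to the following bitcoin address:
&bitwallet&
"""

# Multi-word phrases taken from the quoted note; single generic words such as
# "deadly" are deliberately excluded to avoid false positives on normal text.
PHRASE_INDICATORS = [
    "for a good purpose",
    "key will be destroyed on",
    "your files are encrypted",
    "show encrypted files",
    "unique public key aes-256",
    "send $500 usd in the form of btc",
]

# Unfilled placeholders observed in the initial release of the template.
TEMPLATE_TOKENS = re.compile(r"&(Date|FileCount|bitwallet)&")


def score_note(text):
    """Return (score, matched_phrases, unfilled_tokens) for a candidate text.

    Each matched phrase and each distinct unfilled token adds one to the score.
    """
    lowered = text.lower()
    matched = [p for p in PHRASE_INDICATORS if p in lowered]
    tokens = sorted(set(TEMPLATE_TOKENS.findall(text)))
    return len(matched) + len(tokens), matched, tokens


def classify_note(text, threshold=3):
    """Classify a text as no match, a filled-in note, or the unfilled template.

    The threshold is an assumed tuning value, not something the article states.
    """
    score, _matched, tokens = score_note(text)
    if score < threshold:
        return "no match"
    if tokens:
        # Placeholders still present: the early build that never filled them in.
        return "deadly-template-unfilled"
    return "deadly-ransom-note"


def scan_texts(named_texts, threshold=3):
    """Classify several (name, text) pairs, e.g. files collected from a host."""
    return {name: classify_note(text, threshold) for name, text in named_texts}


if __name__ == "__main__":
    # Constructed inputs: the unfilled template, a filled-in variant, and benign mail.
    filled = (SAMPLE_NOTE.replace("&Date&", "01/01/2017")
              .replace("&FileCount&", "42")
              .replace("&bitwallet&", "[constructed placeholder address]"))
    benign = "Hi, the quarterly invoice is attached. Thanks!"
    for name, verdict in scan_texts([("template.txt", SAMPLE_NOTE),
                                     ("filled.txt", filled),
                                     ("mail.txt", benign)]).items():
        print(f"{name}: {verdict}")
```

Because the phrase list is case-insensitive and the tokens are matched exactly, a later build that changes the color scheme or layout but reuses the wording still scores, while a build that fills in the placeholders is reported separately from the dormant template.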

We suspect that the Deadly Ransomware may still be in development at the time of writing this article. Experts say that the code of the Deadly Ransomware is not nearly as sophisticated as that of threats like the Fs0ci3ty Ransomware and the Kostya Ransomware. The creators of the Deadly Ransomware might be testing their distribution network and did not intend to provide information for users who consider paying the ransom. However, samples of the Deadly Ransomware seem to be dormant and do not encrypt files, which may suggest that the Deadly Ransomware will be activated in January 2017. It is equally possible that the Deadly Ransomware will receive updates or be reworked from scratch.

Experts advise users to remain vigilant and avoid spam emails that carry DOCX and PDF attachments, which are easily weaponized to deliver threats like the Deadly Ransomware. Avoiding spam is one of several tactics that minimize the risk of infection with crypto malware. Computer users should be prepared for an attack by the Deadly Ransomware and create backups regularly. Installing a reliable anti-malware shield is a must whenever you are connected to the Internet or plug unknown devices into your PC.
