Cryptme Ransomware

The global pandemic affects nearly every aspect of our daily lives and necessitates a dramatic change in both workplace and home routines. One of the sectors that were forced to adapt to using new technologies quickly was the education system with teachers having to rapidly acquire the skills needed to carry out lessons in an entirely online environment. Issues and problems are guaranteed to pop up, and, apparently, cybercriminals were ready to take advantage of it with the researchers at Proofpoint detecting a finely-crafted ransomware campaign precisely targeted at individual teachers.

The hackers distributed emails that masqueraded as being sent from a student's parent or guardian and supposedly delivering an assignment from the student. The pretense was that unknown issues had prevented the student from submitting the assignment in the usual way. The titles of the emails were variations of 'Son's Assignment Upload,' 'Assignment Upload Failure for [Student's Name]' or '[Student's Name]'s Assignment Upload Failed,' while the attached malware-laced files were named [Student's Name]-assignment.docx" and were placed inside a zip file "[Student's Name]-assignment.zip.'

A Custom-Crafted Malware Delivered to Teachers

The malware found inside the email attachments abused Remote Template injection to download another threatening document. If the targeted user has macros enabled, it opens the way for the malware executables to be downloaded. The hackers behind the campaign used a free code hosting service called notabug.org to deliver the executable files. Another curious characteristic of the threatening operations is that the attackers receive an email or SMS message when an executable is started by exploiting a free web bug service called Canarytokens.

As for the main payload delivered to the compromised machine - it is a custom-made ransomware threat, the Cryptime Ransomware, that the hackers wrote in the Go programming language and named it 'cryptme.' The malware is delivered as two executables - 'ctool.exe' and 'etool.exe,' one being a wrapper needed to initiate the other. Files encrypted by the threat have '.cryptme' appended to their original filenames. The ransom note is delivered as a text file named 'About_Your_Files.txt' that is created on the desktop of the compromised systems. A pop-up window with a slight variation of the same text is also displayed by the threat.