Exotic Squad Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Threat Level: 80 % (High)
Infected Computers: 33
First Seen: October 13, 2016
Last Seen: March 16, 2023
OS(es) Affected: Windows

The Exotic Squad Ransomware is an encryption Trojan written in the Visual Basic programming language. It is delivered to users through spam emails carrying malicious DOCX and PDF attachments. The distribution campaign may use logos and promotional images from well-known services like PayPal and Amazon to appear benign and lure users into downloading the attached file.

The Exotic Squad Ransomware Requires Users to Run It

Still, the main executable of the Exotic Squad Ransomware cannot run unless the user opens the malicious attachment. If you are suspicious of a file you received via email, scan it with your AV product and upload a sample to Google's VirusTotal platform as a precaution. The Exotic Squad Ransomware targets users running the Windows OS and does not require elevated privileges to operate, so no UAC prompt alerts the user to its activity. AV applications are known to detect the Exotic Squad Ransomware under names like:

  • Ransom_EXOTIC.A
  • Trojan.Win32.Generic.pak!cobra
  • Trojan.win32.skeeyah.a!rfn
  • Win32.Trojan.Gen.Eyb
  • Win32/Trojan.Ransom.685
  • Win32:Malware-gen

Malware researchers report that the executable for the Exotic Squad Ransomware carries no valid digital signature and no publisher information. The encryption engine of the Exotic Squad Ransomware is not exotic and works the same way as the one used by the NCrypt Ransomware. The Exotic Squad Ransomware is programmed to use the AES-256 encryption algorithm to lock the files stored on your drives. Researchers note that it can lock most data containers used to store images, text, videos, spreadsheets, audio and databases. The Exotic Squad Ransomware is known to target the following extensions:

.txt, .exe, .text, .cur, .contact, .ani, .xls, .com, .url, .ppt, .src, .cmd, .tgz, .fon, .pl, .load, .CompositeFont, .png, .mp3, .mkv, .veg, .mp4, .lnk, .zip, .rar, .7z, .jpg, .sln, .crdownload, .msi, .vb, .vbs, .vbt, .config, .resx, .vbproj, .json, .jpeg, .scss, .css, .html, .hta, .ttc, .ttf, .eot, .camproj, .m4r, .001, .002, .003, .004, .005, .006, .007, .008, .009, .au, .aex, .8be, .8bf, .8bi, .abr, .adf, .apk, .ai, .asd, .bin, .bat, .gif, .3dm, .3g2, .3gp, .aaf, .accdb, .aep, .aepx, .aet, .aif, .anv, .as, .as3, .asf, .asp, .asx, .avi, .bay, .bmp, .cdr, .cer, .class, .cpp, .cr2, .crt, .crw, .cs, .csv, .d11, .db, .dbf, .dcr, .der, .dng, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .dxg, .efx, .eps, .erf, .fla, .flv, .iso, .idml, .iff, .ini, .sik, .indb, .indd, .indl, .indt, .iconx, .jar, .jnt, .java, .key, .kdc, .m3u, .m3u8, .m4u, .max, .mdb, .mdf, .mef, .mid, .mov, .mpa, .mpeg, .mpg, .mnv, .msg, .nef, .nnv, .odb, .odc, .odm, .odp, .ods, .odt, .orf, .p12, .p7b, .plc, .pdb, .pdf, .pef, .pem, .pfx, .php, .plb, .pmd, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .pptm, .pptx, .prel, .prproj, .ps, .psd, .pst, .ptx, .r3d, .ra, .raf, .raw, .rb, .rtf, .rw2, .rwl, .sdf, .sldm, .sldx, .sql, .sr2, .srf, .srw, .svg, .swf, .tif, .vcf, .vob, .wav, .wb2, .wrria, .wmv, .wpd, .wps, .x3f, .xla, .xlam, .xlk, .x11, .xlm, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx.
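Two of the checks suggested above, looking for a digital signature on a suspicious executable and hashing the sample before a VirusTotal lookup, can be done offline from the PE header alone. The following is an added example written for this page, not code from the article or from any AV vendor. It reads the PE/COFF optional header, locates the Authenticode certificate table (data directory entry 4, which holds a raw file offset rather than an RVA) and reports whether a WIN_CERTIFICATE structure is present. The two sample images are constructed in the script itself (a bare PE32+ header, and the same header with a placeholder certificate blob); neither is a real binary, and the placeholder blob is not a valid signature. Presence of the table only tells you the file claims to be signed; verifying the PKCS#7 data against the file hash and a trusted chain is a separate step this example does not perform.

```python
import hashlib
import struct

# Constants from the PE/COFF and Authenticode specifications.
IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
WIN_CERT_REVISION_2_0 = 0x0200


def authenticode_status(data: bytes) -> dict:
    """Report whether a PE image carries an Authenticode certificate table.

    Presence of the table is not proof of a valid signature: the PKCS#7 blob
    still has to be verified against the file hash and a trusted chain.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:            # PE32
        num_dirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:          # PE32+
        num_dirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    num_dirs = struct.unpack_from("<I", data, num_dirs_off)[0]
    # SHA-256 is what you would paste into a VirusTotal hash search.
    result = {"has_certificate_table": False,
              "sha256": hashlib.sha256(data).hexdigest()}
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return result
    entry = dirs_off + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    if entry + 8 > opt + size_of_optional:
        return result
    cert_off, cert_size = struct.unpack_from("<II", data, entry)
    if cert_off == 0 or cert_size < 8 or cert_off + cert_size > len(data):
        return result
    # The security directory holds a raw file offset, not an RVA.
    length, revision, cert_type = struct.unpack_from("<IHH", data, cert_off)
    result.update(
        has_certificate_table=True,
        cert_length=length,
        cert_revision=revision,
        cert_type=cert_type,
        pkcs7_signed_data=(cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA),
    )
    return result


def build_sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ header for demonstration (not a real binary)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    opt_size = 240                                          # PE32+ optional header
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x0022)
    headers_len = 0x40 + 4 + 20 + opt_size
    cert_blob = b""
    cert_off = cert_size = 0
    if signed:
        # Placeholder WIN_CERTIFICATE: header plus dummy bytes where the
        # PKCS#7 SignedData would sit. This is NOT a valid signature.
        body = b"\x30\x00" * 8
        cert_blob = struct.pack("<IHH", 8 + len(body), WIN_CERT_REVISION_2_0,
                                WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body
        cert_off, cert_size = headers_len, len(cert_blob)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                   # Magic: PE32+
    struct.pack_into("<I", opt, 108, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + IMAGE_DIRECTORY_ENTRY_SECURITY * 8,
                     cert_off, cert_size)
    return dos + b"PE\0\0" + coff + bytes(opt) + cert_blob


if __name__ == "__main__":
    for label, image in (("unsigned", build_sample_pe(False)),
                         ("signed", build_sample_pe(True))):
        print(label, authenticode_status(image))
```

On a real sample, pass the file contents to `authenticode_status`; an unsigned dropper like the one described here returns `has_certificate_table: False`, and the `sha256` value is what to search on VirusTotal before uploading anything. Publisher information lives in the VS_VERSIONINFO resource, which this example does not parse.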

The Exotic Squad Ransomware Uses an HTA Application and the Windows Messaging Service to Notify the User of a Successful Encryption

The same behavior was introduced by the Black Feather Ransomware, which also took advantage of built-in Windows components to deliver its ransom note. Reports reveal that users infected by the Exotic Squad Ransomware are shown a dialog box that says:

'Windows are Infected, by the EXOTIC Virus!
Try to Kill or Delete me i kill your PC!
Have a nice day =)'

The notification is followed by a window loaded with a picture of Adolf Hitler and the title 'You got fucked by EXOTIC SQUAD.' However, there is no evidence of a connection with the Hitler Ransomware. When the image fades away, a text message appears and says:

'ALL YOUR FILES HAVE BEEN ENCRYPTED
Hello, all your Computer files have been encrypted. But, don't worry! I haven't deleted them all. So you have 72 hours to pay 50 USD in BitCoins to my BitCoin Address to get your files back! Every 5 hours files will be deleted. After 72 hours all that are left will be deleted! We will format your hard-drive when you restart the Computer! The Timer starts now! Dont fuck with EXOTIC Squad!
TIME LEFT: [72 hours]
Send 50 USD worth of BitCoins here: [34 random characters]
'

50 USD may not seem like much, but keep in mind that the makers of the Exotic Squad Ransomware are under no obligation to send you a decryption key once you pay. Crypto-malware developers may also install a backdoor Trojan on your PC, as seen with the Pokemon GO Ransomware. Computer users should restore their data from clean backups instead of paying the ransom, and should clean their Windows OS with a reputable anti-malware suite before restoring anything.