There have been reports of a file-encrypting ransomware Trojan that was first observed on GitHub, a public platform used by programmers to connect, collaborate, and post different types of resources. When posting the Relec Ransomware on GitHub, its author included the following text, urging computer users to avoid using the Relec Ransomware for real-world attacks:
'Ransomware application clone with administration dashboard.
This project is for educational purposes only. Don't use it for real-world application. The ransomware application is developed in the C++ language. The dashboard is developed in Python via the Flask framework.'
Trojans released as proof of concept or for educational purposes almost invariably end up being used in harmful real-world attacks. This is, for example, the case of HiddenTear, an infamous open source ransomware engine that was first released publicly in 2015 and has been responsible for countless ransomware attacks and variants.
The Relec Ransomware Exploits Windows Features to Attack a Computer
The Relec Ransomware takes advantage of native Windows APIs to carry out its attack. The Relec Ransomware was first observed on November 12, 2017, and appears to still be under development. The Relec Ransomware carries out a highly effective encryption routine that takes the victim's files hostage, transferring its decryption key to Command and Control servers controlled by the people responsible for these attacks. The Relec Ransomware attack itself does not differ very much from the many other ransomware Trojans that are active currently. The Relec Ransomware targets user-generated files in its attack, searching for specific file types such as the following:
.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .zip.
A Brief Description of the Relec Ransomware Features
The Relec Ransomware has several features that make it a potential threat if it starts being used in real-life attacks. The Relec Ransomware has a control dashboard that is accessible through the Internet. The Relec Ransomware's feature list on GitHub includes the following:
- Ability to target specific file formats.
- Change the infected PC's desktop background image.
- A comparatively small footprint — 250 KB.
A con artist using the Relec Ransomware to carry out attacks would use a delivery method, such as a spam email attachment containing the Relec Ransomware Trojan. Once the Relec Ransomware carries out its attack and encrypts the victim's files, the Relec Ransomware would deliver its ransom note in a text file, which is named by default 'Doc1.txt,' as well as displaying its ransom note in a program window. The Relec Ransomware ransom note reads as follows:
'Sorry, But You Have Been Hacked
Send 1 bitcoin for key
Bitcoin [BTC ADDRESS]
Key [TEXT BOX]'
The Relec Ransomware uses XOR encryption in its attack, rather than the combination of RSA and AES favored by most ransomware Trojans. This indicates that it is potentially possible for PC security researchers to develop a decryption program to help computer users restore their data after the Relec Ransomware has encrypted it. Computer users should take precautions against the Relec Ransomware and other ransomware Trojans, which may include keeping backup copies of their files and using an up-to-date and effective security program.
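Why the XOR choice matters to defenders, as an added example that is not part of the original write-up or the project's code: a repeating-key XOR can be undone from a known file header alone, which is the basis on which a recovery tool could be built. The key value, key length and the sample file bytes below are assumptions constructed for the demonstration.

```python
from itertools import cycle
from typing import Optional

# Constructed sample key: the real key value and length are not on the page.
ASSUMED_KEY = b"relec!"

# Known plaintext a defender can rely on: fixed magic bytes of common formats.
KNOWN_HEADERS = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF-1.",
    ".zip": b"PK\x03\x04",
}

# Constructed sample plaintext: a PNG header followed by filler bytes.
SAMPLE_PNG = KNOWN_HEADERS[".png"] + b"\x00\x00\x00\rIHDR" + bytes(range(40))


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, known_header: bytes) -> Optional[bytes]:
    """Recover a repeating XOR key from the known plaintext of a file header.

    Returns None when the header is too short to pin down the whole key."""
    # Each known plaintext byte reveals one keystream byte: c ^ p == k.
    keystream = bytes(c ^ p for c, p in zip(ciphertext, known_header))
    # Try every period shorter than the known prefix; the key must reproduce
    # the entire prefix when cycled, otherwise the period is wrong.
    for key_len in range(1, len(keystream)):
        candidate = keystream[:key_len]
        if xor_bytes(keystream, candidate) == bytes(len(keystream)):
            return candidate
    return None


def decrypt_by_extension(ciphertext: bytes, ext: str) -> Optional[bytes]:
    """Recover the key from the extension's known header, then decrypt."""
    header = KNOWN_HEADERS.get(ext)
    if header is None:
        return None
    key = recover_key(ciphertext, header)
    return None if key is None else xor_bytes(ciphertext, key)


if __name__ == "__main__":
    encrypted = xor_bytes(SAMPLE_PNG, ASSUMED_KEY)
    print(recover_key(encrypted, KNOWN_HEADERS[".png"]))  # b'relec!'
```

A key longer than the longest known header cannot be recovered this way from a single file; combining headers of several encrypted files, or a known-plaintext file from a backup, extends the recoverable prefix.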