MindLost Ransomware Emerges

The MalwareHunter team has been tracking a new ransomware called MindLost. The security researcher has been tracking samples of this new ransomware since January 15. The new strain encrypts users data then redirects the now victim to an online page to pay the ransom via credit/debit card. MindLost referred to by Microsoft as Paggalangrypt, is not being actively distributed as of yet, leading researchers to believe it is still currently under development. Despite not been complete the ransomware does work and targets the following extensions .c, .jpg, .mp3, .mp4, .pdf, .png, .py and .txt. for encryption. It also searches for the file extension within the storage devices and folders to encrypt files.

Work in Progress

One of the biggest clues that MindLost is still a work in progress is that the ransomware is that it the filter designed to target specific extensions in order to save time is not active. Searching and encrypting files on all the storage mediums is time-consuming, so current MindLost samples bypass this behavior and only encrypt files in the "C:\\Users" folder. More stable versions will likely have a filter in order to be more efficient. During the encryption, all encrypted files will receive a new extension .enc, such as a file named image.png will become image.png.enc. Once this is done the MindLost ransomware will download an image from the below URL and set it as the computer's new desktop wallpaper. This image contains instructions for recovering files. MindLost also sets a registry key to ensure its executable is started after every reboot to ensure it remains on the infected computer. On the ransom note that is now the desktop wallpaper victims are instructed to visit the site provided and buy a decrypter app that will decrypt files.

mindlost ransowmare emerges

Non-traditional Payment Scheme

This is where things begin to get a little strange. MindLost does not ask for payment via Bitcoin, but via credit/debit card. Bitcoin is requested by the major ransomware strains as it is incredibly hard to trace those responsible. By using a card payment method means that the author had to register as a merchant and give up a wealth of information. This information often referred to as Know Your Customer (KYC) information forms the foundation of international banking’s fraud prevention policy. Surely, the malware author would wish to remain anonymous.

This has led some researchers to believe that the ransomware may be an elaborate scheme of stealing credit card details. This would explain the use of payment method and may offer the author a far more lucrative business. Once the card details are acquired the author can sell those off to other hackers or alternatively use the details himself fraudulently. There is perhaps a third reason for using such a system and is perhaps the simplest to explain; the credit/debit card payment system may be a template on an unfinished website, which the author may replace in the future.

Another thing struck researchers as being fairly unique. That being MindLost's "insurance" option, which is supposed to safeguard a computer from getting reinfected with the ransomware again. This is the second time a "reinfection tax" advertised by a ransomware strain has been seen. Spora had a similar feature called “immunity”. Spora, however, was notable for a number of reasons. It had a solid encryption routine, ability to work offline, and a very well put together ransom payment site, which was the most sophisticated seen from ransomware authors. The encryption process was seen as top notch by researchers as employed the complicated process for the creation of the .KEY file and for the creation of the encryption key used to lock each file. Although MindLost shares an “insurance” feature it seems to lack Spora’s advanced features.

Garbage Code

Overall the authors of MindLost appear to be amateurs at best. Researchers regard the coding as poor, especially when compared to other ransomware strains. There are a number of examples of this, the first being that the binary contains file paths that include a man's name (Hi Daniel Ohayon!). While this could be a false flag meant to make researchers follow wrong leads, it is not the only mistake. The ransomware binary also comes with hardcoded credentials for MindLost's remote database. Shipping hardcoded database credentials in a binary are as bad as it gets when it comes to good programming practices. This is mainly because it can be regarded as a massive fail as any security researcher analyzing the ransomware can connect to this database and retrieve victim data, such as encryption/decryption keys.

The MalwareHunter team have only detected four samples of the MindLost ransomware with all appearing to be still in development. It is hoped that the author will give up the attempt. However, if the ransomware begins to be distributed victims should be wary of inputting payment card details in the ransom payment form, as it could also lead to mysterious transactions appearing on card statements later down the road.

Indicators of Spectre and Meltdown being leveraged

In other malware related news, it would seem that researchers are seeing an ever-increasing number of malware samples that are experimenting with the Meltdown and Spectre vulnerabilities. According to experts at AV-TEST, Fortinet, and Minerva Labs, several individuals are experimenting with publicly released proof-of-concept (PoC) code for the Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5715, CVE-2017-5753) vulnerabilities. Researchers from AV-TEST have detected 119 malware samples that are related to the aforementioned CPU vulnerabilities.

While this may at first glance appear to be a worrying development given that generations of CPUs are susceptible to the exploits if unpatched. There may be a less worrisome answer to explain the increase. All evidence suggests most of these detections are security researchers playing with the PoC code, but experts won't rule out that some samples are from malware authors looking for ways to weaponize the PoC code for malicious actions. This explanation is supported by the fact that no in the wild samples have been detected.