Researchers who dig deep through the code of one of the latest strains of ransomware might be surprised and even a little irked at what they find. Hidden inside some of those strings of code are taunts aimed at them.
According to Lawrence Abrams who runs BleepingComputer.com, the malware, BlackShades Crypter a/k/a SilentShades was spotted late last month by a researcher that goes by the name Jack, targeting both users in the United States and Russia. The ransomware behaves like most variants and once a user is infected it goes ahead and encrypts users’ files with an extension, in this case “.silent.”
"SilentShade" eng/rus ransomware encrypts with .silent extension and uses "Black Shades" name. $30 unlock fee. pic.twitter.com/BXJtYF2jFW
— Jack (@malwareforme) May 25, 2016
The ransomware encrypts mostly everything it comes across, users’ downloads, documents, pictures, music, and desktop folders, to name a few.
“During different stages of the encryption process it will check again for the ability to connect to Google, and if possible, will connect to the Command & Control server and send an update that contains the count of files that have been encrypted,” Abrams wrote in a blog post about the ransomware Friday.
After users have been hit, it’s actually fairly cheap to decrypt files, Abrams claims. Users will be instructed to visit a site and pony up as little as $30 in Bitcoin or PayPal to retrieve their documents, then email the attackers at a Proton Mail address.
As Abrams points out, the fact that a cybercriminal would want to use PayPal at all is a perplexing move.
“The use of PayPal is an odd choice for any criminal activity as it can easily be traced,” Abrams writes.
Perhaps as an Easter egg, those who look between the lines will find a few surprises nestled in the code of Black Shades however.
Messages, most of which are base64 encoded, others which use basic string manipulation, contain hidden notes to researchers, taunting them. According to Abrams, some of the messages decode to things like “YoxcnnotcrackthisAlgorithmynare>idiot<” and “youaresofartocrackme.”
One string, after its decoded from Russian, reads: “you can not hack me, I am very hard.”
The source of BlackShades infections remains to be seen but according to Abrams’ post, researchers with MalwareHunterTeam believe the ransomware is primarily distributed via fake videos, fake cracks, or fake patches.
The ransomware doesn’t appear to have anything in common, except its name, with Blackshades, a remote access Trojan that was previously sold on underground criminal forums for $40. A few years ago attackers used the malware to pilfer data and spy on victims, namely Syrian dissidents.