In addition to encrypting files, a new strain of ransomware also attempts to carry out a DDoS attack, albeit a weak one.
The ransomware, FireCrypt, was uncovered by forensic experts at MalwareHunterTeam and analyzed by Bleeping Computer’s Lawrence Abrams on Wednesday.
The malware technically comes as a ransomware building kit named BleedGreen (see below), according to a report from Abrams’ Bleeping Computer site. It’s only after victims launch an executable that’s been generated by FireCrypt’s distributor and disguised as a .DOC or .PDF, that they become infected. From there the ransomware takes aim at the machine’s Task Manager. After killing the process it encrypts 20 different files, appending “.firecrypt” to the end of each file.
Like most ransomware variants, FireCrypt tells users their files have been encrypted and demands a sum, $500 in Bitcoin, to decrypt them.
After FireCrypt has encrypted files it does something that other ransomware strains don’t. Embedded in the source code is a function that connects to a hardcoded URL, downloads content and saves it to a temporary file on the infected machine. According to Bleeping Computer, the URL, pta.gov.pk, corresponds to Pakistan’s Telecommunications Authority. FireCrypt goes on to download and fill a machine’s %Temp% folder with junk files from the site, the report claims. The intent of the function is to carry out a DDoS attack of sorts. In reality, it’s a weak attempt and according to Abrams, would take a while to do any damage to the site.
“The crook would have to infect thousands of victims before launching a DDoS attack large enough to cause any problems to the Authority’s website,” reads the post, “Furthermore, all victims should be infected at the same time, and have their computers connected to the Internet in order to participate in the DDoS attack.”
While the DDoS functionality sets it apart from other types of ransomware, FireCrypt isn’t completely original. According to researchers, it shares a few traits with another strain of ransomware, Deadly for a Good Purpose, which was also discovered by MalwareHunterTeam, back in October. Both variants have similar ransom notes, source code, email addresses and Bitcoin addresses, suggesting they either share the same author or that FireCrypt is simply a rebranded version of Deadly for a Good Purpose.
Abrams said Thursday that the developer behind FireCrypt probably thought it’d be fun to incorporate a DDoS component. That said, he doesn’t foresee other attackers building off the idea.
“A properly executed DDoS attack via computer malware requires persistence and concealment. This is completely at odds to a successful ransomware campaign, which wants to get in and out, leave a ransom note and wait for payments. Very few leave any persistence other than the displaying of ransom notes,” Abrams said.
The fact the DDoS component would likely be caught by an anti-malware scanner makes it less functional as well, Abrams claims.
“The act of encrypting a computer will cause a victim to scan their computer for other malware, which would then detect the persistent DDoS component. Therefore, “I do not see this as a viable method of performing these types of persistent attacks,” he said.