A fan of the thriller "The Purge" attacks its victims with ransomware

by sigismund » 2016-08-25 12:33:46


Unlike other ransomware Trojans, Globe encrypts files using the Blowfish algorithm rather than AES.


In recent years, hacking and pop culture have intersected as never before; take, for instance, the emergence of the new ransomware Trojans FSociety and PokemonGO, named after the television series "Mr. Robot" and the popular game Pokémon. As reported by Bleeping Computer, security expert xXToffeeXx found a piece of ransomware called Globe, evidently created by a fan of the American dystopian thriller "The Purge".

Globe operates in the same way as most ransomware. Once on the victim's system, the malware encrypts files, appends the extension .purge, and displays a ransom demand. The poster for "The Purge 3" is set as the wallpaper. However, unlike other ransomware Trojans, Globe encrypts files using the Blowfish algorithm rather than AES. Moreover, instead of a text or HTML file, the ransom notification is an HTML Application (HTA).

Currently, it is unknown how the malware gets onto victims' computers. Once installed on the system, Globe checks whether it is running in a sandbox or a virtual machine such as Anubis, VirtualBox, VMware or Virtual PC. If it finds a sandbox or virtual machine, the malware ceases further activity; otherwise, it proceeds to encryption.

During encryption, the ransomware creates a ransom note in the form of an HTA document (How to restore files.hta) in each folder containing encrypted files, and creates a startup entry, How to restore files, which opens the notification each time Windows starts. While encrypting, Globe also removes shadow copies and disables automatic system recovery after a failed boot (Startup Repair).

After completing the process, the ransomware displays How to restore files.hta. The notification contains a unique user ID and contact details (the email address [email protected] and the Bitmessage address BM-2cUrKsazEKiamN9cZ17xQq9c5JpRpokca5).
Since preliminary analysis of Globe did not reveal any weaknesses in its encryption, it is not yet possible to develop a tool that would recover encrypted files without paying the ransom.
sigismund
moderators
Posts: 788
Deposit: 0 BTC

Rating: 5
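The post describes two on-disk artefacts an infection leaves behind: files renamed with the .purge extension and a "How to restore files.hta" note dropped in every affected folder. The following script, added here as an illustration and not code from the post or from any vendor tool, walks a directory tree and collects those indicators so a responder can gauge the extent of an infection. The sample directory it builds is constructed for the demo; the only real value it reuses is the Bitmessage address quoted in the post, which it looks for inside the note as a secondary indicator.

```python
"""Constructed example: look for the on-disk artefacts the post attributes to
the Globe ransomware (".purge" extension on encrypted files and a
"How to restore files.hta" ransom note in each affected folder).
Not the ransomware's code and not a vendor tool; the sample files are
constructed here so the script runs offline."""
import os
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".purge"                       # extension appended to encrypted files
RANSOM_NOTE_NAME = "How to restore files.hta"  # HTA note dropped in each folder
# Bitmessage contact address quoted in the post; used as a content indicator
BITMESSAGE_ADDR = "BM-2cUrKsazEKiamN9cZ17xQq9c5JpRpokca5"


def build_sample_tree(root):
    """Create a constructed directory layout resembling a partly encrypted host."""
    root = Path(root)
    docs = root / "Documents"
    pics = root / "Pictures"
    docs.mkdir(parents=True)
    pics.mkdir(parents=True)
    # Encrypted files keep their original name with .purge appended
    (docs / "report.docx.purge").write_bytes(b"\x00" * 32)
    (docs / "budget.xlsx.purge").write_bytes(b"\x00" * 32)
    (docs / RANSOM_NOTE_NAME).write_text(
        "<html>...contact " + BITMESSAGE_ADDR + "...</html>")
    (pics / "holiday.jpg.PURGE").write_bytes(b"\x00" * 32)
    # A second note that does not carry the known address (constructed)
    (pics / RANSOM_NOTE_NAME).write_text("<html>ransom note without address</html>")
    (root / "untouched.txt").write_text("clean file")


def scan_for_globe_indicators(root):
    """Walk `root` and collect Globe-style indicators as a summary dict."""
    encrypted, notes, notes_with_address = [], [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(path)
            elif name == RANSOM_NOTE_NAME:
                notes.append(path)
                try:
                    text = Path(path).read_text(errors="replace")
                except OSError:
                    continue  # unreadable note still counts as a note
                if BITMESSAGE_ADDR in text:
                    notes_with_address.append(path)
    return {
        "encrypted_files": sorted(encrypted),
        "ransom_notes": sorted(notes),
        "notes_with_known_address": sorted(notes_with_address),
        # Both artefact types together are a strong sign of this family
        "likely_globe": bool(encrypted) and bool(notes),
    }


def run_demo():
    """Build the constructed tree in a temp dir, scan it and return the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_for_globe_indicators(tmp)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The extension check is case-insensitive and the note is matched by exact filename, so a folder that holds the note but no renamed files still shows up; in practice you would point scan_for_globe_indicators at a mounted image or user profile rather than the constructed tree.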