March 27, 2017
It has been a while since a new ransomware strain was discovered. Rest assured criminals are still coming up with new angles in order to defraud as many people as humanly possible. LLTP Ransomware, also known as LLTP Locker, is targeting Spanish-speaking computer users, which somewhat limits its potential. That being said, ransomware is never fun to deal with, even when it only targets a specific group.
LLTP RANSOMWARE IS AN INTRIGUING MALWARE TYPE
Security researchers are pretty convinced the LLTP ransomware strain is based on the VenusLocker ransomware, which was released a while ago. It is not uncommon for cybercriminals to copy someone else’s work, especially where malware is concerned. Additionally, the rise in popularity of ransomware-as-a-service opens the door for the development of new ransomware types based on the same source code.
As one would expect from LLTP Ransomware, the malware will encrypt computer files. However, there is a slight twist, as this malware will go about its business regardless of whether the user is connected to the internet. That is not always the case, as most popular types of ransomware will connect to a command-and-control server before encrypting files. LLTP is doing things a bit differently in this regard, yet that is not the only unique part.
To be more specific, the LLTP ransomware will communicate to a command-and-control server once an online connection is detected. Once the connection is made, the server will respond with an AES password used to encrypt the victim’s files. However, when it does not find the internet connection, the ransomware will generate an AES key on its own. Quite an intriguing development, that much is certain
LLTP encrypts files by using different file extensions based on the original extension. Virtually every type of ransomware renames files with the ransom family name as the new extension. While this may seem to be a small change, it goes to show some thought went into developing this new malware strain. This also makes it more difficult for security researchers to create a free LLTP decryption tool, although that situation may come to change in the future.
Recovering from an LTTP infection is proving to be quite difficult, though. As soon as the encryption process has been completed, the shadow volume copies on the computer will be removed. This means restoring files from a backup will be virtually impossible. A handy note will be generated on the desktop to explain what has happened to the computer user. All of this will be done in Spanish, of course, although it is not unlikely we will see more localized versions of this malware in the future
At the time of writing, the LTTP ransomware demands a US$200 payment, to be made in bitcoin. Paying this ransom is never the right course of action, even though there is no other way to get rid of this malware by any means. What is rather intriguing is how the bitcoin address used for payments seems to be the same for every victim. This is a godsend for Blockchain analysis companies which may investigate the address. So far, no payments have been made to this address, though.
News Courtesy : https://themerkle.com/bitcoin-ransomware-education-lttp/