News

New LLTP Ransomware Appears to be a Rewritten Venus Locker

March 22, 2017

A new ransomware was discovered today by MalwareHunterTeam called LLTP Ransomware or LLTP Locker that is targeting Spanish speaking victims. On a closer look, this ransomware appears to be a rewritten version of the VenusLocker ransomware.

In summary, the LLTP Ransomware has the ability to work in online or offline mode. So regardless of whether there is a connection to the Internet, the ransomware will still encrypt a victim's files. Furthermore, unlike most ransomware, this family assigns different extensions to encrypted files based upon the file's original extension.

Unfortunately, at this time there is no way to decrypt this ransomware for free. 

How the LLTP Ransomware Encrypts a Computer

When first started, the LLTP ransomware will connect to its Command & Control server located at http://moniestealer.co.nf and send the victim's computer name, user name, and the identifier string "lltp2.4.0". From the lltp2.4.0 string, I am making the assumption that the ransomware developers consider this version 2.4.0 of the ransomware.

When the ransomware connects to the C2 server, the C2 server will respond with a AES password that is used to encrypt the victim's files and an ID that will be inserted into the ransom notes. If the ransomware is unable to connect with the C2 server, then the ransomware itself will generate this information.

The encryption password is then encrypted using an embedded public RSA encryption key and saved in a file called %UserProfile%\AppData\Local\Temp\tlltpl.tlltpl as shown below.
source save key                                                                    Saving the Encryption Key to tlltpl.tlltpl

ransom1

Below is the current embedded RSA key used to encrypt the victim's AES password.
ransom2The LLTP ransomware will now proceed with encrypting the victim's files using AES-256 encryption. Unlike most ransomware, this family utilizes a different extension for encrypted files depending on the file's original extension. With LLTP, if a file contains one of the following extensions it will append the .ENCRYPTED_BY_LLTP extension to the encrypted file.
ransom3If a file has one of these extensions, then it will use the .ENCRYPTED_BY_LLTPp extension.
ransom4

When encrypting a file it will take the original filename, Base64 encode it, and then append the appropriate extension based on the file types listed above. For example, a file named Wildlife.wmv will be encrypted to a file named V2lsZGxpZmUud212.ENCRYPTED_BY_LLTPp.

While encrypting files, it will skip any files located in the following folders:
ransom5

The ransomware will also create a folder called %Temp%\lltprwx86\ and extract into it a file called encp.exe, which is a renamed copy of Rar.exe. It will then create a subfolder called vault and make a copy of all the files encrypted with a .ENCRYPTED_BY_LLTPp extension. When finished, it will use the encp.exe to create a password protected RAR archive of the vault folder. The password for this archive will be the same 32 character passwords used to encrypt the files. The reason for creating this archive is currently unknown.

The command used to create the password protected archive is:
ransom6When the encryption process is done, LLTP will delete the shadow volume copies on the computer to prevent a victim from recovering files. It does this by issuing the following command:
ransom7It will also extract a file called RansomNote.exe and store it on the desktop.  It will then create an autostart so that this program run automatically when a user logs into Windows. When executed, this program will display a Spanish ransom note to the victim as shown below.

lltp ransom note                                                                                  Spanish Ransom Note

It will also extract a text ransom note on the desktop called LEAME.txt.

text ransom note                                                                             Leame.txt Ransom Note

Finally the ransom will download a jpg file from http://i.imgur.com/VdREVyH.jpg and use it as the desktop background.

background                                                                                    LLTP Background

Both of these ransom note and the desktop background demand a ransom payment of .2 BTC, or approximately $200 USD. It is instructed that this payment should be sent to the bitcoin address 19fhNi9L2aYXTaTFWueRhJYGsGDaN6WGcP and then the victim should contact the author at This email address is being protected from spambots. You need JavaScript enabled to view it. with their personal ID and the payment transaction. At this time there have been no payments made to the listed bitcoin address.

As previously said, unfortunately at this time the LLTP Ransomware does not look like it can be decrypted.

IOCS:
Files associated with the LLTP Ransomware:
ransom8
Registry entries associated with the LLTP Ransomware:

ransom9Hashes:
ransom10

Network Communication

ransom11

 

LLTP Lock Screen Ransom Note Text:
ransom12

LEAME.txt Ransom Note Text:
ransom13

News Courtesy : https://www.bleepingcomputer.com/news/security/new-lltp-ransomware-appears-to-be-a-rewritten-venus-locker/