February 06, 2017
Ransomware infections are problematic enough on their own, even if they aren't the subject of a prank or some condescending programmer trying to "teach" you about the dangers of crypto-ransomware.
Both types, the ones used for practical jokes and the ones used for "educational" purposes, have been seen in the wild in the past few months.
The latest "prank" is a new ransomware strain named YourRansom, discovered today by Forcepoint researcher Roland Dela Paz.
YourRansom coded on top of an open-source ransomware kit
According to Dela Paz, YourRansom was coded on top of an open-source ransomware project of the same name, written in Go and released on GitHub last month by a Chinese developer. This once again shows why open-sourcing ransomware kits is and will remain a big problem.
At the time of writing, there are no clues to suggest that this ransomware is the subject of an en masse distribution campaign, and its author might have only used it to infect his friends and play a cruel trick on them. But that's just wishful thinking on our part.
The worst case scenario is that this iteration of YourRansom could only be a test version, and we might see a fully-weaponized version in the future.
YourRansom infection routine
According to tests carried out by Bleeping Computer's Lawrence Abrams, the YourRansom sample Dela Paz discovered does not behave like the open-source variant available on GitHub, which means some modifications have been done to its source code.
After launching the customized YourRansom payload, the ransomware will search for and encrypt the following file types.
YourRansom skips files in folders that contain the following strings in their name:
[Screenshot: YourRansom encrypting files]
After the encryption process ends, the ransomware will append the .yourransom file extension at the end of encrypted files. This means a file named photo.png would be encrypted and then renamed to photo.png.yourransom. Examples of this can be seen below.
[Screenshot: YourRansom encrypted files]
After the encryption ends, YourRansom will create the following files in the same location as the ransomware executable.
The YourRansom.key file contains the encryption key. Compared to the GitHub version of the ransomware, a file is missing, and that's YourRansom.dkey, the file that was supposed to contain the decryption key.
YourRansom doesn't save the decryption key anywhere
YourRansom does not initiate any outbound network requests, meaning the decryption key is not sent to an online server.
"At this time, according to the GitHub version, you should be able to run the ransomware again with the -d flag and it should read the decryption key. But it fails," Abrams explains, noting the missing decryption key file.
The README.txt file, which contains the ransom note, suggests that this might be a joke.
[Screenshot: YourRansom ransom note]
Bleeping Computer has contacted YourRansom's author and has obtained more information about the encryption routine.
"Send me the YourRansom.key file. I'll return you a YourRansom.dkey file. Put it in the directory of YourRansom binary file and rerun it. Your file will be unlocked," the YourRansom author said.
Let's hope this is just an isolated prank spread among friends and not a threat that's being prepared for larger distribution. Users who discover the YourRansom.key file might think it's the "virus-infected file" and delete it. This would spell trouble for victims, as they would most likely lose their data for good.
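As an added illustration of the infection artifacts described above (this is example triage code written for this article, not part of YourRansom or the GitHub project), the script below does a read-only walk of a directory tree, collects the .yourransom files, the YourRansom.key, YourRansom.dkey and README.txt artifacts, and tells a responder whether the key file needed for recovery is still present. The sample directory it builds is constructed for the demonstration.

```python
import os
import tempfile

# Artifact names are those described in the write-up; the sample tree built by
# make_sample_tree() is constructed for this example and is not a real infection.
ENCRYPTED_EXT = ".yourransom"
KEY_FILE = "YourRansom.key"
DKEY_FILE = "YourRansom.dkey"
NOTE_FILE = "README.txt"


def triage(root):
    """Read-only walk of `root` collecting YourRansom artifacts by name."""
    found = {"encrypted": [], "key": [], "dkey": [], "note": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_EXT):
                found["encrypted"].append(path)
            elif name == KEY_FILE:
                found["key"].append(path)
            elif name == DKEY_FILE:
                found["dkey"].append(path)
            elif name == NOTE_FILE:
                found["note"].append(path)
    return found


def assess(found):
    """Summarise what a responder should do with the artifacts found."""
    if not found["encrypted"]:
        return "clean"
    if not found["key"]:
        return "encrypted, key file missing: recovery unlikely"
    if found["dkey"]:
        return "encrypted, key and dkey present: rerun with -d may decrypt"
    return "encrypted, preserve YourRansom.key: needed to obtain the dkey"


def make_sample_tree():
    """Constructed post-infection layout matching the article's description."""
    root = tempfile.mkdtemp(prefix="yourransom-demo-")
    for rel in ("photo.png.yourransom", "docs/report.docx.yourransom",
                KEY_FILE, NOTE_FILE):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"placeholder")  # contents are irrelevant to the triage
    return root


if __name__ == "__main__":
    result = triage(make_sample_tree())
    print(len(result["encrypted"]), "encrypted files;", assess(result))
```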
At this point, we'd prefer it if someone weaponized and mass-distributed ransomware like EduCrypt or Koolova, with which at least you don't risk losing your files.
For example, EduCrypt encrypts files but gives victims a free decryptor to recover data after it chastises users via the ransom note about the dangers of downloading random files off the Internet.
[Screenshot: EduCrypt ransom note]
A more recent "educational" ransomware is Koolova, which works by activating a decryption button once the user reads two articles about ransomware. Both are better jokes when compared to YourRansom.