New C# Ransomware Compiles itself at Runtime
A new in-development ransomware was discovered that has an interesting characteristic. Instead of the distributed executable carrying the ransomware functionality itself, the executable decrypts an embedded C# program, compiles it at runtime, and launches the result directly from memory.
Discovered by MalwareHunterTeam, this ransomware contains an encrypted string that is embedded into the dropper as shown below.
This string is decrypted at runtime using a decryption key that is also included in the dropper. Because the key ships alongside the ciphertext, the encryption adds nothing against an analyst; its only purpose is to keep the ransomware code and strings out of the file that is actually distributed.
Once the source code of the ransomware has been decrypted, it is passed to another function that compiles it with the CSharpCodeProvider class (Microsoft.CSharp / System.CodeDom.Compiler), loads the resulting assembly in memory, and invokes it.
This method is most likely intended to prevent the dropper from being flagged by security software, since all malicious behavior is hidden inside the encrypted string and the dropper itself contains no ransomware code. It is not invisible at runtime, though: on the .NET Framework, CSharpCodeProvider compiles by spawning csc.exe and writing the source, command line and output through temporary files under %TEMP%. A process that is not a development tool launching csc.exe is therefore a strong behavioral signal for this technique.
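To make the loader pattern concrete, here is an added, illustrative reconstruction of the decrypt-compile-invoke flow described above. It is not code from the sample or from the original article: the payload is a benign class that returns a string, the cipher (AES-256-CBC with PKCS7 padding), the key and IV values, and the Payload/Run names are all assumptions chosen so the example runs, and it targets the .NET Framework (4.x), where CSharpCodeProvider shells out to csc.exe.

```csharp
// Added illustration of the compile-at-runtime loader pattern. NOT the sample's code:
// benign payload; cipher, key, IV and class/method names are assumptions.
// Targets .NET Framework 4.x, where CSharpCodeProvider invokes csc.exe.
using System;
using System.CodeDom.Compiler;
using System.Reflection;
using System.Security.Cryptography;
using System.Text;
using Microsoft.CSharp;

static class RuntimeCompileLoader
{
    // Hardcoded key and IV, as a dropper would carry them (assumed values).
    static readonly byte[] Key = Encoding.ASCII.GetBytes("0123456789abcdef0123456789abcdef"); // 32 bytes
    static readonly byte[] IV  = Encoding.ASCII.GetBytes("fedcba9876543210");                 // 16 bytes

    // Benign stand-in for the embedded ransomware source.
    const string BenignSource = @"
        using System;
        public static class Payload
        {
            public static string Run() { return ""payload ran from memory""; }
        }";

    // AES-256-CBC in both directions; the same routine a dropper would use to decrypt.
    static byte[] Transform(byte[] input, bool encrypt)
    {
        using (Aes aes = Aes.Create())
        {
            aes.Key = Key;
            aes.IV = IV;
            aes.Mode = CipherMode.CBC;
            aes.Padding = PaddingMode.PKCS7;
            using (ICryptoTransform t = encrypt ? aes.CreateEncryptor() : aes.CreateDecryptor())
                return t.TransformFinalBlock(input, 0, input.Length);
        }
    }

    // Compile C# source text to an assembly that is loaded without a final DLL on disk.
    // GenerateInMemory only controls loading: csc.exe is still spawned and the
    // .cs/.cmdline/.dll files still pass through %TEMP%, which is the detectable footprint.
    static Assembly CompileInMemory(string source)
    {
        var provider = new CSharpCodeProvider();
        var parameters = new CompilerParameters
        {
            GenerateInMemory = true,
            GenerateExecutable = false
        };
        parameters.ReferencedAssemblies.Add("System.dll");

        CompilerResults results = provider.CompileAssemblyFromSource(parameters, source);
        if (results.Errors.HasErrors)
        {
            var sb = new StringBuilder();
            foreach (CompilerError e in results.Errors) sb.AppendLine(e.ToString());
            throw new InvalidOperationException("compile failed:\n" + sb);
        }
        return results.CompiledAssembly;
    }

    static void Main()
    {
        // A real dropper embeds the ciphertext as a constant (often base64);
        // it is produced here so the example is self-contained.
        byte[] embedded = Transform(Encoding.UTF8.GetBytes(BenignSource), encrypt: true);
        Console.WriteLine("embedded blob (base64): " + Convert.ToBase64String(embedded));

        // 1. decrypt the embedded source with the bundled key and IV
        string source = Encoding.UTF8.GetString(Transform(embedded, encrypt: false));

        // 2. compile it at runtime
        Assembly asm = CompileInMemory(source);

        // 3. find the entry point by reflection and invoke it; the dropper on disk
        //    never contained the payload's code or strings in the clear
        MethodInfo entry = asm.GetType("Payload").GetMethod("Run", BindingFlags.Public | BindingFlags.Static);
        Console.WriteLine(entry.Invoke(null, null));
    }
}
```

When run, the program prints the base64 blob it would have embedded, then "payload ran from memory". Watching it with a process monitor shows the part that matters to defenders: the parent spawns %WINDIR%\Microsoft.NET\Framework\v4.0.30319\csc.exe with a .cmdline argument pointing into %TEMP%, which is exactly the parent/child relationship a detection rule for this loader should key on.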
As for the ransomware itself, other than saving the decryption key and IV to a file on the victim's desktop (a debugging leftover that would let a victim decrypt their own files and marks the sample as unfinished), it is fully functional. It therefore would not be surprising to see this ransomware distributed at some point.
When executed, it encrypts the files on the victim's computer and renames each one using the template [email]_[hex], where [hex] is the hexadecimal encoding of the original file name. For example, a file called 11.jpg would be encrypted and renamed to [email]_31312E6A7067 (the bytes 31 31 2E 6A 70 67 are the ASCII for "11.jpg"). Because the original name is encoded rather than discarded, it can be recovered from the renamed file.
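Since the rename scheme preserves the original name as hex, an incident responder can map renamed files back to their original names before or after decryption. The helper below is an added example, not code from the article or the malware. It assumes the text after the last underscore is the hex of the original name's bytes and that those bytes are UTF-8 (the one published example, 31312E6A7067 for "11.jpg", is plain ASCII, so non-ASCII names are an untested assumption). The e-mail address used in the constructed inputs is a placeholder, not the real extortion address.

```csharp
// Added helper for recovering original file names from the "<email>_<hex>" rename scheme.
// Not part of the original article or the malware. Assumes hex-of-UTF-8 (see lead-in).
using System;
using System.Collections.Generic;
using System.IO;
using System.Text;
using System.Text.RegularExpressions;

static class RenamedFileDecoder
{
    // Greedy prefix so any underscores inside the e-mail address stay in the prefix;
    // the hex run must be an even number of hex digits.
    static readonly Regex Pattern = new Regex(@"^(?<prefix>.+)_(?<hex>(?:[0-9A-Fa-f]{2})+)$");

    // Returns true and the original name if 'renamed' fits the scheme and decodes to a
    // plausible file name; false for ransom notes, untouched files and garbage.
    public static bool TryDecode(string renamed, out string original)
    {
        original = null;
        Match m = Pattern.Match(renamed);
        if (!m.Success) return false;

        string hex = m.Groups["hex"].Value;
        var bytes = new byte[hex.Length / 2];
        for (int i = 0; i < bytes.Length; i++)
            bytes[i] = Convert.ToByte(hex.Substring(2 * i, 2), 16);

        string candidate;
        try
        {
            // Strict decoding: invalid UTF-8 means this was not an encoded name.
            candidate = new UTF8Encoding(false, throwOnInvalidBytes: true).GetString(bytes);
        }
        catch (DecoderFallbackException)
        {
            return false;
        }

        // Reject control characters and path separators (e.g. a lone 00 byte).
        if (candidate.Length == 0 || candidate.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
            return false;

        original = candidate;
        return true;
    }

    // Walk a directory tree and map each renamed file to the path it should be restored to.
    // Only builds the map; renaming should happen after the contents have been decrypted.
    public static Dictionary<string, string> MapDirectory(string root)
    {
        var map = new Dictionary<string, string>();
        foreach (string path in Directory.EnumerateFiles(root, "*", SearchOption.AllDirectories))
        {
            string name = Path.GetFileName(path);
            if (name.Equals("HOW DECRIPT FILES.hta", StringComparison.OrdinalIgnoreCase)) continue; // ransom note
            string original;
            if (TryDecode(name, out original))
                map[path] = Path.Combine(Path.GetDirectoryName(path), original);
        }
        return map;
    }

    static void Main(string[] args)
    {
        // Constructed inputs: the article's example, a name containing an underscore,
        // a ransom note, and a hex run that decodes to an invalid name.
        string[] samples =
        {
            "email@example.com_31312E6A7067",                 // -> 11.jpg
            "email@example.com_7265706F72745F76322E646F6378", // -> report_v2.docx
            "HOW DECRIPT FILES.hta",                          // no match
            "email@example.com_00"                            // NUL byte, rejected
        };
        foreach (string n in samples)
        {
            string orig;
            Console.WriteLine(n + " -> " + (TryDecode(n, out orig) ? orig : "(not a renamed file)"));
        }

        if (args.Length == 1)
            foreach (KeyValuePair<string, string> kv in MapDirectory(args[0]))
                Console.WriteLine(kv.Key + " -> " + kv.Value);
    }
}
```

Run with no arguments to see the four constructed cases; pass a directory path to print the full restore map for an affected tree.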
In each folder that is scanned, a ransom note named HOW DECRIPT FILES.hta (the malware author's spelling) is created, which provides payment instructions.
While this ransomware is still in development, it does use an interesting feature that we have not seen in ransomware before. This goes to show how attackers continue to try and think up new ways to bypass security programs that protect your computer.
About Network America
Established in 1991, Network America is a premier professional services organization providing license procurement, design, training, implementation and ongoing support for systems management, security management, asset management, mobility management, and service management solutions to organizations worldwide. Network America is a veteran-owned small business and is a schedule 70 GSA holder. With a longstanding reputation for seasoned deployment engineers and expert information technology business consultants, Network America is the longest operating Ivanti Platinum Partner, having been in the expert solution provider program for over 19 years. Headquartered in Treasure Island, Florida, Network America serves clients throughout the world including United States, Canada, Puerto Rico and Curacao.