2013-09-12 - Evolution

Revoyem goes international - shocking distribution....



The dirty Revoyem (aka DirtyDecrypt) ransomware seems to have appeared at the end of March 2013 and was targeting Germany and Great Britain only. It looks like they are now going international and are really aggressive in the way they distribute it.

I already mentioned the "double kick the victim" way of distribution of some ransomware. I saw that in action again today. From a porn website, you are redirected by a TrafficHolder malvert to a child-porn-themed page (impact 1: images are highly disturbing here), from which you get infected via Styx, which drops a ransomware locking your computer, displaying disturbing images and telling you that you just viewed illegal content (impact 2, amplified because it's true... you just viewed illegal content, even if you were driven there against your will).

1: Bring the victim to illegal content.
2: Infect and lock the victim for seeing illegal content.
Sample: 4382872727fc8c0996fa315c599ecdf0 (in the zip at the end or in the malwr.com analysis)

C&C : 95.211.109.206 korrambatu .biz
16265 | 95.211.0.0/16 | LEASEWEB | NL | LEASEWEB.COM | LEASEWEB B.V.

Malwr.com analysis (that I can now link here - thanks Claudio for redacting the design successfully captured)
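As an added example (not code from the original post), here is a small defender-side scan that checks proxy log lines against the indicators given above: the C&C IP, the C&C domain (written defanged in the post; joined here), and the sample's MD5. The LeaseWeb /16 from the ASN line is far too broad to block, so a hit on it only produces a low-confidence finding. The log format and the log lines themselves are constructed for the example and are not from the post.

```python
import ipaddress
import re

# Indicators taken from the post: C&C IP and domain, and the sample's MD5.
REVOYEM_IPS = {"95.211.109.206"}
REVOYEM_DOMAINS = {"korrambatu.biz"}  # written defanged ("korrambatu .biz") in the post
REVOYEM_MD5S = {"4382872727fc8c0996fa315c599ecdf0"}
# Hosting netblock from the ASN line in the post. Too broad to block, so a
# match here is only a low-confidence "look closer" finding.
CNC_NETBLOCK = ipaddress.ip_network("95.211.0.0/16")

# Constructed proxy log lines (format and values assumed, not from the post):
# <timestamp> <client_ip> <dest_host> <dest_ip> <url>
SAMPLE_PROXY_LOG = """\
2013-09-12T10:01:03Z 10.0.0.15 www.example.org 93.184.216.34 http://www.example.org/
2013-09-12T10:01:09Z 10.0.0.15 cdn.korrambatu.biz 95.211.109.206 http://cdn.korrambatu.biz/gate.php
2013-09-12T10:02:44Z 10.0.0.21 static.example.net 95.211.77.9 http://static.example.net/img.png
2013-09-12T10:03:01Z 10.0.0.15 korrambatu.biz 203.0.113.7 http://korrambatu.biz/
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<host>\S+) (?P<dest>\S+) (?P<url>\S+)$"
)


def domain_matches(host, iocs):
    """True if host equals an IoC domain or is a subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in iocs)


def scan_proxy_log(text):
    """Return (client, reason, confidence) findings, one per suspicious line."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        client, host, dest = m["client"], m["host"], m["dest"]
        if dest in REVOYEM_IPS:
            findings.append((client, f"C&C IP {dest}", "high"))
        elif domain_matches(host, REVOYEM_DOMAINS):
            findings.append((client, f"C&C domain {host}", "high"))
        else:
            try:
                in_block = ipaddress.ip_address(dest) in CNC_NETBLOCK
            except ValueError:
                in_block = False  # non-IP destination field
            if in_block:
                findings.append((client, f"hosting netblock {CNC_NETBLOCK}", "low"))
    return findings


def is_known_sample(md5_hex):
    """Check a file's MD5 against the sample hash given in the post."""
    return md5_hex.lower() in REVOYEM_MD5S


if __name__ == "__main__":
    for client, reason, confidence in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"[{confidence}] {client}: {reason}")
```

The domain check matches subdomains as well as the bare domain, since the C&C host may be reached under several labels; the netblock check is kept separate and explicitly low confidence so that a shared hosting range never turns into a blanket block.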

Nothing really new here, but I think it's better to know which countries are targeted.
I made a gathering session and here is the list I saw:

AT, BE, CA, CZ, DE, DK, ES, FR, GB, IT, NL, PL, SE, TR, US

Note: there are quite surely more.
I will only display the US version and the banner for each country, but blurred full designs are available in the zip in case one wants to use them for awareness-raising purposes.

Revoyem US 2013-09-12

Country banners:

AT : Revoyem AT Banner 2013-09-12
BE : Revoyem BE Banner 2013-09-12
CA : Revoyem CA Banner 2013-09-12
CZ : Revoyem CZ Banner 2013-09-12
DE : Revoyem DE Banner 2013-09-12
DK : Revoyem DK Banner 2013-09-12
ES : Revoyem ES Banner 2013-09-12
FR : Revoyem FR Banner 2013-09-12
GB : Revoyem GB Banner 2013-09-12
IT : Revoyem IT Banner 2013-09-12
NL : Revoyem NL Banner 2013-09-12
PL : Revoyem PL Banner 2013-09-12
SE : Revoyem SE Banner 2013-09-12
TR : Revoyem TR Banner 2013-09-12
<edit1:>
More campaigns described by Malekal here: http://www.malekal.com/2013/08/08/dirdecrypt-malvertising-trafficholder/
Some other domains likely involved in the C&C part, via Dhia Mahjoub </edit1>

Kernel Mode thread <- Detailed analysis here (thx @Horgh_Rce for the ping)


Files: in the zip: full blurred designs, sample, Fiddler capture. Here (owncloud via goo.gl) Removed.

Post Publication Reading:
Ransomware shocks its victims by displaying child pornography pictures - 2013-11-21 Jaromir Horejsi - Avast