Security researchers have discovered a new ransomware that encrypts victim files and redirects victims to an online page. Most notably, it demands that victims pay the ransom by credit or debit card.
The ransomware is not currently being actively distributed and appears to be under development. Security researcher MalwareHunter found the first samples on January 15.
The ransomware identifies itself as MindLost, but Microsoft detects it as Paggalangrypt. It targets files with a small set of specific extensions (such as c, jpg, mp3, mp4, pdf, png, py, and txt) and scans all files stored on the device except those in three folders: Windows, Program Files and Program Files (x86).
The biggest clue that MindLost is still in development is that it spends a lot of time scanning files but ends up encrypting only the files in the "C:\Users" folder.
All encrypted files have a new .enc extension appended; for example, a file named image.png is renamed image.png.enc once encrypted.
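A triage sketch for the renaming pattern described above, added here as an example and not taken from the original report or from any vendor tooling: it classifies paths from a file listing as renamed by the pattern (targeted extension plus .enc), still untouched, or irrelevant, and tallies them per user profile. The function names and the sample listing are constructed; the extension list is the article's and may be partial.

```python
from collections import Counter
from pathlib import PureWindowsPath

# Extensions the article gives as examples of targeted files (possibly partial).
TARGET_EXTS = {"c", "jpg", "mp3", "mp4", "pdf", "png", "py", "txt"}
# Top-level folders the article says the scan skips.
SKIPPED_ROOTS = {"windows", "program files", "program files (x86)"}

def classify(path):
    """Return 'renamed', 'at_risk' or 'other' for one Windows path."""
    p = PureWindowsPath(path)
    parts = p.parts[1:] if p.anchor else p.parts  # drop the drive anchor
    if parts and parts[0].lower() in SKIPPED_ROOTS:
        return "other"
    suffixes = [s.lstrip(".").lower() for s in p.suffixes]
    # Pattern from the article: original targeted extension kept, .enc appended.
    if len(suffixes) >= 2 and suffixes[-1] == "enc" and suffixes[-2] in TARGET_EXTS:
        return "renamed"
    if suffixes and suffixes[-1] in TARGET_EXTS:
        return "at_risk"
    return "other"

def summarize(paths):
    """Per user profile under the Users folder: counts of renamed and at_risk files."""
    stats = {}
    for path in paths:
        kind = classify(path)
        parts = PureWindowsPath(path).parts
        # Expect drive, Users, profile name, then at least a file name.
        if kind == "other" or len(parts) < 4 or parts[1].lower() != "users":
            continue
        stats.setdefault(parts[2], Counter())[kind] += 1
    return stats

# Constructed sample listing, not data from a real incident.
SAMPLE = [
    r"C:\Users\alice\Pictures\image.png.enc",
    r"C:\Users\alice\Documents\report.pdf.enc",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\bob\src\main.c",
    r"C:\Users\bob\vault\backup.enc",    # .enc without a targeted inner extension
    r"C:\Windows\Temp\log.txt.enc",      # inside a folder the scan skips
    r"C:\Program Files\App\readme.txt",
]

if __name__ == "__main__":
    for profile, row in sorted(summarize(SAMPLE).items()):
        print(f"{profile}: renamed={row['renamed']} untouched={row['at_risk']}")
```

Requiring a targeted inner extension keeps files that legitimately end in .enc, such as an encrypted backup, out of the count.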
Once encryption is complete, MindLost downloads an image from a remote server containing instructions for recovering the files and sets it as the computer's new desktop wallpaper.
For persistence, MindLost also sets a registry key to ensure that its executable runs each time the computer restarts.
The image tells the victim to visit a designated web page to purchase the decryptor needed to recover the files.
Remarkably, MindLost does not demand payment in Bitcoin but instead requires the victim to use a credit or debit card. However, this will inevitably cost MindLost's operators their anonymity.
Researchers think one reason for this may be to get victims to enter their payment card details on the operators' website, so the details can be sold to other hackers. Another reason may be that the payment module is not yet complete, and the templates copied from elsewhere are likely to be replaced in future releases.
In addition, the researchers said there are a number of errors in MindLost's coding. For example, a person's name (Hi Daniel Ohayon!) appears in a file path in the binary. Although this may be a false flag intended to send investigators in the wrong direction, it is not the only error.
According to MalwareHunter, only four MindLost samples have been detected on VirusTotal so far, and all appear to be in development. However, if it enters active distribution, victims should think carefully before entering payment card details, because they may suffer further harm if those details are leaked.
Source: bleepingcomputer