A new ransomware strain provides victims with a QR code they can scan in order to make a mobile ransom payment.
Sven Carlsen, an expert from security firm Avira, explains in a blog post that the ransomware, dubbed Rokku, is making the rounds via spear-phishing emails – a common method of delivery for crypto-ransomware.
Once downloaded onto a victim’s computer, however, the malware quickly begins to distinguish itself from Locky, Teslacrypt, and other ransomware.
Straight out of the gate, Rokku deletes all of a machine’s shadow copies, thereby preventing the victim from recovering their files via the use of third-party file restoration services.
The ransomware then encrypts the victim’s data using RSA-512 – a strong but not impossible to break crypto algorithm – and appends the .ROKKU extension to each encrypted file.
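A defender can turn the one concrete artefact the article gives, the .ROKKU extension written to every encrypted file, into a simple burst detector. The example below is added here and is not code from the article, Avira or Softpedia; the audit-event format and sample events are constructed, and the threshold and window are assumptions to tune against real EDR or file-audit data.

```python
"""Flag a Rokku-style encryption burst in file-system audit events.

Added example, not from the article. The event format below is
constructed for illustration; real EDR/audit logs will differ.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "<ISO timestamp> <pid> <op> <path>"
SAMPLE_EVENTS = """\
2016-03-19T10:00:01 4120 WRITE C:\\Users\\bob\\Documents\\report.docx.ROKKU
2016-03-19T10:00:01 4120 DELETE C:\\Users\\bob\\Documents\\report.docx
2016-03-19T10:00:02 4120 WRITE C:\\Users\\bob\\Documents\\budget.xlsx.ROKKU
2016-03-19T10:00:02 4120 DELETE C:\\Users\\bob\\Documents\\budget.xlsx
2016-03-19T10:00:03 4120 WRITE C:\\Users\\bob\\Pictures\\holiday.jpg.ROKKU
2016-03-19T10:00:03 4120 DELETE C:\\Users\\bob\\Pictures\\holiday.jpg
2016-03-19T10:05:00 2200 WRITE C:\\Users\\bob\\Documents\\notes.txt
"""

RANSOM_EXT = ".rokku"           # extension Rokku appends (from the article)
THRESHOLD = 3                   # assumed: .ROKKU writes per window before alerting
WINDOW = timedelta(seconds=10)  # assumed: sliding window width

def parse_event(line):
    ts, pid, op, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), int(pid), op, path

def find_encryption_bursts(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {pid: peak_count} for processes that wrote at least
    `threshold` .ROKKU files inside any `window`-wide sliding window."""
    hits = defaultdict(list)  # pid -> timestamps of .ROKKU writes
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, pid, op, path = parse_event(line)
        if op == "WRITE" and path.lower().endswith(RANSOM_EXT):
            hits[pid].append(ts)
    alerts = {}
    for pid, stamps in hits.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:  # slide the left edge
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[pid] = max(count, alerts.get(pid, 0))
    return alerts

if __name__ == "__main__":
    for pid, n in find_encryption_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT pid {pid}: {n} .ROKKU writes within {WINDOW.seconds}s")
```

The alert fires on the burst from pid 4120 while the ordinary write by pid 2200 is ignored; on a real host the same logic belongs in the EDR or file-audit pipeline, not in a script run after the fact.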
At that point, the malware displays its ransom message, providing the victim with the option to select their language of choice.
Like most ransomware messages, Rokku’s note instructs the user to visit a Tor website in order to pay the ransom fee. That hidden website has two distinguishing factors.
First, it asks for only 0.24 BTC (US $100.14), a mere fraction of what other crypto-ransomware samples demand.
Second, the site displays a QR code presumably in an effort to make paying the ransom as simple as possible, as Catalin Cimpanu explains in a Softpedia report:
“Scanning this QR code with your phone would allow you to easily pay the ransom money if you have a Bitcoin wallet app installed on the device. At the time of writing, no payments have been received in the Rokku Bitcoin account, but the ransomware was only spotted for the first time on March 19, so it may not have had time to spread to a large number of victims.”
Rokku was first seen by the VirusTotal service earlier in March. At the time of writing, no anti-virus solutions detect the ransomware executable as malicious.
To make matters worse, there is no way for users to recover their files – that is, unless they are willing to attempt to break the RSA-512 algorithm.
With that in mind, users should be careful when clicking on suspicious links and email attachments from senders they do not know. It is also highly recommended that users back up their data just in case they are ever exposed to ransomware.
5 comments on “Trouble paying the ransom? This ransomware provides QR code for mobile payment”
First seen March 19, yet as of April 3 zero products flag it? Wow. I would have expected that by now, at least 10% of products would flag it.
So here are my questions.
1) Why are people still paying for products that protect against ancient threats but not against today's threats?
2) How are people protecting their systems against this and similar threats? Are we purely relying on people knowing that you shouldn't click on attachments? Because that isn't working.
1. Who would want to be hit by an "ancient" threat? Protection should cover all "periods".
2. Education & updates & backup & backup & backup. At the rate the software is evolving, I doubt that there is an automated solution 100% secure, without any loss/fuss.
His questions were, I believe, rhetorical.
Does Dr. Solomon mean anything to you? Hint.
But I'll elaborate:
1. It is hard to fathom that no AV has of yet flagged this as malicious.
2. Many free AVs would cover most old bugs and many bugs only work under environments that many people (perhaps most) don't even have access to these days. More to the point: why pay for CURRENT AV if they don’t protect against CURRENT THREATS ?
3. This is nothing new so 'at the rate' is meaningless (it's always been evolving); there has never been a 100% secure environment. There never will be either. It's a cat-and-mouse game. The fact no AV has yet marked this (the amount of time between discovery and now is far too long for AV products to wait) is relevant.
4. Backups are useless if they aren't tested regularly. I understand your meaning but it is still worth pointing out. It also should be secure backups (many people don't back up, but many of those who do don't follow the best practices for backups).
So his points are all valid.
C'mon, at the time of the writing 40 out of 57 AVs detected Rokku: https://www.virustotal.com/ru/file/ef23e33ee7875d2cccc1c8bcc234b9e898e679348adbe84aedc9bf19c1cd7009/analysis/