New Unlock26 Ransomware and RaaS Portal Discovered

A recently discovered Ransomware-as-a-Service (RaaS) portal was found to be responsible for the distribution of a brand new ransomware family dubbed Unlock26.

The RaaS portal, dubbed Dot-Ransomware, went live on February 19, and security researchers believe the Unlock26 ransomware was released the same day. They also note that the operation is minimal and direct in style, with few instructions, a simple ransom note and a bare-bones payment portal.

Wannabe criminals who register for the service can download two files: core.exe, a base ransomware payload that remains benign until it is configured, and builder.zip, an archive containing the builder and its usage instructions.

The builder, BleepingComputer reports, is a minimal command-line tool through which affiliates can set the ransom amount (including different decryption prices per country), the file types to target, the encryption mode (the whole file or only its first 4MB) and the Bitcoin address to which payment should be sent.

To apply these settings, affiliates load core.exe into the builder, which then produces a fully weaponized binary ready for distribution. From that point on it is up to each affiliate to deliver the malicious file by whatever means they choose.

The generated Unlock26 binary appends a .locked-[XXX] extension to each encrypted file, where XXX appears to be three random alphanumeric characters unique to each victim. Once encryption completes, the malware displays a ransom note instructing the victim to visit one of four Tor-to-Web proxy URLs.
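A responder triaging a share or a disk image will want to confirm the extension pattern described above and find out how many distinct victim tokens are present, since more than one token on the same storage usually means more than one infected host wrote to it. The following is an added example written for this article, not code from the ransomware, the RaaS builder or the researchers; the file paths are constructed, and the token alphabet (three ASCII alphanumerics, case-sensitive) is an assumption based on the article's "three random alphanumeric characters".

```python
import re
from collections import defaultdict

# Constructed sample file listing for illustration; not taken from a real infection.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.locked-a7Q",
    r"C:\Users\alice\Documents\report.docx.locked-a7Q",
    r"C:\Users\alice\Pictures\holiday.jpg",                 # untouched file
    r"\\fileserver\share\contracts\q1.pdf.locked-Zk2",      # second token: another host
    r"C:\Users\alice\Desktop\notes.txt.locked-a7Q",
    r"C:\Users\alice\Desktop\unrelated.locked",             # wrong shape: no token
    r"C:\Users\alice\Desktop\photo.png.locked-toolong",     # wrong shape: token too long
]

# Matches the reported ".locked-XXX" suffix: exactly three alphanumerics at the end of the name.
# Assumption: the token is ASCII alphanumeric and case-sensitive; the article does not say more.
LOCKED_RE = re.compile(r"\.locked-([A-Za-z0-9]{3})$")


def victim_token(path):
    """Return the three-character token if `path` carries the Unlock26-style suffix, else None."""
    m = LOCKED_RE.search(path)
    return m.group(1) if m else None


def original_name(path):
    """Strip the appended suffix to recover the pre-encryption file name (for restore planning)."""
    return LOCKED_RE.sub("", path)


def group_by_token(paths):
    """Bucket encrypted files by victim token.

    Each infected host appends its own token, so the number of keys here is a
    lower bound on the number of infected machines that touched these paths.
    """
    groups = defaultdict(list)
    for p in paths:
        tok = victim_token(p)
        if tok:
            groups[tok].append(p)
    return dict(groups)


if __name__ == "__main__":
    for tok, files in sorted(group_by_token(SAMPLE_PATHS).items()):
        print(f"token {tok}: {len(files)} encrypted file(s)")
        for f in files:
            print("   ", original_name(f))
```

The two malformed entries in the sample are deliberately left unmatched: a loose pattern such as `.locked` alone would also catch other families and renamed files, so the check insists on the exact suffix shape the researchers reported.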

A signature embedded in the links in the ransom note lets the criminals tell infected hosts apart, the researchers say. It also means victims have to click the links: typing the visible URLs into a browser by hand does not reach the payment portal, because the site checks for the signature.

The signatures were most likely included so that each victim is directed to a unique Bitcoin address on reaching the portal. The payment site itself gives no clear instructions on what victims should do, most probably because the authors assume victims already know what a ransomware infection involves.

Neither the ransom note nor the payment site states the amount to be paid. The payment site instead shows the value 6.e-002 BTC, a floating-point number printed in scientific notation rather than a formatted figure (it corresponds to 0.06 BTC). These omissions, together with an error in the builder, lead the researchers to conclude that both the ransomware and the RaaS operation are still under development and not yet ready for deployment.
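Two practical consequences follow from the points above: the indicator worth recording from the ransom note is the actual link target (with its per-victim signature), not the URL the victim sees, and the unformatted amount on the portal has to be normalised before it means anything. The example below is added for this article and is not code from Unlock26, its portal or the researchers. It assumes an HTML ransom note in which the link text shows a bare proxy URL while the href carries the signature as a query parameter; the note, the proxy hostnames and the parameter name `sig` are all constructed for illustration, since the article does not reveal the real note format.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed ransom note, NOT a real Unlock26 sample. The visible text is a bare proxy URL;
# the real href carries a per-victim signature (the parameter name "sig" is an assumption).
SAMPLE_NOTE = """
<html><body>
<p>Your files are encrypted. Open one of these links:</p>
<a href="https://proxy-one.example/abc123.onion/?sig=7f3a9c">https://proxy-one.example/abc123.onion/</a><br>
<a href="https://proxy-two.example/abc123.onion/?sig=7f3a9c">https://proxy-two.example/abc123.onion/</a><br>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from every <a> element in the note."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(note_html):
    """Return [(visible_text, href)] in document order."""
    p = LinkCollector()
    p.feed(note_html)
    return p.links


def hidden_signatures(note_html, param="sig"):
    """Return [(visible_text, href, signature)] for links whose real target differs from what is shown.

    The href is the indicator to keep; the visible text alone will not reach the portal.
    """
    out = []
    for text, href in extract_links(note_html):
        if href != text:
            query = parse_qs(urlparse(href).query)
            out.append((text, href, query.get(param, [None])[0]))
    return out


# Accepts plain decimals and the unformatted scientific notation seen on the portal ("6.e-002 BTC").
AMOUNT_RE = re.compile(r"(\d+\.?\d*(?:[eE][-+]?\d+)?)\s*BTC")


def parse_btc_amount(text):
    """Normalise an amount string such as '6.e-002 BTC' to a float in BTC, or None if absent."""
    m = AMOUNT_RE.search(text)
    return float(m.group(1)) if m else None


if __name__ == "__main__":
    for shown, real, sig in hidden_signatures(SAMPLE_NOTE):
        print(f"shown: {shown}\n real: {real}\n  sig: {sig}\n")
    print("amount:", parse_btc_amount("6.e-002 BTC"), "BTC")
```

Recording the href rather than the displayed string also preserves the victim-specific signature, which is what links a given host to the Bitcoin address the portal would have assigned it.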

Related: Satan RaaS Promises Large Gains With Zero Coding Needed

Related: Ransomware-as-a-Service Lets Anyone be a Cybercriminal

Written By

Ionut Arghire is an international correspondent for SecurityWeek.