Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

‘RedEye’ Ransomware Destroys Files, Rewrites MBR

A newly discovered piece of ransomware appears mainly created to destroy the victim’s files instead of encrypting and holding them for ransom.

A newly discovered piece of ransomware appears mainly created to destroy the victim’s files instead of encrypting and holding them for ransom.

Dubbed RedEye, the malware appears to be the creation of the developer behind the Annabelle ransomware, who also claims to have made the JigSaw ransomware that first emerged a couple of years back (Cisco says the individual might be responsible for several other families as well).

The same as Anabelle and JigSaw, RedEye’s destructive nature makes it stand out in the crowd. While the vast majority of ransomware families out there have been created with the purpose of generating revenue for their authors and operators, RedEye would gladly destroy users’ files even if there’s no financial gain in it.

The new threat, Bart Blaze discovered, has a large file size, at 35.0 MB. This is the result of several media files (images and audio files) being embedded in the binary. Among these, there are three .wav files (child.wav, redeye.wav, and suicide.wav) meant to play a creepy sound, intended to scare the victim.

The malware author also used ConfuserEx and compression, along with a few other tricks, to protect the binary. A second binary was also embedded in the file, capable of replacing the MBR (Master Boot Record).

Once it has infected a computer, the ransomware performs a series of actions to make removal a difficult process. The threat disables task manager and also hides the victim machine’s drives.

RedEye then displays a ransom note informing victims that their files have been encrypted using AES256 and that they should access an .onion website and pay 0.1 Bitcoins to a specified address. This would supposedly result in a decryption key being delivered to them.

The victim is required to pay the ransom in 4 days, and the malware claims to be able to “fully destroy” the computer after that period of time is over.

Advertisement. Scroll to continue reading.

Options available in the ransomware include the possibility to view encrypted files and decrypt them, get support, and “destroy PC.”

If the last option is selected, a GIF is displayed in the background, with an option to proceed with the operation (a “Do it” button) and another to close the image. If “Do it” is selected, the same as when the 4-day window is over, the malware reboots the machine and replaces the MBR.

Thus, when the victim powers on the system, they are greeted with a message informing them that “RedEye terminated their computer.” The malware author signed the message with the “iCoreX” handle.

Blaze also notes that, despite claiming to have securely encrypted files with AES256, RedEye appears to actually “overwrite or fill files with 0 bytes,” thus rendering them useless. The malware also appends the .RedEye extension to the affected files.

“While it appears that the RedEye ransomware has even more tricks up its sleeve than its predecessor Annabelle, the same conclusion holds true: do not pay the ransomware. As for the actual purpose of the ransomware: it may be considered a ransomware of the wiper kind, however, it appears the author likes to showcase his or her skill,” Blaze concludes.

Related: Meet MBR-ONI, Bootkit Ransomware Used as a Targeted Wiper

Related: RedBoot Ransomware Modifies Master Boot Record

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Cybercrime

Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.