It is a well-known fact that hackers can be very creative, not only when writing malicious code, but also when bestowing a name on their creation or connecting it to some sensational subject.
This time, inspired by the outbreak of the Ebola epidemic in Africa, the authors of the ransomware discussed below coded it to change filenames on the infected computer into a string containing the word “Ebola”. Let us take a deeper look at this new malware.
We first encountered the malware in a discussion on VKontakte, a very popular Russian social network. One of the participants uploaded a sample of the virus that infected his computer.
According to his description, he received the malware via an email message that contained a link. Clicking the link initiated the downloading of an .RAR archive that DOES NOT pop-up an AV alert. After unzipping the archive, all the files on the PC (extensions: PDF, DOC, DOCX, XLS, XLSX, JPG, DWG) became encrypted and their names were changed to *email@example.com. The shared folders were also encrypted and access denied. To recover the contents of the PC, the victim had to send an email to the address help[at]antivirusebola.com, and was subsequently instructed to pay 1 Bitcoin (approximately US$380) to a given address.
Further investigation on the Russian-speaking web revealed many other reports of Ebola virus infections. In most of the cases, the malicious link was sent via an email message, allegedly from the tax authorities or traffic police.
According to the Russian security company Dr.Web, the malware, now called “the Ebola Virus,” firstly appeared on August 20. The same ransomware has been distributed since August 7, albeit in a slightly different format – the file names were changed to firstname.lastname@example.org or email@example.com). All three versions are probably variants of the same malware identified by Dr.Web as Trojan.Encoder.741, and coded by a Russian nicknamed Korrektor (presumably the author of other ransomware as well). The malware is written in Delphi language, packed with an Armadillo packer and uses the algorithm AES-128 for encryption.
A closer look at the sample revealed the IP address of the C&C server – 18.104.22.168 – which belongs to a company called KODDOS, registered in Hong Kong (offering Offshore hosting and DDoS protection). The network is generated over HTTP – the infected machine sends out a unique string, probably the UID of the infected machine.
It is important to note that to date, the malware is largely unrecognized by AV vendors. (The detection rate varies for different samples on VirusTotal – the highest is 15/55.)