Barack Obama’s Blackmail Virus Ransomware Only Encrypts .EXE Files

cyber

Every once in a while you come across a really strange malware and such is the case with a new ransomware that only encrypts .EXE files on a computer. It then displays a screen with a picture of President Obama that asks for a “tip” to decrypt the files.

Barack Obama's Everlasting Blue Blackmail Virus Ransomware
Barack Obama’s Everlasting Blue Blackmail Virus Ransomware

First tweeted by MalwareHunterTeam, this ransomware has the bizarre title of “Barack Obama’s Everlasting Blue Blackmail Virus” as shown by the file properties below.

File Properties
File Properties

When executed, this ransomware will terminate various processes associated with antivirus software such as Kaspersky, McAfee, and Rising Antivirus . The commands executed to kill the processes are:

taskkill /f /im kavsvc.exe
taskkill /f /im KVXP.kxp
taskkill /f /im Rav.exe
taskkill /f /im Ravmon.exe
taskkill /f /im Mcshield.exe
taskkill /f /im VsTskMgr.exe

It will then scan the computer for .exe files and encrypt them. When encrypting files, it will target all .EXE files, even those that are located under the Windows folder. Other ransomware in the past that encrypted executables typically avoid the Windows folder so that it does not cause problems with the proper execution of the operating system.

Encrypted Executables
Encrypted Executables

As part of the encryption process, this ransomware will also modify the Registry keys associated with .exe files so that they use a new icon and run the virus every time someone launches an executable. The modified keys are listed below.

HKLM\SOFTWARE\Classes\exe
HKLM\SOFTWARE\Classes\exe\	
HKLM\SOFTWARE\Classes\exe\EditFlags	2
HKLM\SOFTWARE\Classes\exe\DefaultIcon
HKLM\SOFTWARE\Classes\exe\DefaultIcon\	C:\Users\User\codexgigas_.exe,0
HKLM\SOFTWARE\Classes\exe\Shell
HKLM\SOFTWARE\Classes\exe\Shell\Open
HKLM\SOFTWARE\Classes\exe\Shell\Open\Command
HKLM\SOFTWARE\Classes\exe\Shell\Open\Command\	"C:\Users\User\codexgigas_.exe" "%1"

The message in the ransomware interface states that users should contact the attacker at the 2200287831@qq.com for payment instructions.

Hello, your computer is encrypted by me! Yeah, that means your EXE file isn't open! Because I encrypted it.
So you can decrypt it, but you have to tip it. This is a big thing. You can email this email: 2200287831@qq.com gets more information.

It is unknown how this ransomware is distributed or if the developer will even provide a decryption key if paid.

Obama is not the only President to have had a ransomware created after him. Prior to the 2016 United Stated presidential election, the The Donald Trump Ransomware was released.

The Trump Ransomwae was a development version that had built-in decryption.

 

To read the original article:

https://www.bleepingcomputer.com/news/security/barack-obamas-blackmail-virus-ransomware-only-encrypts-exe-files/

Laisser un commentaire

Votre adresse de messagerie ne sera pas publiée. Les champs obligatoires sont indiqués avec *

Next Post

Wireshark fixed three flaws that can crash it via malicious packet trace files

The Wireshark team has addressed three serious vulnerabilities that could be exploited by a remote unauthenticated attacker to crash the analyzer. The Wireshark development team has fixed three serious flaws that could be exploited by a remote unauthenticated attacker to trigger a DoS condition in the world’s most popular network […]