MindLost ransomware does not know what Bitcoin is, so it steals credit card data

You have to admit that the MindLost ransomware makes a fairly good attempt at walking the victim through the whole process of paying a ransom to recover their data, but in some respects the cyber criminals still need to do a little work. The first analysis of the malware suggests that this is only a development version of the virus. But let me explain everything from the beginning.

Paying the ransom in Bitcoin gives the attacker a fairly high degree of anonymity. So high that tracing the owner of a BTC wallet is a very difficult task. Unlike Monero, however, Bitcoin has a flaw: the history of deposits to and withdrawals from the wallet owner's account can be traced.

A guarantee of anonymity draws cyber criminals like flypaper draws flies, and has done so for a very long time. In the large majority of cases, file encryption came with the need to install the Tor browser and visit a page on which further instructions were given. Later this idea was abandoned: the "how to" was left in a TXT/HTML file on the local drive together with the wallet number to which the money was to be transferred. The criminals left a way to contact them, usually an e-mail address, but more and more victims wanted to get in touch. Later this process was automated by binding the identification number of the infected system to a BTC wallet.

Dealing with cryptocurrencies and exchanges has caused some people considerable difficulty, so we may soon see a new attack technique associated with ransomware: ransomware that collects payment card details, as the first version of the MindLost ransomware does.

MindLost ransomware

Once MindLost has encrypted the files, it redirects the user to a web page (on the open Internet, not Tor) in order to pay the ransom. It is not known whether the sample found is only in the development or testing phase (everything points to that), but using ransomware and phishing in one attack is quite a good idea. The only thing missing is a well-crafted payment website, which should be secured with SSL. Such a trick would surely lull the vigilance of many a user.

The MindLost ransomware encrypts a very small number of file types, limited to the extensions:

.c
.jpg
.mp3
.mp4
.pdf
.png
.py
.txt

Files are searched for only in the directories:

Windows
Program Files
Program Files (x86)

Reverse-engineering the MindLost ransomware revealed to us that this filter is not yet activated, and the ransomware encrypts files only in the location "C:\Users".

Encrypted files are given the new extension ".enc", which means, for example, that a ".docx" file will, after encryption, have the form "plik.docx.enc".
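As an added example (not code from the original article or from the malware), a small Python triage helper for a file listing or a mounted image: it flags files whose name has the shape described above, an extension from MindLost's target list followed by the ".enc" suffix, and counts hits per directory so an analyst can check whether encryption stayed under "C:\Users". The ".c" entry is read from the garbled list item and is an assumption, and the sample listing is constructed.

```python
import os
from collections import Counter
from pathlib import PureWindowsPath

# Extensions the article lists as MindLost targets. The first entry is
# garbled on the page and is assumed here to be ".c".
MINDLOST_EXTENSIONS = {".c", ".jpg", ".mp3", ".mp4", ".pdf", ".png", ".py", ".txt"}
ENCRYPTED_SUFFIX = ".enc"


def classify(path):
    """'targeted' if the name looks like <name>.<listed ext>.enc,
    'enc_only' if it merely ends in .enc, otherwise None."""
    suffixes = [s.lower() for s in PureWindowsPath(path).suffixes]
    if not suffixes or suffixes[-1] != ENCRYPTED_SUFFIX:
        return None
    if len(suffixes) >= 2 and suffixes[-2] in MINDLOST_EXTENSIONS:
        return "targeted"
    return "enc_only"


def triage(paths):
    """Return the paths matching MindLost's naming pattern and a count of
    hits per parent directory (the article says only C:\\Users is hit)."""
    targeted = [p for p in paths if classify(p) == "targeted"]
    per_dir = Counter(str(PureWindowsPath(p).parent) for p in targeted)
    return targeted, per_dir


def scan_tree(root):
    """Walk a mounted image or directory and triage every file in it."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        found.extend(os.path.join(dirpath, f) for f in files)
    return triage(found)


# Constructed sample listing, not data from a real infection.
SAMPLE_LISTING = [
    r"C:\Users\alice\Pictures\holiday.JPG.enc",
    r"C:\Users\alice\Documents\notes.txt.enc",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\Documents\report.docx.enc",  # .docx is not on the list
    r"C:\Users\alice\Desktop\archive.enc",
    r"C:\Windows\System32\drivers\etc\hosts",
]

if __name__ == "__main__":
    hits, per_dir = triage(SAMPLE_LISTING)
    for p in hits:
        print("MindLost pattern:", p)
    print(dict(per_dir))
```

Note that a ".docx.enc" file is reported as "enc_only" because .docx is not in the extension list quoted above, even though the article uses it in its naming example.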

When the encryption process is complete, the MindLost ransomware sets a wallpaper fetched from the still-active URL:

hxxp://image.ibb.co/kO6xZ6/insane_uriel_by_urielstock_4.jpg

MindLost ransomware wallpaper

In addition, the MindLost ransomware embeds itself in the system registry by adding itself to the operating system's startup entries:

HKU\Administrator\Software\Microsoft\Windows\CurrentVersion\Run

In the last stage, the MindLost ransomware displays the web page "http://mindlost.azurewebsites[.]net", on which the victim is "invited" to enter credit card data to pay the ransom for decrypting the files.

MindLost ransomware ransom page

The strange thing is that MindLost does not request payment through a real online payment service. Instead, the cyber criminal substitutes a fake online payment page. As is easy to work out, the victim does not actually transfer any money to the cheater's account. So nothing really happens until the offender drains the victim's bank account using the confidential card data that was handed over.

MindLost ransomware in a development version

It is hard to believe how strange the MindLost ransomware is, even for a trial version. Not only does it not encrypt the best-known file types, nor does it do so across the entire hard drive, but the malware binary also contains strange names in its code. One of these strings points to a potential author of the virus, "Hi Daniel Ohayon", although that is still unconfirmed. In addition, the ransomware code has hard-coded authentication data for the remote database of victims!

According to researchers from MalwareHunter, all four samples available on VirusTotal are the same. So we can assume that the MindLost ransomware is still in the testing phase, but we may soon witness its full capabilities.

We urge readers to be cautious when performing credit card transactions. It is true that this is a very safe way to pay online, but the devil never sleeps. Watch out for phishing and ransomware!
