14 DAY TRIAL // Smrss32 is the latest ransomware variant to appear, spotted in the wild this week and named after the file through which it infects users, smrss32.exe.
If you have read enough about ransomware, all variants have a quirk that sets them apart. In the case of Smrss32, the feature that got everyone's attention - and got it quickly - was the fact it was using a list of 6,674 file extensions to decide what files to lock on the user's computer.
Usually, ransomware targets between 50 and 500 file types, depending on each crook's preferences.
Coded by inexperienced malware author
This huge list got the attention of @MalwareHunterTeam, who told Softpedia that the Smrss32 coder would have had it "a lot easier to whitelist what not to encrypt than using this approach."
Furthermore, the person who wrote the ransomware is obviously a lesser skilled coder. Most file extensions were duplicated in his list of targeted file types, such as ".PNG and ".png."
This is obviously a sign that the crook didn't know about case insensitive comparing, a coding technique that would have spared him a lot of time and effort in compiling the list.
But the crook is not that stupid because he took precautions not ruin Windows core files. If the directory name contains the terms AppData, Application Data, Boot, Games, Program Files, Program Files (x86), Program Data, Sample Music, Sample Pictures, System Volume Information, Temp, Windows, cache, thumbs.db, tmp, or winnt, the ransomware will not lock any files inside them.
Infection most likely occurs via unsecured RDP connections
As for the infection routine, MalwareHunterTeam and the other security researchers that analyzed the ransomware suspect that the attackers are hacking victims via unsecured RDP connections and installing the ransomware manually.
Other ransomware families that rely on this same attack vector include Bucbi, Apocalypse, and the latest Shade (Troldesh) version.
After being launched into execution, Smrss32 will use an AES symmetric encryption algorithm to lock files, appending the .encrypted extension to all affected files.
The ransomware will store its ransom note wallpaper in the C:/ProgramData/Wallpaper directory and then place a copy of the ransom note (image) in every drive root and on the user's Desktop. After finishing its encryption process, it deletes the folder it was installed from.
At least 15 people have paid the ransom so far
The ransom note is asking victims for 1 Bitcoin (~$590) to unlock their files. All victims must contact the crook via an email listed in the ransom note that is included in the ransom note.
According to the crook's Bitcoin wallet statistics, at least 15 people have been infected and paid the ransom to recover their files.
The good news is that security researcher Michael Gillespie, one of the first researchers to spot Smrss32, is already working on a decrypter.
"Among the large wall of text, it does try to call itself 'CryptoWall Software,' but it is in no way nearly as sophisticated as the real thing," Gillespie noted. "I do not recommend paying the ransom at this time."
Some researchers are even investigating the possible source of all the RDP hacks, which will most likely lead them back to the crook behind this new threat.
UPDATE [August 20, 2016]: Michael Gillespie has found a way to decrypt this ransomware. Users must upload one of their encrypted files via this forum thread, and the developer will contact each victim personally.
