Overview:

A new ransomware, named BlackShades Crypter Ransomware, was found by security researcher Jack. It encrypts the data on the victim's drives and demands a ransom of $30, payable in bitcoin or via PayPal. The ransomware targets both English- and Russian-speaking users and appends the .silent extension to every file it encrypts. Unusually, the executable contains strings with mocking messages aimed at the security researchers who might analyse it.


BlackShades Crypter Ransomware Teases Security Researchers

When examining the SilentShades ransomware (the other name this sample goes by), numerous obfuscated strings can be found in the executable that appear to taunt the security researchers analysing it. Some of those strings are simply base64 encoded, while two others use basic string manipulation that is easily reversed.

The obfuscated strings that were discovered are shown below:

[Image: obfuscated strings]

The above strings decode to: YoxcnnotcrackthisAlgorithmynare>idiot<

[Image: obfuscated Russian string]

The above one decodes to the Russian string: вы не можете взломать меня я очень жесткий
In English (Google translation): you can not hack me, I am very hard

[Image: taunting strings]

Text5 decodes to: Hacked by Russian Hackers in Moscow Tverskaya Street
Text6 decodes to: youaresofartocrackMe
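The first thing an analyst does with strings like these is pull every printable run out of the binary and try the base64-looking ones, which is what the added example below does. It is not code from the article or from the sample: the byte blob is constructed here (the two plaintexts are the taunts reported above, but their base64 encodings and the surrounding bytes are made up), and the filters that reject ordinary words such as "abcd", which are also valid base64, are the part worth studying.

```python
from __future__ import annotations
import base64
import re
import string

# Constructed stand-in for the sample's binary: junk bytes around a few embedded
# strings. The two plaintexts are the taunts the article reports; the base64
# encodings and the surrounding bytes are made up for this example.
TAUNT_EN = "YoxcnnotcrackthisAlgorithmynare>idiot<"
TAUNT_RU = "вы не можете взломать меня я очень жесткий"
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00"
    + base64.b64encode(TAUNT_EN.encode("utf-8")) + b"\x00\x00"
    + b"http://icanhazip.com\x00"
    + base64.b64encode(TAUNT_RU.encode("utf-8")) + b"\xff\xfe"
    + b"Youtube\x00.silent\x00abcd\x00"
)

# Printable ASCII minus the whitespace control characters, as `strings` treats it.
_PRINTABLE = set(string.printable.encode("ascii")) - set(b"\t\n\r\x0b\x0c")
_B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def extract_strings(blob: bytes, min_len: int = 4) -> list[bytes]:
    """Return every run of printable ASCII of at least min_len bytes (like `strings`)."""
    runs, current = [], bytearray()
    for byte in blob + b"\x00":            # sentinel flushes the final run
        if byte in _PRINTABLE:
            current.append(byte)
            continue
        if len(current) >= min_len:
            runs.append(bytes(current))
        current = bytearray()
    return runs


def try_base64(candidate: bytes) -> str | None:
    """Return the plaintext if candidate is well-formed base64 decoding to printable UTF-8.

    Short plain words such as 'main' or 'abcd' are valid base64 too, so the UTF-8 and
    printability checks are what keep ordinary strings from being reported as hits.
    """
    if len(candidate) % 4 or not _B64_RE.match(candidate):
        return None
    try:
        text = base64.b64decode(candidate, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if not text or not all(ch.isprintable() for ch in text):
        return None
    return text


def decode_strings(blob: bytes) -> dict[bytes, str]:
    """Map every extracted string that decodes as base64 to its plaintext."""
    hits = {}
    for s in extract_strings(blob):
        text = try_base64(s)
        if text is not None:
            hits[s] = text
    return hits


if __name__ == "__main__":
    for encoded, plain in decode_strings(SAMPLE_BLOB).items():
        print(f"{encoded.decode('ascii')}  ->  {plain}")
```

Treat hits as leads rather than proof: a 4- or 8-character English word that happens to decode to printable UTF-8 will also be reported, and strings protected by the "basic string manipulation" the article mentions will not be, since that scheme is specific to the sample and has to be reversed by hand.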

Source: http://www.bleepingcomputer.com/news/security/black-shades-ransomware-encrypts-your-pc-and-taunts-security-researchers/

Encryption Procedure Of BlackShades Crypter Ransomware

It is not currently known how BlackShades Crypter Ransomware, or SilentShades, is being distributed. However, going by the string YouTube contained in the executable, researchers believe it may be spread via fake videos, malicious links, spam email attachments and fake patches.

Once executed, BlackShades Crypter Ransomware deletes the Shadow Volume Copies on the PC, so that files cannot be restored from them, using the command shown below:

[Image: shadow copy deletion command]

It then obtains the victim's public IP address by visiting http://icanhazip.com, and connects to Google.com to check whether an Internet connection is available. If it cannot reach icanhazip.com it crashes and shows the error below. This means that mapping icanhazip.com to 127.0.0.1 in the hosts file stops BlackShades Crypter Ransomware from encrypting the data on the system.

[Image: error shown when the ransomware cannot connect to icanhazip.com]

Image Credits: Bleeping Computer
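The hosts-file change described above, written out as an added example (not code from the article): the function edits whatever hosts file path it is given, so it can be tried on the constructed scratch copy that `make_scratch_hosts()` creates before being pointed at the real one, which on Windows is %SystemRoot%\System32\drivers\etc\hosts and needs an elevated prompt. The edge cases it handles are the ones that trip up a naive append: an entry that is already present, an entry that is present but commented out, and a file with no trailing newline. Bear in mind that this only defeats the sample as analysed; a build that looks up its IP elsewhere is unaffected.

```python
from __future__ import annotations
import tempfile
from pathlib import Path

SINKHOLE_HOST = "icanhazip.com"   # the site this sample must reach before it encrypts
SINKHOLE_IP = "127.0.0.1"


def has_active_entry(hosts_text: str, hostname: str) -> bool:
    """True if an uncommented hosts line already maps hostname (host names are case-insensitive)."""
    for line in hosts_text.splitlines():
        body = line.split("#", 1)[0]          # drops comments, including commented-out entries
        fields = body.split()
        if len(fields) >= 2 and any(f.lower() == hostname.lower() for f in fields[1:]):
            return True
    return False


def sinkhole(hosts_path: Path, hostname: str = SINKHOLE_HOST, ip: str = SINKHOLE_IP) -> bool:
    """Map hostname to ip in the given hosts file. Returns True if the file was changed.

    Keeps a .bak copy before writing and is idempotent: a second call is a no-op.
    """
    text = hosts_path.read_text(encoding="utf-8") if hosts_path.exists() else ""
    if has_active_entry(text, hostname):
        return False
    hosts_path.with_name(hosts_path.name + ".bak").write_text(text, encoding="utf-8")
    separator = "" if text == "" or text.endswith("\n") else "\n"
    hosts_path.write_text(
        f"{text}{separator}{ip}\t{hostname}\t# sinkhole: BlackShades/SilentShades kill-switch\n",
        encoding="utf-8",
    )
    return True


def make_scratch_hosts() -> Path:
    """Constructed hosts file for trying the function without touching the real one."""
    path = Path(tempfile.mkdtemp(prefix="hosts_demo_")) / "hosts"
    path.write_text(
        "# constructed example hosts file\n"
        "127.0.0.1\tlocalhost\n"
        "#127.0.0.1\ticanhazip.com\n"          # commented out, so not active
        "10.0.0.5\tfileserver.corp.example",    # no trailing newline on purpose
        encoding="utf-8",
    )
    return path


if __name__ == "__main__":
    demo = make_scratch_hosts()
    print("changed:", sinkhole(demo))          # True: entry appended
    print("changed again:", sinkhole(demo))    # False: already active
    print(demo.read_text(encoding="utf-8"))
```

After editing the real file on Windows, run `ipconfig /flushdns` so a cached answer for icanhazip.com does not outlive the change.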

The malware then creates a unique ID for the victim's computer and tests whether it can connect to Google. If it can, it uploads that ID to the Command and Control server together with the system name, the execution time, the username, the keys, the number 0 as a placeholder for the number of files encrypted, and an attribution string. The attribution string is currently set to Youtube.

Once SilentShades starts encrypting the compromised PC, it encrypts only specific folders on the C: drive, using AES-256, and drops a file named YourID.txt, containing the unique victim ID, in each of those folders. When it encrypts the Desktop it also drops a file named Ваш идентификатор (Russian for "Your ID"), which likewise contains the victim ID.

[Image: dropped file with the Russian name]

On the remaining drives, BlackShades Crypter Ransomware encrypts every folder and file it scans. While encrypting files it appends the .silent extension to them; for example, image.jpg becomes image.jpg.silent. The list of file types that SilentShades encrypts is shown below.

[Image: list of file types encrypted by BlackShades Crypter Ransomware]

After finishing encryption, BlackShades Crypter Ransomware writes the Hacked_Read_me_to_decrypt_files.Html ransom note to the Windows Desktop and also copies it into the Startup folder, so that the note is displayed each time the user logs in.
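The on-disk traces described in the last few paragraphs (the .silent suffix, the YourID.txt and Ваш идентификатор ID files, and the ransom note on the Desktop and in the Startup folder) are what an incident responder looks for first. The added example below, which is not code from the article or from the sample, walks a directory tree and reports them; `make_sample_tree()` builds a constructed victim tree with a made-up ID value so the script runs offline. The original file names are recovered by stripping .silent, which works because the article states the sample only appends the extension.

```python
from __future__ import annotations
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".silent"
ID_FILES = {"yourid.txt", "ваш идентификатор"}          # per-folder ID file and its Desktop twin
RANSOM_NOTE = "hacked_read_me_to_decrypt_files.html"


def triage(root: Path) -> dict:
    """Walk root and collect the indicators the article describes for this sample."""
    found = {"encrypted": [], "id_files": [], "notes": [], "victim_ids": set()}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        lname = path.name.lower()            # the sample's note uses a mixed-case .Html suffix
        if lname.endswith(ENCRYPTED_EXT):
            found["encrypted"].append(path)
        elif lname in ID_FILES:
            found["id_files"].append(path)
            found["victim_ids"].add(path.read_text(encoding="utf-8").strip())
        elif lname == RANSOM_NOTE:
            found["notes"].append(path)
    return found


def summarize(found: dict) -> dict:
    """Counts, the victim ID(s) seen and the original names (the sample only appends .silent)."""
    return {
        "encrypted_files": len(found["encrypted"]),
        "affected_folders": len({p.parent for p in found["encrypted"]}),
        "id_files": len(found["id_files"]),
        "ransom_notes": len(found["notes"]),
        "notes_in_startup": sum(1 for p in found["notes"] if p.parent.name.lower() == "startup"),
        "victim_ids": sorted(found["victim_ids"]),
        "original_names": sorted(p.name[: -len(ENCRYPTED_EXT)] for p in found["encrypted"]),
    }


def make_sample_tree() -> Path:
    """Constructed victim tree for the example; file contents and the ID value are made up."""
    root = Path(tempfile.mkdtemp(prefix="silentshades_"))
    layout = {
        "Users/victim/Desktop/photo.jpg.silent": "ciphertext",
        "Users/victim/Desktop/YourID.txt": "EXAMPLE-ID-0001\n",
        "Users/victim/Desktop/Ваш идентификатор": "EXAMPLE-ID-0001\n",
        "Users/victim/Desktop/Hacked_Read_me_to_decrypt_files.Html": "<html>pay</html>",
        "Users/victim/Documents/report.docx.silent": "ciphertext",
        "Users/victim/Documents/YourID.txt": "EXAMPLE-ID-0001\n",
        "Users/victim/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/"
        "Hacked_Read_me_to_decrypt_files.Html": "<html>pay</html>",
        "Windows/System32/drivers/etc/hosts": "127.0.0.1 localhost\n",   # untouched file
    }
    for rel, content in layout.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")
    return root


if __name__ == "__main__":
    for key, value in summarize(triage(make_sample_tree())).items():
        print(f"{key}: {value}")
```

Run it against a mounted image of the victim's drives rather than the live system, and keep the list of original names: together with the per-folder ID files it tells you which directories were touched before the sample deleted itself.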

Do not give in to credulity, haste or distraction, because you will regret the latter. If you pay, you put your private and confidential data, such as banking credentials, passwords, email accounts and other devices, at risk of being accessed by strangers. Do you think that will end well for you? Hardly. So do not pay! It should be noted that there is no effective way to remove BlackShades Crypter Ransomware by using a major third-party tool.

The ransom note includes instructions on how to reach the associated payment website, which is illustrated below.

[Image: HTML ransom note dropped by BlackShades Crypter Ransomware]

Image Credits: Bleeping Computer

Once the whole process is complete, BlackShades Crypter Ransomware attempts to delete itself, leaving only the ransom note on the PC.

The BlackShades Crypter Ransomware Website

The SilentShades ransom note includes a link to the payment site where the victim can pay the ransom. This website is named Black Shades File Decrypter and gives the victim the option of paying in bitcoin or via PayPal.

[Image: BlackShades Crypter Ransomware payment website]

Image Credits: Bleeping Computer

Files associated with the SilentShades ransomware:

[Image: list of files associated with the SilentShades ransomware]

Registry entries associated with BlackShades Crypter Ransomware:

[Image: registry entries created by BlackShades Crypter Ransomware]

Reference: https://threatpost.com/blackshades-ransomware-targets-us-russians-teases-researchers/118473/
