New Android Ransomware that Encrypts SD Card Files
Cybercriminals have been targeting computers with ransomware for years, and attackers have recently stepped up the volume of these campaigns. Recent ransomware campaigns encrypt a user's computer along with their documents and hold it to ransom for a large sum of money. The computer remains encrypted and held to ransom until the fee is paid or the user removes the malware.
Ransomware developers have even begun to shift their operations toward mobile devices, in particular Android. Just last month, researchers uncovered a police ransomware scam that locked Android devices; fortunately, when the ransom was paid the user was given the key to unlock the phone. A loophole was also found in that malware: because it only locked the screen, users were still able to recover the data stored on the device and its SD card.
To close that simple bypass, ransomware developers have adopted encryption and begun implementing it. Recently, security firm ESET identified a piece of malware it has named Android/Simplocker.A, noting that it encrypts the files on the device's SD card and demands that the victim pay a ransom to decrypt them.
Once installed, the malware scans the phone's SD card for file types with common image, document, and video extensions – jpeg, jpg, png, bmp, gif, pdf, doc, docx, txt, avi, mkv, 3gp, and mp4 – and encrypts them using AES in a separate background thread. After the files are encrypted, the user is shown the following message, written in Russian, which suggests the malware is probably targeting Russian Android users.
“WARNING your phone is locked!
The device is locked for viewing and distributing child pornography, zoophilia and other perversions.
To unlock you need to pay 260 UAH.
1.) Locate the nearest payment kiosk.
2.) Select MoneXy
3.) Enter {REDACTED}.
4.) Make deposit of 260 Hryvnia, and then press pay. Do not forget to take a receipt!
After payment your device will be unlocked within 24 hours. In case of no PAYMENT YOU WILL LOSE ALL DATA ON your device!”
The ransomware forces the victim to pay a ransom of 260 UAH, roughly equivalent to $21. The malware requires payment through the MoneXy service, as that payment is not as easily traceable as an ordinary credit card transaction.
To remain anonymous, the author uses a Command-and-Control (C&C) server hosted on a Tor .onion domain; the malware also sends information about the infected device, such as its IMEI number, to that server. Researchers at ESET are still analyzing the malware. In a post, the company wrote:
Our analysis of the Android/Simplock.A sample revealed that we are most likely dealing with a proof-of-concept or a work in progress – for example, the implementation of the encryption doesn’t come close to ‘the infamous Cryptolocker’ on Windows.
ESET's security researchers found that the malware is capable of encrypting the victim's files, which could lead to files and data being lost if the decryption key is not obtained by paying the ransom. The researchers strongly advise against paying, as there is no guarantee the attacker will provide a decryption key once the ransom is paid.
Mobile antivirus products are only capable of detecting known threats and lack the capability to detect new and emerging ones. It is always important to keep a backup of all phone data and important documents. Services such as Dropbox, Google Drive, and SpiderOak can be used for automated backups, keeping files accessible in the cloud.
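As an added, defensive illustration (not code from the article or from ESET): a triage script that walks a copy of an SD card, looks only at the extensions the malware is reported to target, and flags files whose expected header is gone or whose content is near-random, the two traces that in-place AES encryption leaves behind. The file names, the sample directory layout and the 7.5-bit entropy threshold are my own constructed choices.

```python
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# Extensions the article reports Android/Simplocker.A looks for on the SD card.
TARGET_EXTENSIONS = {"jpeg", "jpg", "png", "bmp", "gif", "pdf", "doc", "docx",
                     "txt", "avi", "mkv", "3gp", "mp4"}
# (offset, signature) for formats with a fixed header; in-place encryption destroys it.
MAGIC = {
    "jpeg": [(0, b"\xff\xd8\xff")], "jpg": [(0, b"\xff\xd8\xff")],
    "png": [(0, b"\x89PNG\r\n\x1a\n")], "gif": [(0, b"GIF87a"), (0, b"GIF89a")],
    "bmp": [(0, b"BM")], "pdf": [(0, b"%PDF")], "doc": [(0, b"\xd0\xcf\x11\xe0")],
    "docx": [(0, b"PK\x03\x04")], "avi": [(0, b"RIFF")],
    "mkv": [(0, b"\x1a\x45\xdf\xa3")], "mp4": [(4, b"ftyp")], "3gp": [(4, b"ftyp")],
}

def shannon_entropy(data: bytes) -> float:  # bits per byte; AES output sits near 8.0
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_file(path: Path, sample: int = 4096, threshold: float = 7.5):
    """None for untargeted types, otherwise 'ok' or a 'suspect: ...' verdict."""
    ext = path.suffix.lower().lstrip(".")
    if ext not in TARGET_EXTENSIONS:
        return None
    head = path.read_bytes()[:sample]
    if ext in MAGIC:  # header check decides; image/video bodies are high entropy anyway
        ok = any(head[off:off + len(sig)] == sig for off, sig in MAGIC[ext])
        return "ok" if ok else "suspect: header mismatch"
    # No fixed header (txt): fall back to the entropy heuristic.
    return "suspect: high entropy" if shannon_entropy(head) > threshold else "ok"

def triage_sd_card(root: Path) -> dict:
    return {p.relative_to(root).as_posix(): v for p in sorted(root.rglob("*"))
            if p.is_file() and (v := classify_file(p)) is not None}

def demo() -> dict:
    """Constructed SD-card layout: intact files beside stand-ins for encrypted ones."""
    root = Path(tempfile.mkdtemp())
    (root / "DCIM").mkdir()
    junk = random.Random(7).randbytes(4096)  # deterministic stand-in for ciphertext
    (root / "DCIM" / "intact.png").write_bytes(b"\x89PNG\r\n\x1a\n" + junk)
    (root / "DCIM" / "photo.jpg").write_bytes(junk)
    (root / "notes.txt").write_text("shopping list: milk, bread, eggs\n" * 100)
    (root / "diary.txt").write_bytes(junk)
    return triage_sd_card(root)
```

Run `triage_sd_card` against a mounted image of the card rather than the live device so the check never touches the original; a clean header on an image or video is trusted because their bodies are compressed and would trip the entropy test on their own.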