Hitachi

Hitachi Incident Response Team

HIRT-PUB17004: Ransomware - Virtual experience demonstration (3) -

Last Update: October 10, 2017

Ransomware is a generic term for malicious programs that lock the targeted PC and/or hold its files hostage. While the term "ransomware" may be familiar to many people, how these programs actually attack the targeted PC is not widely understood. HIRT-PUB17004 covers a ransomware incident that came to attention in late 2016.

1. Diffusion of Ransomware

In late 2016, an incident was reported in which an email warned the recipient of a malware infection and prompted them to download a virus removal tool. The downloaded file carried a plausible name such as "malware (VAWTRAK) removal_tool.zip" or "VIRUS REMOVAL TOOL.zip". The file was in fact ransomware.

1.1 MISCHA

MISCHA is ransomware that was discovered in May 2016. In late October 2016, MISCHA was distributed via emails with titles such as "[Important] Joint project with Ministry of Internal Affairs and Communications: A warning to users of computers infected by malware related to internet banking, and information regarding the distribution of removal tools".

1.2 STAMPADO

STAMPADO is ransomware that was discovered in July 2016. In early November 2016, STAMPADO was distributed via emails with titles such as "[Important] Joint project with Ministry of Internal Affairs and Communications: A warning to users of computers infected with computer viruses, and information regarding the distribution of removal tools".

2. Virtual Experience Demonstrations

Virtual experience demonstrations are Adobe Flash movies with buttons to start, pause, or restart the demonstration. They show the ransomware process step by step without, of course, triggering any infection.

2.1 MISCHA

This virtual experience demonstration shows a scenario in which you extract and run a removal tool from the Malware(VAWTRAK)Removal Tool.zip file downloaded from the site specified in the received email. MISCHA starts and displays a dialog box asking you to allow changes to be made to the computer. If you enter the administrator password and select Yes (allow changes), MISCHA begins to encrypt the hard disk, leaving the OS unusable. If you do not allow changes, MISCHA instead encrypts files one by one and delivers a ransom note.

2.2 STAMPADO

This virtual experience demonstration shows a scenario in which you extract and run a removal tool from the VIRUS REMOVAL TOOL.zip file downloaded from the site specified in the received email. STAMPADO starts, encrypts files, and then displays a warning dialog box. The dialog box states that there is a time limit of 4 days (96 hours) to recover the encrypted files and that one file will be deleted every 6 hours until then. When the time limit expires, the warning dialog box disappears and the encrypted files can no longer be recovered.


Virtual experience demonstrations are part of the Ministry of Internal Affairs and Communications demonstration project that strives to provide analysis of cyber attacks, defense models, and practical training.

3. References


3.1 Malware sample

MISCHA
SHA256: 1b5c6395c313ce4f5e0c204c97cb2b8e38549174f48fc456fe88300fcba76f12
MD5: deabf1507ac66ef7a5588cfe56248888

STAMPADO
SHA256: 633f8ce9e635fcb82d1fdd9f225c832607d0b68fbdb5fc1bf3f11b05c7499be8
MD5: 0cb4b46085e6ec2ef5194f99021d3af7
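The lure in this incident arrived as a zip archive named like a removal tool, so a responder who receives such an attachment can check it against the sample hashes above without extracting or running anything. The following is an added example, not part of the original HIRT page: it hashes the archive and each of its members in memory and reports any match with the published MISCHA or STAMPADO hashes. The demo archive it builds is constructed and contains only a harmless placeholder.

```python
import hashlib
import io
import zipfile

# Sample hashes published in section 3.1 of HIRT-PUB17004, keyed by family.
KNOWN_SAMPLES = {
    "MISCHA": ("1b5c6395c313ce4f5e0c204c97cb2b8e38549174f48fc456fe88300fcba76f12",
               "deabf1507ac66ef7a5588cfe56248888"),
    "STAMPADO": ("633f8ce9e635fcb82d1fdd9f225c832607d0b68fbdb5fc1bf3f11b05c7499be8",
                 "0cb4b46085e6ec2ef5194f99021d3af7"),
}
# Reverse index: lowercase hex digest (SHA256 or MD5) -> family name.
_INDEX = {h: fam for fam, hashes in KNOWN_SAMPLES.items() for h in hashes}

def digests(data: bytes) -> tuple:
    """SHA256 and MD5 hex digests of a byte string, in that order."""
    return (hashlib.sha256(data).hexdigest(), hashlib.md5(data).hexdigest())

def match_family(data: bytes):
    """Family name if either digest is a published sample hash, else None."""
    for h in digests(data):
        if h in _INDEX:
            return _INDEX[h]
    return None

def scan_zip(zip_bytes: bytes) -> dict:
    """Hash the archive itself and every member in memory (nothing is written
    to disk or executed); map each matching name to the family it belongs to."""
    findings = {}
    fam = match_family(zip_bytes)
    if fam:
        findings["<archive>"] = fam
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            fam = match_family(zf.read(info))
            if fam:
                findings[info.filename] = fam
    return findings

def build_demo_zip() -> bytes:
    """Constructed archive mimicking the lure's layout. Its only member is a
    harmless text placeholder, so scan_zip() must report nothing for it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("VIRUS REMOVAL TOOL.exe", b"constructed placeholder, not malware")
    return buf.getvalue()
```

Point `scan_zip()` at the raw bytes of a quarantined attachment; a non-empty result means a member (or the archive) matches one of the two published samples, while an empty result only says these specific hashes are absent, not that the file is safe.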


3.2 Related Information

4. Update history

October 10, 2017
  • Add malware sample information to References.
April 24, 2017
  • This webpage was created and published.

Masato Terada (HIRT), Naoko Asai (HIRT) and Naoko Ohnishi (HIRT)