Hitachi Global

HIRT-PUB17004: Ransomware - Virtual experience demonstration (3) -

Last Update: October 10, 2017

    Ransomware is a generic term for malicious programs that lock the targeted PC and/or hold its files hostage. Although the word "ransomware" may be familiar to many people, how these programs actually attack a PC is not widely understood. HIRT-PUB17004 covers a ransomware incident that came to attention in late 2016.

    1. Diffusion of Ransomware

    In late 2016, an incident was reported in which an email warned the recipient of a malware infection and urged them to download a virus removal tool. The downloaded file carried a plausible name such as "malware (VAWTRAK) removal_tool.zip" or "VIRUS REMOVAL TOOL.zip", but it was in fact ransomware.

    Trend Micro
    Ransomware Diffusion in Japanese Email, Coercively Titled "Warning to users infected with malware" [Japanese] (November 10, 2016)
    http://blog.trendmicro.co.jp/archives/14009

    Trend Micro
    Analysis of Numerous Cases of Coercively-Disguised Japanese Emails and Ransomware Diffusion since October 2016 [Japanese] (November 21, 2016)
    http://blog.trendmicro.co.jp/archives/14066

    1.1 MISCHA

    MISCHA is a ransomware family that was discovered in May 2016. In late October 2016, MISCHA was distributed via emails with titles such as "[Important] Joint project with Ministry of Internal Affairs and Communications: A warning to users of computers infected by malware related to internet banking, and information regarding the distribution of removal tools".

    Ministry of Internal Affairs and Communications
    Please be careful of malicious emails related to warnings of malware infections and the distribution of removal tools. [Japanese] (October 31, 2016)
    http://www.soumu.go.jp/menu_kyotsuu/important/kinkyu02_000251.html

    Trend Micro
    RANSOM_MISCHA.E
    http://about-threats.trendmicro.com/malware.aspx?language=en&name=RANSOM_MISCHA.E

    1.2 STAMPADO

    STAMPADO is a ransomware family that was discovered in July 2016. In early November 2016, STAMPADO was distributed via emails with titles such as "[Important] Joint project with Ministry of Internal Affairs and Communications: A warning to users of computers infected with computer viruses, and information regarding the distribution of removal tools".

    Ministry of Internal Affairs and Communications
    Please be careful of emails related to warnings of computer virus infections and the distribution of removal tools. [Japanese] (November 14, 2016)
    http://www.soumu.go.jp/menu_kyotsuu/important/kinkyu02_000252.html

    Trend Micro
    RANSOM_STAMPADO.A
    http://about-threats.trendmicro.com/malware.aspx?language=jp&name=RANSOM_STAMPADO.A

    2. Virtual Experience Demonstrations

    The virtual experience demonstrations are animated GIFs (converted from Adobe Flash movies) with buttons to start, pause, or restart the demonstration. They show how the ransomware proceeds without, of course, causing any actual infection.

    2.1 MISCHA

    This virtual experience demonstration shows a scenario in which you extract and then run a removal tool from the Malware(VAWTRAK)Removal Tool.zip file downloaded from the site specified in the received email. MISCHA starts and displays a dialog box asking you to allow changes to be made to the computer. If you enter the administrator password and select Yes (allow changes), MISCHA begins to encrypt the hard disk, leaving the OS disabled. If you do not allow changes, MISCHA instead encrypts files one by one and delivers a ransom note.

    HIRT-PUB17004: Virtual experience demonstration: Ransomware MISCHA

    2.2 STAMPADO

    This virtual experience demonstration shows a scenario in which you extract and then run a removal tool from the VIRUS REMOVAL TOOL.zip file downloaded from the site specified in the received email. STAMPADO starts, encrypts files, and then displays a warning dialog box. The dialog box tells the user that there is a time limit of 4 days (96 hours) to recover the encrypted files, and that one file will be deleted every 6 hours until then. When the time limit expires, the warning dialog box disappears and the encrypted files can no longer be recovered.

    HIRT-PUB17004: Virtual experience demonstration: Ransomware STAMPADO

    Virtual experience demonstrations are part of the Ministry of Internal Affairs and Communications demonstration project that strives to provide analysis of cyber attacks, defense models, and practical training.

    3. References

    3.1 Malware sample

    MISCHA
    SHA256: 1b5c6395c313ce4f5e0c204c97cb2b8e38549174f48fc456fe88300fcba76f12
    MD5: deabf1507ac66ef7a5588cfe56248888

    STAMPADO
    SHA256: 633f8ce9e635fcb82d1fdd9f225c832607d0b68fbdb5fc1bf3f11b05c7499be8
    MD5: 0cb4b46085e6ec2ef5194f99021d3af7
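    As a defender-side check added here (it is not part of the HIRT advisory), the script below hashes every member of a downloaded archive such as the "VIRUS REMOVAL TOOL.zip" lure described in sections 1 and 2 in memory, without extracting anything to disk, and compares the SHA256 and MD5 digests against the sample hashes listed in 3.1. The archive it builds for the demonstration is constructed and contains only placeholder text, not a real sample.

```python
import hashlib
import io
import zipfile

# Sample hashes published in section 3.1 of HIRT-PUB17004 (SHA256 and MD5, lowercase hex).
KNOWN_SAMPLES = {
    "1b5c6395c313ce4f5e0c204c97cb2b8e38549174f48fc456fe88300fcba76f12": "MISCHA",
    "deabf1507ac66ef7a5588cfe56248888": "MISCHA",
    "633f8ce9e635fcb82d1fdd9f225c832607d0b68fbdb5fc1bf3f11b05c7499be8": "STAMPADO",
    "0cb4b46085e6ec2ef5194f99021d3af7": "STAMPADO",
}
MAX_MEMBER_BYTES = 64 * 1024 * 1024  # skip oversized members rather than inflating them

def hash_stream(fileobj, chunk_size=1 << 16):
    """Return (sha256, md5) hex digests of a file-like object, read in chunks."""
    sha256, md5 = hashlib.sha256(), hashlib.md5()
    while chunk := fileobj.read(chunk_size):
        sha256.update(chunk)
        md5.update(chunk)
    return sha256.hexdigest(), md5.hexdigest()

def scan_zip(zip_bytes, known=KNOWN_SAMPLES):
    """Hash each archive member in memory and return (name, sha256, md5, family) tuples;
    family is the matching entry from `known`, None for no match, or a skip marker."""
    results = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                results.append((info.filename, None, None, "SKIPPED_TOO_LARGE"))
                continue
            with archive.open(info) as member:  # streamed, never written to disk
                sha256, md5 = hash_stream(member)
            results.append((info.filename, sha256, md5, known.get(sha256) or known.get(md5)))
    return results

def build_zip(members):
    """Constructed helper for the demo: build an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, data in members.items():
            archive.writestr(name, data)
    return buf.getvalue()

if __name__ == "__main__":
    lure = build_zip({"VIRUS REMOVAL TOOL.exe": b"constructed placeholder, not a sample"})
    for name, sha256, _md5, family in scan_zip(lure):
        print(f"{name}: sha256={sha256} -> {family or 'no match'}")
```

    For a real download, pass the archive's bytes to scan_zip (for example, the result of reading the file in binary mode) and treat any non-None family as a reason to delete the file and report the email.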

    3.2 Related Information

      Virtual Experience Demonstration (1): HIRT-PUB09002: A Malicious Email Containing a Call for Papers (CFP) of CSS2008
      https://www.hitachi.com/ja-jp/hirt/publications/hirt-pub09002/

      Virtual Experience Demonstration (2): HIRT-PUB09003: The Auto-Play and Auto-Run Features of USB Memory Devices
      https://www.hitachi.com/ja-jp/hirt/publications/hirt-pub09003/

      HIRT-PUB16001: Ransomware
      https://www.hitachi.com/en/hirt/publications/hirt-pub16001/

    4. Update history

    October 23, 2020

    • Converted the demonstrations from Adobe Flash movies to animated GIFs.

    October 10, 2017

    • Added malware sample information to References.

    April 24, 2017

    • This webpage was created and published.

    Masato Terada (HIRT), Naoko Asai (HIRT) and Naoko Ohnishi (HIRT)