In this blog post, we’ll analyse Spartacus, one of many new ransomware families popping up in 2018.
This instance of Spartacus ransomware has the following properties:
Compilation timestamp: 2018-01-19 20:36:44
|Figure 1 - Spartacus ransomware message|
The message reads:
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us the e-mail:
[email protected] and send personal ID KEY:
In case of no answer in 24 hours us to theese e-mail: [email protected]
The victim may send up to 5 files for free decryption, as “guarantee”. There’s also a warning message at the end of the ransomware screen:
Do not rename encrypted files.
Do not try decrypt your data using party software, it may cause permanent data loss.
Decryption of your files with the help of thrid parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Spartacus will encrypt files, regardless of extension, in the following folders:
|Figure 2 - Target folders to encrypt|
Generating the key:
|Figure 3 - KeyGenerator|
As far as I’m aware, Spartacus is the first ransomware who explicitly asks you to send the public key (ID KEY), rather than just sending an email, including the Bitcoin address straight away, or sending the key automatically.
Encrypted files will get the extension appended as follows:
It will also drop the ransomware note, “READ ME.txt” in several locations, such as the user’s Desktop:
All your data has been locked us. You want to return? Write email [email protected] or [email protected] Your personal ID KEY: DvQ9/mvfT3I7U847uKcI0QU3QLd+huv5NOYT2YhfiySde0vhmkzyTtRPlcu73BAJILIPdALjAIy5NLxBHckfyV2XS+GXdjlHMx2V/VEfj4BrZkLB3BQtEdAqS1d2yzb/2+AqTNjsRfZ99ZWVxUZO3AeEZk5h0+3hNM5GogUN2oV5zHkbMZuDaXZxQr56r8UKnW7gmSycdcJh2ueZMuEP1tAuuzdZYgmZ05x9ZT8FX9HIo03rwsi6UiJlgUTZCkiilZjxYyG+qVE+Gjk4H7dnXbQP1PC3k2WICA9R4TYb9SCdv8U/e5sxbuKAbJgEZ114liwHLasmLvQfKYSbxMlbEg==
Interestingly enough, Spartacus also embeds what appears to be a hardcoded and private RSA key:
Spartacus will delete Shadow Volume Copies by issuing the following command:
cmd.exe /c vssadmin.exe delete shadows /all /quiet
A unique mutex of “Test” will be created in order to not run the ransomware twice.
Decryption may be possible if the ransomware is left running, by extracting the key from memory.
Spartacus is again another ransomware family or variant popping up.
|Figure 4 - Meme|
Make sure to read the dedicated page on ransomware prevention to prevent Spartacus or any other ransomware.