Vietnamese ransomware wants you to add credit to a mobile phone

Malware Analysis
1


In this quick blog post we’ll have a look at BKRansomware, a Vietnamese ransomware that wants you to top up its phone.


Analysis

This ransomware is named “BKRansomware” based on the file name and debug path. Properties:


BKRansomware will run via command line and displays the following screen:

Figure 1 - Ransom message

The ransomware message is very brief, and displays:

send 50k viettel to 0963210438 to restore your data

Viettel is a form of credit for mobile phones, used in Vietnam and neighboring countries. It is part of “Viettel Group” (Tập đoàn Công nghiệp Viễn thông Quân đội in Vietnamese), a mobile network operator in Vietnam. (Wiki link). 

As such, it appears the creators are in desperate need of more credit so they can make calls again :slight_smile:


It only encrypts a small amount of extensions:


Figure 2 - extensions to encrypt

The list is as follows:

.txt, .cpp, .docx, .bmp, .doc, .pdf, .jpg, .pptx, .png, .c, .py, .sql

Encrypted files will have the .hainhc extension appended. Fun note: files aren’t actually encrypted, but encoded with ROT23. For example, if you have a text file which says “password”, the new content or file will now have “mxpptloa” instead.

Noteworthy is the debug path: 

C:\Users\Gaara\Documents\Visual Studio 2013\Projects<b>BKRansomware-20180503T093651Z-001\BKRansomware\Release\BKRansomware.pdb

It appears "BKRansomware"was written in Visual Studio 2013 C++.


Conclusion

While BKRansomware is not exactly very sophisticated, it is able to encrypt (or rather encode) files, and is unique in the sense that it asks you to top up a mobile phone.

Follow the prevention tips here to stay safe.



IOCs


Article Link: Blaze's Security Blog: Vietnamese ransomware wants you to add credit to a mobile phone