RedEye Ransomware: A Nasty New Strain of Threat

Ransomware surely doesn’t need any introduction, as it is the most devious type of malware that can infect your system. To date, the most notorious of them all was WannaCry, which left no stone unturned in ruining the lives of thousands of victims. But it seems WannaCry is soon going to be overshadowed by the latest strain of ransomware that is gaining attention, dubbed RedEye.

RedEye, the new strain of malware, is designed by the developer of the Annabelle and Jigsaw viruses and stands out among other threats, as it ruins the victim’s PC if the ransom is not paid.

What is RedEye Ransomware?

RedEye is a high-risk ransomware-type virus that differs from others in that it destroys user data and the PC if the ransom is not paid within the given time frame. The ransomware apparently encrypts data using the AES-256 encryption algorithm and adds the extension “.RedEye” to the file name.

This ransomware not only encrypts data, it also completely wipes it, making the data useless and impossible to restore.

How does it work?

Just like Annabelle, it performs various actions on the machine that make the ransomware difficult to uninstall. Besides encrypting data, it overwrites or fills files with 0 bytes, making them unusable. It also changes the desktop wallpaper and displays a note demanding ransom. In addition, it disables Task Manager and hides system drivers.
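The two kinds of file damage described above can be told apart during recovery triage. The following is an added example, not code from the original article or from the malware: it walks a folder and lists files carrying the “.RedEye” extension separately from files that are entirely 0 bytes. The sample files are constructed, and the function names are chosen for this example.

```python
import os
import tempfile

CHUNK = 1 << 16  # read in 64 KiB pieces so large files are never loaded whole

def is_zero_filled(path):
    """True when the file is non-empty and every byte is 0x00."""
    size = 0
    with open(path, "rb") as fh:
        while block := fh.read(CHUNK):
            if block.count(0) != len(block):
                return False
            size += len(block)
    return size > 0

def triage(root):
    """Sort files under root into the two damage classes the article describes."""
    report = {"renamed": [], "zeroed": []}
    for folder, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(folder, name)
            # Extension from the article; matching case-insensitively is an assumption.
            if name.lower().endswith(".redeye"):
                report["renamed"].append(path)
            try:
                if is_zero_filled(path):
                    report["zeroed"].append(path)  # no key restores these; use backups
            except OSError:
                continue  # unreadable or locked file: skip it
    return report

def demo():
    """Run triage over a constructed sample tree (not real RedEye output)."""
    samples = {
        "notes.txt": b"ordinary content",
        "photo.jpg.RedEye": bytes(range(256)) * 4,  # stands in for ciphertext
        "budget.xlsx": b"\x00" * 4096,              # zero-filled file
        "empty.log": b"",                           # empty is not "zero-filled"
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        found = triage(root)
        return {k: sorted(os.path.basename(p) for p in v) for k, v in found.items()}

if __name__ == "__main__":
    print(demo())
```

Files in the “zeroed” list hold no ciphertext at all, so they can only come back from a backup or shadow copy.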

The ransom note says that the data is encrypted using AES256 and that, to restore access, the victim needs to pay 0.1 Bitcoins via a .onion website. The payment has to be submitted within four days; failing that, the data will be “destroyed”.

Text presented in RedEye ransomware pop-up window:

All your personal files has been encrypted with an very strong key by RedEye! (Rijndael-Algorithmus – AES – 256 Bit)

The only way to get your files back is:

– Go to hxxp://redeye85x9tbxiyki.onion/tbxlyki – Enter your Personal ID and pay 0.1 Bitcoin to the address below! After that your need to click on “Check Payment”. Then you will get a special key to unlock your computer.

You got 4 days to pay, when the time is up, then your PC will be fully destroyed!

The note gives the user the following options:

  • View encrypted files and decrypt them
  • Get support
  • “Destroy PC”

If the user selects the last option, a GIF is displayed in the background, with a “Do it” button to proceed with the operation and another button to close the image. If the “Do it” button is selected, the 4-day window is revoked at once and the malware reboots the machine to replace the MBR. In contrast to other ransomware, this behavior of RedEye is unusual and advanced.

After the Destroy PC button is pressed, the next time the machine is powered on a message is displayed to the victim that reads “RedEye terminated their computer,” and it is signed with the “iCoreX” handle.
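A defender-side check for the MBR replacement described above, as an added example that is not from the original article: it compares sector 0 of a disk against a known-good copy saved earlier and reports what changed. The sample sectors are constructed, and `parse_mbr`, `compare` and `build_sample` are names chosen for this example.

```python
import hashlib
import struct

BOOT_CODE_LEN = 446  # bootstrap code; the 4 x 16-byte partition table follows


def parse_mbr(sector):
    """Split a 512-byte sector 0 into boot-code hash, partitions and signature."""
    if len(sector) != 512:
        raise ValueError("expected exactly 512 bytes")
    partitions = []
    for i in range(4):
        start = BOOT_CODE_LEN + 16 * i
        status, ptype, lba, count = struct.unpack("<B3xB3xII", sector[start:start + 16])
        if ptype != 0:  # type 0x00 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions,
            "signature_ok": sector[510:512] == b"\x55\xaa"}


def compare(baseline, current):
    """List how the current sector 0 differs from a stored known-good copy."""
    old, new = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if old["boot_code_sha256"] != new["boot_code_sha256"]:
        findings.append("boot code changed")
    if old["partitions"] != new["partitions"]:
        findings.append("partition table changed")
    if not new["signature_ok"]:
        findings.append("boot signature missing")
    return findings


def build_sample(boot_code):
    """Constructed sector for the demo: filler boot code plus one type-0x07 entry."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + entry + bytes(48) + b"\x55\xaa"


if __name__ == "__main__":
    good = build_sample(b"constructed original loader")
    replaced = build_sample(b"constructed replacement loader")
    print(compare(good, good))
    print(compare(good, replaced))
    print(compare(good, bytes(512)))
```

The baseline is the first 512 bytes of the disk, captured while the machine is known to be clean and stored off the machine.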

MBR lock screen

The first thing to notice about the file is its size, 35.0 MB, which is due to the different media files (especially audio, video and others) embedded in the binary.

It contains three .wav files:

  • child.wav
  • redeye.wav
  • suicide.wav

In addition to this, the binary is protected with ConfuserEx, compression, and another trick.

What is AES-256?

It is a symmetric encryption algorithm that uses a single key to encrypt and decrypt data. The unique key is stored on a remote server operated by RedEye’s developer; once the ransom is paid, the key is sent to the victim.

Note: The data can be decrypted and restored only when the key is received; even after paying the ransom, the victim needs to wait for the key.

Screenshot of the message that victim receives

Properties of RedEye Ransomware:

  • MD5: 832090ba6fe32a3c7c36dbd76f270215
  • SHA1: 804b8e85f38de8b82a961401836ccec5880342e6
  • SHA256: 1a8b7a6547b743ea01bb0ac057c91228c10dc8f99562ce2b06e25893161776bb
  • Compilation timestamp: 2018-05-03 10:04:35

How does ransomware infect the PC?

There are several ways in which ransomware can spread to a PC. The most common are spam emails, malicious attachments, peer-to-peer file transfers, file downloads from untrusted sources, fake software and JavaScript files, among others.

How to stay protected from ransomware?

The most common reasons a machine gets infected are human error, lack of knowledge and a carefree attitude. Therefore, anyone who wants to stay protected needs to pay attention to their browsing habits and to what data and software they download, upload and install. Besides, users need to examine each email attachment; if it comes from an untrusted source, they should never open it or even download it. Such emails should be deleted instantly, without a second thought. Furthermore, software should always be downloaded from the official site or trusted sources, as third-party downloaders are used to spread rogue apps.
