The security researcher Lawrence Abrams has identified a development version of a new ransomware called Donald Trump ransomware.
Donald Trump Ransomware In Progress
The latest ransomware threat to emerge on the Internet is a development version of a new strain named after Donald Trump. The discovery was reported by Lawrence Abrams of Bleeping Computer. The malware is still under active development and, according to the reports, was first compiled over a month ago. As this is still a pre-release version, Abrams does not expect to see attack campaigns using it yet.
The Trump ransomware is distributed via spam emails posing as a legitimate newsletter about the current presidential election in the USA. Each message carries an attachment that redirects to an infected domain where the ransomware is hosted.
The code base contains a routine that encrypts files with the AES cipher; in the samples spotted so far, however, it is not activated yet. The current version searches for files in the encrypt folder and base64-encodes their file names. The affected files are then renamed with the .encrypted extension. The targeted file extensions are the following:
.zip, .mp3, .7z, .rar, .wma, .avi, .wmv, .csv, .tax, .sidn, .itl, .mdbackup, .menu, .icarus, .litemod, .sav, .lvl, .raw, .flv, .m3u, .xxx, .pak, .jpg, .png, .docx, .doc, .ppt, .odt, .csv, .jpeg, .psd, .rtf, .cfg, Minecraft, alts.json, .wolfram, .dat, .dat_mcr, .mca, .Ink, .pub, .pptx, .php, .html, .yml, .sk, .txt, .mp4, .vb, .swf, .ico, .xcf, bukkit.jar, .log, .sln, .ini, .dll, .xml, .tex, .assets, .resource, .java, .js, .css, .gif
The development version has an Unlock button that reverses the changes. The expert advises all users to be extremely careful when receiving emails with attachments, as that is the likely distribution method for most ransomware variants. At the moment only a handful of anti-virus solutions detect the threat.
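Because the pre-release sample only base64-encodes file names and appends .encrypted (no encryption is active yet, and the Unlock button simply reverses the rename), an affected directory can be recognised and restored without any key. The script below is an added example, not code from the article or from the malware: it decodes names that follow the scheme the article describes, flags those whose original extension is on the reported target list, and renames them back without overwriting anything. The directory layout, the sample file names and the helper names (decode_renamed, scan_directory, restore_directory, demo) are constructed for illustration, and the extension set is a subset of the list above.

```python
"""
Added example (not code from the original article): detector and restore helper
for the rename scheme described for the pre-release Trump ransomware sample,
where a file name is replaced by base64(name) + ".encrypted". Sample directory
and file names below are constructed for illustration.
"""
import base64
import binascii
import os
import tempfile

SUFFIX = ".encrypted"

# Subset of the targeted extensions reported in the article. Entries that appear
# in the article without a leading dot (bukkit.jar, alts.json) are matched by name.
TARGETED_EXTENSIONS = {
    ".zip", ".mp3", ".7z", ".rar", ".wma", ".avi", ".wmv", ".csv", ".jpg",
    ".jpeg", ".png", ".docx", ".doc", ".ppt", ".pptx", ".odt", ".txt", ".psd",
    ".rtf", ".php", ".html", ".mp4", ".dll", ".xml", ".java", ".js", ".css",
    ".gif", ".log", ".ini",
}
TARGETED_NAMES = {"bukkit.jar", "alts.json"}


def decode_renamed(name):
    """Return the original file name if `name` is base64(original) + '.encrypted',
    otherwise None. Strict base64 validation keeps ordinary '*.encrypted' files
    from being misreported."""
    if not name.endswith(SUFFIX):
        return None
    stem = name[: -len(SUFFIX)]
    if not stem:
        return None
    try:
        original = base64.b64decode(stem, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Reject anything that could escape the directory when renamed back.
    if not original or "/" in original or "\\" in original or original in (".", ".."):
        return None
    return original


def looks_targeted(original):
    """True if the decoded name has an extension or name on the target list."""
    lower = original.lower()
    return lower in TARGETED_NAMES or os.path.splitext(lower)[1] in TARGETED_EXTENSIONS


def scan_directory(path):
    """Return [(renamed, original, targeted)] for every file matching the scheme."""
    hits = []
    for name in sorted(os.listdir(path)):
        original = decode_renamed(name)
        if original is not None and os.path.isfile(os.path.join(path, name)):
            hits.append((name, original, looks_targeted(original)))
    return hits


def restore_directory(path):
    """Rename matching files back to their decoded names; never overwrite."""
    restored = []
    for renamed, original, _ in scan_directory(path):
        dest = os.path.join(path, original)
        if os.path.exists(dest):
            continue  # collision: leave it for a human to resolve
        os.rename(os.path.join(path, renamed), dest)
        restored.append(original)
    return restored


def demo():
    """Build a constructed directory in the renamed state, then restore it."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample names, built with the rename rule the article describes.
        for original in ("report.docx", "photo.jpg"):
            renamed = base64.b64encode(original.encode()).decode() + SUFFIX
            open(os.path.join(tmp, renamed), "w").close()
        # Decoys: an untouched file and a '.encrypted' file whose stem is not base64.
        open(os.path.join(tmp, "readme.txt"), "w").close()
        open(os.path.join(tmp, "notes.encrypted"), "w").close()
        found = scan_directory(tmp)
        restored = restore_directory(tmp)
        return {"found": found, "restored": sorted(restored), "left": sorted(os.listdir(tmp))}


if __name__ == "__main__":
    print(demo())
```

Run it against a copy of the affected folder, not the original, and review the scan output before restoring: a four-character stem that happens to be valid base64 can decode to a plausible name, which is why the targeted flag is reported alongside each hit.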