PadCrypt: The first ransomware with Live Support Chat and an Uninstaller

[Batu69]

A new ransomware was discovered by @abuse.ch and further analyzed by MalwareHunterTeam called PadCrypt that offers for the first time a live support chat feature and an uninstaller for its victims. CryptoWall was the first ransomware to provide customer support on their payment sites, but PadCrypt's use of live chat allows victims to interact with malware developers in real time. A feature like this could potentially increase the amount of payments as the victim can receive "support" and be guided on the confusing process of making a payment.

PadCrypt offers a Live Support Chat Feature

With the release of PadCrypt, customer support is taken to a new level by the malware developers offering live chat.  In the main screen for the PadCrypt ransomware there is a link called Live Chat as shown in the image below.

 

PadCrypt Ransomware Screen

 

If a user clicks on the Live Chat option, it will open up another screen that allows the victim to send a message to the developers. When the developers respond, their reply will be shown in the same screen.

 

Live Chat feature of PadCrypt

 

At this time, the Command & Control servers for PadCrypt are offline, so the ransomware will not actually encrypt anything even though it shows you the ransomware screen. Furthermore, as the live support chat requires an active C2 server, the live chat functionality is broken as well.

PadCrypt makes it easy to remove the infection

For those who wish to remove the infection, PadCrypt makes it easy by also downloading and installing an uninstaller. We recently have seen a ransomware that allows you to enable and disable the autorun for it, but this is the first time we have seen a ransomware that provides an uninstall program as well.  When PadCrypt is installed, an uninstaller will also be downloaded and installed at %AppData%\PadCrypt\unistl.exe.   Once the uninstaller is executed, it will remove all ransom notes and files associated with the PadCrypt infection. Unfortunately, all encrypted files will remain.

Ransomware developers love CryptoWall

There is something about CryptoWall that other ransomware developers just love to imitate it.  This is also the case with PadCrypt as the executable has numerous references to CryptoWall in it.  For example, the PDB for the PadCrypt executable is:

C:\Users\user\Documents\Visual Studio 2013\Projects\Cryptowall 2.0\Cryptowall\bin\Debug\Obfuscated\PadCrypt.pdb

There are also numerous references to CryptoWall within the C# project for this ransomware. For example, one of the namespaces for the ransomware is called Cryptowall.

 

CryptoWall Namespace

 

PadCrypt Encryption Process

PadCrypt is distributed via SPAM that contains a link to a zip archive that contains what appears to be a PDF file with a name like DPD_11394029384.pdf.scr. This PDF file, though, is actually an executable renamed to have the .scr .extension that when executed downloads the package.pdcr and unistl.pdcr files from the now disabled Command & Control servers.  The known C2 servers used by this ransomware include annaflowersweb.com, subzone3.2fh.co, and cloudnet.online. The package.pdcr is the PadCrypt executable and the uninstl.pdcr is the uninstaller. Both of these files will be stored in the %AppData%\PadCrypt folder.

 

When the main PadCrypt.exe file is executed, it will scan the local drives for any files that match certain extensions and encrypt them using AES encryption.  Any file that is encrypted will have the .ENC extension appended to the filename. PadCrypt will also record the name of any encrypted file in the %AppData%\PadCrypt\files.txt file. The list of targeted extensions are:

pdf, gif, bmp, jpeg, jpg, png, doc, docx, ppt, ptx, psd, pdn

During the encryption process, PadCrypt will also delete the Shadow Volume Copies on the computer by executing the following command:

vssadmin delete shadows /for=z: /all /quiet

When it has finished encrypting the data it will create a IMPORTANT READ ME.txt file on the desktop that contains ransom instructions as shown below.

 

IMPORTANT READ ME.txt

Finally, it will show the ransom screen as shown below.

 

PadCrypt Ransomware Screen

 

This ransom screen will provide instructions on how to make .8 bitcoin payment or a ~$350 payment via PaySafeCard or Ukash. The instructions also state that you  have 96 hours to make payment or the key will be destroyed. 

 

At this time, it is currently unknown if there is a way to decrypt these files for free, but if we learn anything further we will be sure to post it.

 

Files associated with PadCrypt

%Desktop%\IMPORTANT READ ME.txt
%AppData%\PadCrypt\unistl.exe
%AppData%\PadCrypt\decrypted_files.dat
%AppData%\PadCrypt\File Decrypt Help.html
%AppData%\PadCrypt\PadCrypt.exe
%AppData%\PadCrypt\Files.txt

Registry entries associated with PadCrypt

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "PadCrypt" = "%AppData%\PadCrypt\PadCrypt.exe"
HKEY_CURRENT_USER\Control Panel\Desktop "Wallpaper" = "%AppData%\PadCrypt\Wallpaper.bmp
HKEY_CURRENT_USER\Control Panel\Desktop "WallpaperStyle" = 1
HKEY_CURRENT_USER\Control Panel\Desktop "TileWallpaper" = 0

 

Article source