TrueCrypter ransomware lets you pay with Amazon gift cards

Discussion in 'Alerts!' started by toper01, May 2, 2016.

    toper01 (Moderator, Staff Member)

    A new form of ransomware known as TrueCrypter has boldly designated Amazon gift cards as a viable option by which victims can pay their ransom fees.

    Bizarrely, however, victims need pay nothing at all - as simply pressing "Pay" without submitting any payment information results in encrypted files being automatically recovered.

    First detected by Jakub Kroustek, a reverse engineer and malware analyst at AVG, TrueCrypter is for the most part a run-of-the-mill ransomware sample.

    Lawrence Abrams of Bleeping Computer explains that when TrueCrypter is first installed, it checks to see if it is running in a sandbox environment or virtual machine. If not, it looks for certain processes that are known to be associated with security software.

    In the event both tests come back negative, the ransomware takes a Caesar-21 encoded string and loads up configuration settings for its command and control (C&C) server address, bitcoin address, and other information. It then encrypts files on the victim's hard drive using AES-256 encryption, appends .ENC to the filename of each affected file, and deletes all shadow volume copies on the computer before finally displaying its ransom message to the victim.


    Those affected by the ransomware are presented with two payment options: Bitcoins or Amazon Gift Cards.

    The latter is an odd design choice. Unlike Bitcoins, Amazon Gift Cards are not anonymous and can easily be tracked by Amazon. That threatens TrueCrypter's author with considerable risk of discovery.

    Stranger still, TrueCrypter is not the only ransomware that has asked for gift card ransom payments in recent weeks.

    Last month, researchers at Blue Coat Systems identified "Cyber.Police," a form of Android malware that breaks the crypto-ransomware mold:

    "The ransomware doesn't threaten to (or actually) encrypt the victim's data. Rather, the device is held in a locked state where it cannot be used for anything other than delivering payment to the criminals in the form of two $100 Apple iTunes gift card codes. That's unusual because it's far more common nowadays for ransomware to demand non-trackable cryptocurrency, like Bitcoins. In theory, it might be possible for Apple (or its iTunes gift card partners) to track who used the gift cards provided to the criminals, which may help investigators identify them."


    Allowing users to pay in Amazon and Apple iTunes gift cards might not ultimately be just a mode of preference. It could also be a sign of amateur experience in the world of ransomware development.

    Case in point, Blue Coat Systems found they could still copy all unmodified files from the internal memory of a device affected by Cyber.Police. They also discovered the malware does not persist after a factory reset.

    TrueCrypter is even more of a mess. By simply clicking on the "Pay" option, and without submitting any payment information, the ransomware will automatically decrypt all of a user's files and remove itself from the victim's computer.


    And bingo!


    If you have been affected by TrueCrypter, simply click on "Pay" to decrypt your files. But you might want to do it quickly.

    You never know how ransomware authors will react to the disclosure of bugs or the release of decryption tools.

    They could do nothing, or they could decide to patch their code, which might render this mode of decryption unusable. It's better to be safe than sorry and decrypt your files now as opposed to later.
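As an added detection-side example (not from the article, and not code from any TrueCrypter sample), the script below takes the two behaviours described above, renaming files to *.ENC and deleting shadow volume copies, and scores constructed endpoint events per process. The event shape, the pid/parent convention and the vssadmin/wmic command lines are assumptions; the article only says shadow copies are deleted.

```python
import re
from collections import defaultdict

# Constructed sample endpoint events (not real TrueCrypter telemetry), in the
# shape a simple Sysmon/EDR feed might emit. "pid" is the acting process
# (for process_create it is the parent that launched the command).
SAMPLE_EVENTS = [
    {"type": "file_rename", "pid": 4242,
     "src": r"C:\Users\alice\Documents\q1.xlsx", "dst": r"C:\Users\alice\Documents\q1.xlsx.ENC"},
    {"type": "file_rename", "pid": 4242,
     "src": r"C:\Users\alice\Documents\notes.docx", "dst": r"C:\Users\alice\Documents\notes.docx.ENC"},
    {"type": "file_rename", "pid": 4242,
     "src": r"C:\Users\alice\Pictures\cat.jpg", "dst": r"C:\Users\alice\Pictures\cat.jpg.ENC"},
    {"type": "process_create", "pid": 4242,
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    # Benign noise: an editor renaming a temp file, and a backup tool listing shadows.
    {"type": "file_rename", "pid": 1234,
     "src": r"C:\Users\alice\Documents\~draft.tmp", "dst": r"C:\Users\alice\Documents\draft.docx"},
    {"type": "process_create", "pid": 5678,
     "cmdline": "vssadmin.exe list shadows"},
]

ENC_SUFFIX = ".ENC"  # extension the article says TrueCrypter appends
# The article only says shadow copies are deleted; vssadmin and wmic are the
# usual built-in ways to do that (assumption, not taken from the sample).
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)",
    re.IGNORECASE,
)

def score_events(events, rename_threshold=3):
    """Group events by pid and return per-process counters plus a verdict:
    'likely-ransomware' needs >= rename_threshold .ENC renames AND a shadow-copy
    deletion; 'suspicious' is either indicator alone; otherwise 'benign'."""
    stats = defaultdict(lambda: {"enc_renames": 0, "shadow_delete": False})
    for ev in events:
        s = stats[ev["pid"]]
        if ev["type"] == "file_rename" and ev["dst"].endswith(ENC_SUFFIX):
            s["enc_renames"] += 1
        elif ev["type"] == "process_create" and SHADOW_DELETE.search(ev["cmdline"]):
            s["shadow_delete"] = True
    for s in stats.values():
        many = s["enc_renames"] >= rename_threshold
        if many and s["shadow_delete"]:
            s["verdict"] = "likely-ransomware"
        elif many or s["shadow_delete"]:
            s["verdict"] = "suspicious"
        else:
            s["verdict"] = "benign"
    return dict(stats)
```

Tune rename_threshold to the feed's normal rename volume; a single .ENC rename or a lone shadow deletion by a backup tool should only reach "suspicious", not page anyone.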
