![\"Email](\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/11\/crimace-spam-email.png\")
<\/p>\n
Figure 1. Email message masquerading as a fax but carrying TrojanDownloader:JS\/Crimace.A<\/span><\/u><\/a> as attachment<\/em><\/p>\n The malicious email ticks all the boxes to fake a fax:<\/p>\n The use of a password-protected RAR file attachment is a clear attempt to evade AV scanners. The password is provided in the email message body. The archive file contains no fax, but Crimace<\/a>, a malicious Windows Script File (.WSF) developed in JScript.<\/p>\n When the recipient falls for the lure and opens the attachment, Crimace<\/a> displays the following message to complete the fax pretense:<\/p>\n Figure 2. Crimace<\/a> displays a message to signify the fake fax cannot be displayed<\/em><\/p>\n Unsuspecting victims might think that is the end of it. But Crimace<\/a> goes ahead with its intention to download its payload, a ransomware detected as Ransom:Win32\/WinPlock.B<\/a>.<\/p>\n WinPlock<\/a> is a family of ransomware that has been around since September 2015 but did not have significant activity until recently. The discovery of this new variant signals that it\u2019s back to wreak havoc.<\/p>\n Ransom:Win32\/WinPlock.B<\/a> can search for and encrypt a total of 2,630 file types.<\/p>\n Figure 3. Ransom:Win32\/WinPlock.B<\/span><\/u>\u2019s ransom note contains instructions to pay<\/em><\/p>\n It asks for a ransom of .55 Bitcoin, which the ransom note indicates as converting to ~US$386. However, using current conversion rates, it converts a little higher:<\/p>\n Figure 4. Bitcoin to US Dollar conversion on November 15, 2016 shows a higher rate than what is indicated in the ransom note (data from Coinbase)<\/em><\/p>\n Interestingly, when this ransomware family was first discovered in September 2015, it asked for ransom of 1 Bitcoin, which at the time converted to ~US$300. The market has changed since then, with more and more ransomware families and better technologies to detect ransomware. The increase in ransom amount indicates the actors behind this ransomware family are tracking Bitcoin exchange rates, and aim for potentially bigger gain.<\/p>\n And, just like the fake fax that delivers Crimace<\/a>, Ransom:Win32\/WinPlock.B<\/span><\/u> attempts to cause panic by setting a timer that gives a victim 120 hours to pay the ransom:<\/p>\n Figure 5. Ransom:Win32\/WinPlock.B<\/span><\/u> sets a timer<\/em><\/p>\n TrojanDownloader:JS\/Crimace.A<\/a> arrives as a malicious .WSF file contained in a RAR archive attached to emails:<\/p>\n Figure 6. The attachment is a RAR archive containing a malicious .WSF file<\/em><\/p>\n Inspecting the .WSF file shows that it is obfuscated script file:<\/p>\n Figure 7. The .WSF file before\u00a0unobfuscated form<\/em><\/p>\n Decrypting the file reveals a lot of suspicious functions including download and execute capabilities:<\/p>\n The header of the file is its configuration code and is embedded on the file as an array:<\/p>\n Figure 8. The header of the decrypted script is the configuration code<\/em><\/p>\n When decrypted, the configuration includes data including campaign number, download links, and installation paths:<\/p>\n Figure 9. Decrypted configuration<\/em><\/p>\n Ransom:Win32\/WinPlock.B<\/a> is downloaded by Crimace<\/a> as a Nullsoft Scriptable Install System (NSIS) package. Once executed it may create the following desktop shortcut:<\/p>\n Figure 10. NSIS package icon used by malware<\/em><\/p>\n When the malicious file is extracted from the NSIS package, it uses the following icon:<\/p>\n Figure 11. Icon used by malware after extraction from package<\/em><\/p>\n The malware\u2019s file information also shows campaign ID as internal name and version:<\/p>\n Figure 12. The malware file information<\/em><\/p>\n When successfully executed, Ransom:Win32\/WinPlock.B<\/a> encrypts files with extensions in its list of 2,630. Notably, the ransom note contains an email address to contact for support. It asks for ransom of .55 Bitcoins.<\/p>\n Figure 13. Ransom:Win32\/WinPlock.B<\/span><\/u>\u2019s ransom note contains support information<\/em><\/p>\n The ransom note also lists websites where victim can buy Bitcoins:<\/p>\n Figure 14. Ransom:Win32\/WinPlock.B<\/span><\/u>\u2019s ransom note lists information for acquiring Bitcoins<\/em><\/p>\n Clicking the “Show files” lists all the encrypted files. Unlike other ransomware, Ransom:Win32\/WinPlock.B<\/span><\/u> does not change the extension of the encrypted files:<\/p>\n Figure 15. List of encrypted files<\/em><\/p>\n It also creates additional files to remind users that their computer is infected:<\/p>\n Figure 16. The malware creates additional files to indicate that files have been encrypted<\/em><\/p>\n To avoid falling prey to this new ransomware campaign, here are some tips:<\/p>\n For end users<\/strong><\/p>\n For IT Administrators<\/strong><\/p>\n To learn more about how Microsoft protects you from ransomware, you can read the following:<\/p>\n\n
![\"Crimace](\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/11\/crimace-message.png\")
<\/p>\n![\"Ransom:Win32\/WinPlock.B\u2019s](\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/11\/winplock-ransom-1.png\")
<\/a><\/p>\n![\"Bitcoin](\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/11\/winplock-bitcoin-us-dollar-conversion.png\")
<\/em><\/p>\n![\"data:text\/mce-internal,content,%3Cimg%20width%3D%22538%22%20height%3D%22118%22%20class%3D%22alignnone%20size-full%20wp-image-9515%22%20alt%3D%22Bitcoin%20to%20US%20Dollar%20conversion%20on%20November%2011%2C%202016%20shows%20a%20higher%20rate%20than%20what%20is%20indicated%20in%20the%20ransom%20note%22%20src%3D%22https%3A\/\/msdnshared.blob.core.windows.net\/media\/2016\/11\/winplock-bitcoin-us-dollar-conversion.png%22%20\/%3E\"](\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/11\/winplock-timer.png\")
<\/p>\nTrojanDownloader:JS\/Crimace.A has a lot of functions to download and execute<\/h2>\n
![\"The](\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/11\/crimace-archive-1024x606.png\")
<\/p>\n![\"crimace-obfuscated-script\"](\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/11\/crimace-obfuscated-script-1024x440.png\")
<\/p>\n\n
![\"The](\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/11\/crimace-decrypted-1024x421.png\")
<\/p>\n![\"Decrypted](\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/11\/crimace-decrypted-header.png\")
<\/p>\nRansom:Win32\/WinPlock.B encrypts 2,620 file types<\/h2>\n
![\"NSIS](\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/11\/winplock-nsis-icon.png\"){kind=icon}
<\/p>\n![\"Icon](\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/11\/winplock-icon.png\"){kind=icon}
<\/p>\n![\"The](\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/11\/winplock-file-info.png\")
<\/p>\n![\"Ransom:Win32\/WinPlock.B\u2019s](\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/11\/winplock-ransom-2.png\")
<\/p>\n![\"Ransom:Win32\/WinPlock.B\u2019s](\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/11\/winplock-ransom-3.png\")
<\/p>\n![\"List](\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/11\/winplock-list-encrypted.png\")
<\/p>\n![\"The](\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/11\/winplock-addl-files.png\")
<\/p>\nPrevention and mitigation<\/h2>\n
\n
\n
Additional information<\/h2>\n