Recently we caught what seems to be a new ransomware variant in our nets. The mail contained a file called âTransferencia devuelta pago erroneoâ (translated: âTransfer back erroneous paymentâ) with the .cmd extension and is actually just an executable.
When running the file, youâll get the following notification:
Error in file, nothing to see, move on⊠Right? Not exactly, in the background a new folder on C:\ called xwintmp is created and new files are being download and executed:
 5 new files are created:
- chuingamshik -> file which contains the word âchuingamshikâ, possibly the projectâs name
- filepas.asc ->Â contains your calculated PGP key and ransom message
- manager.exe ->payload, dropped by Transferencia devuelta pago erroneo.cmd
- pgp.exe -> generates your custom PGP key
- rar.exe -> to encrypt the files
As to not arouse suspicion or to evade sandboxes, the malware then waits for a while using the Windows API âsleepâ function and afterwards starts âencryptingâ all your files:
Iâve used single quotation marks here since thereâs no real encryption going on, but rather the manager.exe file starts archiving (or âRARringâ if you will) your files with some parameters and adds a password, using the command line version of WinRAR. The ransom creates a random key, unique per infection process. The seed for the random key is the Windows API âGetCursorPosâ. âGetCursorPosâ gets the current X and Y coordinate from mouse cursor, and is launched 16 times, making it impossible to guess or recover the key.
Hereâs the good news: when the malware is still encrypting your files, you can easily retrieve the password from memory as is also shown in the screenshot above. Starting with 5F0 and ending with 131 is in fact the password used to encrypt the files. You can use for example Process Explorer to determine the command line arguments and extract the password.
As said earlier, the filepas.asc contains your PGP key + a ransom note, which is as follows:
The files are packed in archives with a password.
Unpacked – 300 eur
To unpack the files send two files to email: chuingamshiki@gmail.com
1) file you are reading now
2) one packed file (no more than 1 megabyte)
In response comes the original file and the instruction for bitcoin transfer
(The original file is proof that it is possible to return all files to their original)
After the transfer bitcoin, you will receive your password to archives.
Also coming program to automatically unpack files
Reply to your letter will come within 24 hours.
If no response comes for more than 24 hours write to reserved e-mail: chuingamshiki@mail2tor.com
Do not pay for ransomware, but restore your files using Volume Shadow Copies or straight from a backup.
In case youâre fast enough, you can get the password and restore your files (kill the manager.exe process after copying the password though, or it will keep encrypting your files).