The Maktub Locker infection arrives in the usual way: a spam mail from some company carrying an executable file (.exe) disguised as a text or PDF document. This file opens an “Updating our privacy policies and terms of service” text file, which we will of course read, because everyone reads those all the time, don’t we? While we are busy reading it, the original file starts encrypting our files, just as the other cryptolockers do. Suddenly, this appears on our screen:

All our files have been encrypted and now carry the extension “.rdbmh”; they are also “smaller” (probably compressed).
So, we visit their website to check how this works. After entering our public key on the website, we are shown a really well-made payment site that looks like this:

These guys might be bad ones but they are very caring! If you have any doubt about how the payment system works, they explain it all to you on their cool website (even with some links about where to buy bitcoins). These five pages show you the following things:
- What happened with your files
- They let you decrypt two of your files for free
- It shows the prices, but what is interesting is that the price increases as days go by. For the first three days, the ransom from Maktub will be 1.4 BTC but it increases to 3.9 BTC in two weeks. This means that the actual market price of the ransom balloons from 515 up to 1,450 euros.
- It shows how the entire process is automated and that your files will be automatically unencrypted after payment has been made to the given address.
- They also will help you find places where you can purchase Bitcoins.
Looks like they are really polite and want to make things easier for you. But what they really want is for you to pay. Increasing the amount you have to pay over time — called time-based dynamic pricing in the business world — is just a way to pressure you into sending them the money, and sending it fast. But as we always say, don’t pay the ransom. It only encourages them to keep making money from people this way. Just be careful and do not open any suspicious file attached to an email.
Avira is already detecting this malware as “TR/FileCoder”.
The compression used in Maktub Locker is BZip2, as the following disassembly shows: the file is read with kernel32.ReadFile and its contents are then handed to the BZip2 compression routine.
```asm
1000516E  FFD0              CALL EAX                          ; -> kernel32.ReadFile
10005170  85C0              TEST EAX,EAX
10005172  75 08             JNZ SHORT 1000517C
10005174  8B4D E4           MOV ECX,DWORD PTR SS:[EBP-1C]
10005177  E9 A9000000       JMP 10005225
1000517C  8D45 D4           LEA EAX,DWORD PTR SS:[EBP-2C]
1000517F  C745 EC 00000000  MOV DWORD PTR SS:[EBP-14],0
10005186  50                PUSH EAX
10005187  8D45 E8           LEA EAX,DWORD PTR SS:[EBP-18]
1000518A  C745 D4 00000000  MOV DWORD PTR SS:[EBP-2C],0
10005191  50                PUSH EAX
10005192  8D45 EC           LEA EAX,DWORD PTR SS:[EBP-14]
10005195  C745 E8 00000000  MOV DWORD PTR SS:[EBP-18],0
1000519C  50                PUSH EAX
1000519D  FF75 E0           PUSH DWORD PTR SS:[EBP-20]
100051A0  FF75 E4           PUSH DWORD PTR SS:[EBP-1C]
100051A3  E8 B8040000       CALL 10005660                     ; -> BZCompression_proc
```
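The compress-then-encrypt layout matters for recovery: a file that only reached the BZip2 stage still starts with the `BZh` stream header and can simply be decompressed, while one that was also encrypted shows near-random bytes with no recognisable header. The following Python triage helper is an added example (not Avira's code or anything from the malware) that tells those cases apart over constructed sample files; the `.rdbmh` extension comes from the write-up, while the entropy threshold and the sample contents are assumptions.

```python
import bz2
import math
import random
from collections import Counter

# Maktub Locker, per the write-up, BZip2-compresses a file and then encrypts the
# result, renaming it with the ".rdbmh" extension.  Added example, not Avira's code:
# triage file bytes into untouched, compressed-only (recoverable) and encrypted.
RANSOM_EXT = ".rdbmh"      # extension observed on Maktub-encrypted files
BZ2_MAGIC = b"BZh"         # BZip2 stream header, followed by a block-size digit 1-9
HIGH_ENTROPY = 7.5         # bits per byte; assumed threshold for "looks encrypted"

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: roughly 4-5 for text, close to 8 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def recover_bz2_only(data: bytes):
    """If the file was compressed but never encrypted, return the original bytes."""
    if data[:3] != BZ2_MAGIC or not data[3:4].isdigit():
        return None
    try:
        return bz2.decompress(data)
    except (OSError, ValueError):
        return None

def classify(name: str, data: bytes) -> str:
    """Return 'bz2-only', 'encrypted', 'suspect-extension' or 'plaintext'."""
    if recover_bz2_only(data) is not None:
        return "bz2-only"                # compressed, no cipher applied yet
    if shannon_entropy(data) >= HIGH_ENTROPY:
        return "encrypted"               # compress-then-encrypt output
    if name.endswith(RANSOM_EXT):
        return "suspect-extension"       # renamed but content still readable
    return "plaintext"

def triage(files: dict) -> dict:
    """Classify every {name: bytes} entry, e.g. files pulled from a disk image."""
    return {name: classify(name, data) for name, data in files.items()}

# Constructed fixtures: the lure's decoy text, its bz2 form, and seeded random
# bytes standing in for ciphertext (the page does not describe the cipher used).
SAMPLE_PLAIN = b"Updating our privacy policies and terms of service.\n" * 200
SAMPLE_BZ2 = bz2.compress(SAMPLE_PLAIN)
_rng = random.Random(2016)
SAMPLE_CIPHER = bytes(_rng.getrandbits(8) for _ in range(4096))
SAMPLE_FILES = {"policy.txt": SAMPLE_PLAIN, "photo.jpg.rdbmh": SAMPLE_BZ2,
                "report.doc.rdbmh": SAMPLE_CIPHER}
```

Note that entropy alone does not separate compressed from encrypted data (both sit near 8 bits per byte), which is why the header check runs first.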
thanks!