New Android ransomware [Android/Filecoder.C]
ESET security researchers have provided details about a new ransomware family they identified impacting the Android operating system. It has been observed being distributed through online forums and is believed to have been active since July 12th.
At this time, the size and scope of this campaign are limited, targeting only a select group of individuals. The researchers noted that if the adversaries choose to broaden the groups they target and correct execution flaws, this ransomware could become very problematic.
The adversaries set up two domains for this campaign that contain malicious Android downloads. Links to them have been observed for the most part on Reddit or XDA Developers, and the topics have been mostly explicit content or technically related. Once a device has been infected, the ransomware uses the victim’s contact list to send SMS text messages with malicious links in an effort to increase the number of victims it can infect. As is customary with most ransomware, it will lock the victim’s device and demand that a ransom be paid to unlock the files.
Once the files are encrypted, the file extension “.seven” is appended to the original filename.
![New Android ransomware [Android/Filecoder.C]](https://i0.wp.com/systemtek.co.uk/wp-content/uploads/2019/08/image.png?resize=591%2C207&ssl=1)
Indicators of Compromise (IoCs)
Hash
B502874681A709E48F3D1DDFA6AE398499F4BD23
D5EF600AA1C01FA200ED46140C8308637F09DFCD
F31C67CCC0D1867DB1FBC43762FCF83746A408C2
Bitcoin address
16KQjht4ePZxxGPr3es24VQyMYgR9UEkFy
Servers
http://rich7[.]xyz
http://wevx[.]xyz
https://pastebin[.]com/raw/LQwGQ0RQ
Contact e-mail address
h3athledger@yandex[.]ru
Affected Android versions
Android 5.1 and above
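The following Python is an added example, not code from ESET or from this page: it refangs the server indicators listed above, matches them against proxy log lines, and flags files whose names have ".seven" appended. The log format, the file paths, and the rule that the original name must already carry an extension are assumptions, and the sample data is constructed.

```python
import re
from urllib.parse import urlsplit

# Indicators as listed on this page, kept defanged in the source text.
SERVERS = ["http://rich7[.]xyz", "http://wevx[.]xyz", "https://pastebin[.]com/raw/LQwGQ0RQ"]
SUFFIX = ".seven"
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def refang(text):
    return text.replace("[.]", ".")

def build_matchers(defanged):
    """Host-only indicators also match subdomains; a host+path indicator matches only that resource."""
    parsed = [urlsplit(refang(item)) for item in defanged]
    hosts = {p.hostname for p in parsed if not p.path.strip("/")}
    resources = {(p.hostname, p.path) for p in parsed if p.path.strip("/")}
    return hosts, resources

def match_urls(text, hosts, resources):
    hits = []
    for url in URL_RE.findall(text):
        try:
            parts = urlsplit(url)
            host = (parts.hostname or "").lower()
        except ValueError:  # malformed URL in the log line
            continue
        if any(host == h or host.endswith("." + h) for h in hosts) \
                or (host, parts.path) in resources:
            hits.append(url)
    return hits

def encrypted_files(paths):
    """Heuristic (assumption): '.seven' appended to a name that already has an extension."""
    names = ((p, p.rsplit("/", 1)[-1]) for p in paths)
    return [p for p, n in names
            if n.lower().endswith(SUFFIX) and "." in n[:-len(SUFFIX)].strip(".")]

# Constructed sample input (not from the page): proxy log lines and a storage listing.
SAMPLE_LOG = refang("""\
10.0.0.5 GET http://rich7[.]xyz/app.apk 200
10.0.0.5 GET https://pastebin[.]com/raw/LQwGQ0RQ 200
10.0.0.7 GET https://pastebin[.]com/raw/AAAAAAAA 200
10.0.0.8 GET http://notrich7[.]xyz/ 200
""")
SAMPLE_FILES = ["/sdcard/DCIM/IMG_0001.jpg.seven", "/sdcard/notes.txt", "/sdcard/archive.seven"]

if __name__ == "__main__":
    print(match_urls(SAMPLE_LOG, *build_matchers(SERVERS)))
    print(encrypted_files(SAMPLE_FILES))
```

Matching the Pastebin indicator by exact path keeps unrelated pastes on the same host from raising alerts, while the two campaign domains are matched on any path or subdomain.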