New Android ransomware [Android/Filecoder.C]

ESET security researchers have provided details about a new ransomware family they identified impacting the Android operating system. It has been observed being distributed through online forums and is believed to have been active since July 12th.

At this time the campaign is small in scope, targeting only a select group of individuals. The researchers note that if the adversaries choose to broaden their targeting and fix the execution flaws in the current build, this ransomware could become far more problematic.

The adversaries set up two domains for this campaign that host the malicious Android downloads. Links to them have been posted mostly on Reddit and the XDA Developers forums, in threads about explicit content or technical topics. Once a device has been infected, the malware uses the victim's contact list to send SMS text messages containing malicious links, in an effort to increase the number of victims. As is customary with ransomware, it then encrypts the victim's files and demands that a ransom be paid to decrypt them.

Once the files are encrypted, the file extension “.seven” is appended to the original filename.

Encrypted files with the extension .seven

Further details here.

Indicators of Compromise (IoCs)

Hash

B502874681A709E48F3D1DDFA6AE398499F4BD23

D5EF600AA1C01FA200ED46140C8308637F09DFCD

F31C67CCC0D1867DB1FBC43762FCF83746A408C2

Bitcoin address

16KQjht4ePZxxGPr3es24VQyMYgR9UEkFy

Servers

http://rich7[.]xyz

http://wevx[.]xyz

https://pastebin[.]com/raw/LQwGQ0RQ

Contact e-mail address

[email protected][.]ru

Affected Android versions

Android 5.1 and above
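The indicators above are only useful once they are turned into something that can be run against real data. The following is an added example, not code from the original post or from ESET: an offline sweep that refangs the published server indicators, matches them against proxy-style log lines, and walks a directory (for instance a pulled /sdcard) looking for files whose hash is on the list or whose name carries the .seven extension. Assumptions made here: the hashes are SHA-1 (inferred from their 40-hex-digit length, the post does not name the algorithm); the Pastebin entry is matched on its full path rather than on the host, since pastebin.com itself is a shared service; and the log format and sample lines are constructed for the demonstration, not real captures.

```python
"""Offline IoC sweep for the Android/Filecoder.C indicators listed above.
Added example; not code from the original post or from ESET.
Log lines used in the stand-alone run are constructed, not real captures."""
import hashlib
import re
from pathlib import Path

# Indicators copied from the post, in the defanged form in which they are published.
# Assumption: 40 hex digits, so treated as SHA-1.
SHA1_HASHES = {
    "B502874681A709E48F3D1DDFA6AE398499F4BD23",
    "D5EF600AA1C01FA200ED46140C8308637F09DFCD",
    "F31C67CCC0D1867DB1FBC43762FCF83746A408C2",
}
DEFANGED_SERVERS = [
    "http://rich7[.]xyz",
    "http://wevx[.]xyz",
    "https://pastebin[.]com/raw/LQwGQ0RQ",
]
RANSOM_EXTENSION = ".seven"


def refang(indicator: str) -> str:
    """Undo the usual defanging so the indicator can be matched against live data."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def split_url(url: str):
    """Return (host, path) for a URL: scheme stripped, host lower-cased."""
    bare = re.sub(r"^https?://", "", refang(url), flags=re.I)
    host, _, path = bare.partition("/")
    return host.lower(), path


# Host-only indicators match any request to that host. The Pastebin entry is a
# shared service, so it only counts as a hit when the full path matches.
SERVER_KEYS = [split_url(u) for u in DEFANGED_SERVERS]


def url_is_ioc(url: str) -> bool:
    """True if the URL's host (and, where the IoC carries one, its path) is on the list."""
    host, path = split_url(url)
    for ioc_host, ioc_path in SERVER_KEYS:
        if host == ioc_host and (ioc_path == "" or path == ioc_path):
            return True
    return False


URL_RE = re.compile(r"https?://[^\s\"']+", re.I)


def scan_log(lines):
    """Return (line number, URL) pairs for every URL in the log that hits an IoC."""
    hits = []
    for n, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            if url_is_ioc(url):
                hits.append((n, url))
    return hits


def sweep_files(root, hashes=SHA1_HASHES):
    """Walk a directory tree and report files whose SHA-1 is on the hash list
    ("hash_hits") or whose name ends in the ransomware's extension ("encrypted")."""
    findings = {"hash_hits": [], "encrypted": []}
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        digest = hashlib.sha1(p.read_bytes()).hexdigest().upper()
        if digest in hashes:
            findings["hash_hits"].append(str(p))
        if p.name.lower().endswith(RANSOM_EXTENSION):
            findings["encrypted"].append(str(p))
    return findings


# Constructed sample proxy log lines (not real captures) for a stand-alone run.
SAMPLE_LOG = [
    "2019-07-15T10:22:01Z 10.0.0.5 GET http://rich7.xyz/app.apk 200",
    "2019-07-15T10:22:09Z 10.0.0.5 GET https://pastebin.com/raw/LQwGQ0RQ 200",
    "2019-07-15T10:23:40Z 10.0.0.7 GET https://pastebin.com/raw/abcdef12 200",
    "2019-07-15T10:24:02Z 10.0.0.9 GET https://example.org/index.html 200",
]

if __name__ == "__main__":
    for n, url in scan_log(SAMPLE_LOG):
        print(f"line {n}: IoC hit {url}")
```

On the constructed sample above only lines 1 and 2 are reported; the third line is a different paste on the same shared host and is deliberately not flagged. Note that the .seven check is a reliable sign of files already encrypted on a device but says nothing about the dropper itself, which is what the hashes and the two .xyz hosts cover.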

Jason Davies

UK based technology professional, with an interest in computer security and telecoms.
