The fascinating turn on this ransomware variation is that it influences the Google Cloud Messaging (GCM) Platform, a push warning administration for sending messages to enrolled customers, as a component of its C2 infrastructre. It additionally utilizes AES encryption in the correspondence between the contaminated device and the C2 server.
There are a few things that emerge about this risk. The first is the humongous payment ask it approaches victims for, which is 545,000 Russian rubles
Once user installs the malicious application, it demands application admin rights.
How this malware works
As per Lu, law breakers can send 20 type of commands to contaminated hosts, orders which can lock or open the device’s screen, add new contacts to the telephone, take all contacts, send SMS messages, and redesign the malware’s code.
Here we can see a detailed analysis on how this malware works
Next the Jfldnam Class used in GCM registration.The key code bit is demonstrated as follows.
Note : Google Cloud Messaging (GCM) is a free service that enables developers to send messages between servers and client apps.
The GCM Broadcast Receiver announcement in AndroidManifest record, there are three services revelations in the AndroidManifest document.
class kbin.zqn.smv.Ewhtolr is the GCM Service Class, with subclass Hkpvqnb, the following code is used to handle the action of intent related to GCM.
If the action is equal to “com.google.android.c2dm.intent.REGISTRATION”, it means that GCM registration has been successful. The malware handles the response from GCM server.
The registration_id is stored in com.google.android.gcm.xml, if the GCM registration is successful, the malware sends RegId to the C2 server.
From the above figures we can see that the malware uses AES to encrypt the json data that stores the reg_id, and it then sends the encrypted data to its C2 server.
This is used to gain device administrator rights.
This is utilized to show a locker screen that requests that the client present their Mastercard data to open the device. A code scrap of Omnpivk class is demonstrated as follows.
The locker screen is loaded from the asset folder. It looks like this.
Once the gadget is blocked by this malware, the locker screen is overlaid on top of the framework window. Clients are kept from doing anything on the gadget until their bankcard information is given.
Likewise you can read : No more ransom adds immense power to globe against Ransomware Battle
Once the client enters their card details, the malware sends it to the C2 server. The caught movement is demonstrated as follows.
This ransomware is now focusing on just Russian clients. Much the same as most Android malware today, this risk is covered up inside an application that solicitations clients to give it head rights.
The application is probably downloaded and introduced from outsider application stores. Since the ransomware gets administrator rights, clients need to reboot their gadgets in experimental mode and expel the application from that point.
General Methods to prevent Ransomware
2.Disable files running from AppData/LocalAppData folders.
3.Filter EXEs in the email.
4.Patch or Update your software.
5.Use the Cryptolocker Prevention Kit.
6.Use a reputable security suite.
7.CIA cycle(Confidentiality, integrity, and availability)
8.Utilize System Restore to recover the computer.
9.Disconnect Internet connection immediately.