A new ransomware appeared this past week and in the span of two days it went from version 1.0 to 3.0, as its author, a German developer known as EvilTwin, or Exotic Squad, really wanted to impress security researchers with his “work of art.”
Called Exotic, this ransomwareis your run-of-the-mill ransomware that locks files, shows a ransom note and asks for money to unlock your data.
According to MalwareHunterTeam, the developer that first spotted the ransomware, this is not the most advanced and well-coded piece of malware he has looked at in the past months.
Exotic isn’t a threat at the time of writing. According to multiple researchers, and its author, the ransomware is still a work in progress.
MalwareHunterTeam found Exotic 1.0 on October 12, when, as he likes to do, he started a group analysis on Twitter to share information on the new threat with other analysts. As is sometimes a custom, one of the researchers recorded a video of the ransomware in action, walking other researchers through the infection process.
To everyone’s surprise, the ransomware author contacted the researcher and thanked him for the time he took to showcase his “work” and make the video, and even wanted to become friends on Skype, as these screengrabs show. This gesture took many by surprise, since malware authors usually do everything in their powers to avoid security researchers and their prying eyes, especially ransomwareAnalysts, who many times crack encryption algorithms, ruining their operations.
Researchers found Exotic 2.0 and Exotic 3.0 during the next two days, but they both contained minimal changes. At the time of writing, there is no spam or malvertising campaign pushing this threat.
As for Exotic’s technical capabilities, the ransomware works by encrypting files with the AES-128 algorithm and requiring the user to pay a ransom of $50 in Bitcoin.
At the file level, the ransomware encrypts files, gives them a random name, and replaces the original extension with “.exotic”.
Exotic 1.0 is easy to spot because it uses an image of Hitler for the ransom note background, probably inspired by the Hitler ransomwarethat appeared at the start of August. The other two versions dropped this image and used a minimal lock screen inspired by the Jigsaw ransomware. This is nothing out of the ordinary, and most ransomware works following the same pattern.
The only distinctive feature about Exotic is actually a bug that initially fooled researchers into thinking it was slowing down PCs by constantly scanning computers for newly added files. In the end, it turned out that the crook targeted a few folders for encryption more than once.
The error is quite trivial, and this shows that EvilTwin has no experience working with ransomware-which most security researchers suspected since the beginning.