Bitcoin Ransomware Education – PSCrypt

Ukraine is now a hotbed for testing new types of ransomware. Several types of malware have attacked computers across the country over the past two months. One of those ransomware strains goes by the name of PSCrypt. Even though this malicious tool has been around for some time now, we still know very little about this threat.

PSCrypt Doesn’t Like Ukrainian Computer Users

Security researchers were quite surprised to discover yet another ransomware attack mainly targeting Ukrainian computer users. PSCrypt surfaced a few days before the global NotPetya attack took place. This malware was mainly targeting people in Ukraine, who made up close to 80% of all of its victims. Cyber warfare is taking different forms these days, and it seems Ukraine is attractive to criminals.

What makes PSCrypt so troublesome is how little public information there is on it. However, we know PSCrypt is based on the GlobeImposter 2.0 ransomware strain, which has been in circulation since early 2016. As the name suggests, GlobeImposter 2.0 was a global malware threat, as it targets computer users and corporate systems all over the world.

This is what sets PSCrypt apart from most other types of ransomware, as it is only seems to target one country. Granted, there have been a handful of reports from other countries in the world, but they are very sporadic at best. Considering it was the third major cyber attack against Ukrainian computer users in a few weeks, it is clear something is going on behind the scenes.

As far as the distribution of PSCrypt goes, it seems to spread itself through unsecured Remote Desktop Protocol connections. Once the assailant gains access to an insecure system, they transmit a file containing the malware payload. Similar to virtually every other type of prominent type of ransomware in existence, PSCrypt will immediately encrypt all files on the computer. Some folders are exempt from the encryption process, including folder names with “Windows”, “Microsoft”, and “Temp”, among others.

PSCrypt has its own custom file extension, which is applied to all encrypted files. It also leaves a ransom note on the victim’s computer, which instructs users on how to make a Bitcoin payment to receive the decryption key. Interestingly, the note is written in Ukrainian, even though the malware’s source code contains an English version. It does not appear victims are asked to pay a fixed amount in Bitcoin, and the price will depend on how fast victims contact the assailants via email.

To make the Bitcoin Payment, victims have to go through a more complex method than usual. Using a command control server would have been much easier for both the assailants and their victims. It is unclear why they have not chosen this method, albeit we have seen other ransomware developers move away from using such a centralized point of failure over the past few weeks.

If you liked this article, follow us on Twitter @themerklenews and make sure to subscribe to our newsletter to receive the latest bitcoin, cryptocurrency, and technology news.