Bitcoin Ransomware Education – RSAUtil


One of the most prominent trends among internet criminals comes in the form of exploiting remote desktop services. In one particular case, these exploits are used to install the RSAUtil ransomware. As it turns out, this is quite a powerful way to infect as many computers with malicious software as possible. Moreover, it does not appear one can decrypt this ransomware for free as of right now.

RSAUtil Ransomware Is A Different Creature

It is somewhat disconcerting to learn criminals are purposefully using remote desktop service hacking to infect computers with various types of malware, including ransomware. Then again, this is not entirely surprising, as traditional distribution methods will ultimately become less effective as time progresses. Spam emails and pirated software downloads are popular right now, but criminals have to look toward the future as well.

RSAUtil is currently distributed through hacked remote desktop services. The people behind this malicious toolkit upload a package of different files to infected hosts, which contains a config file, the ransomware itself, and a set of other tools. It is evident exploiting remote desktop services can quickly become a new way of successfully distributing malware on a large scale.

The people over at BleepingComputer took a closer look at the RSAUtil installation package and found some interesting information. As one would expect, there is a file that will clear event logs, removing any trace of how the computer was infected in the first place. Additionally, the configuration file will determine what type of ID is used for encryption, how files should be renamed, and which encryption key is used to complete the task.

There is a lot more to RSAUtil than most people would give it credit for, though. There is also an executable file that actively prevents the infected computer from entering its sleep mode. A hibernating computer would result in the hacker losing access to the machine until it is online again. To make matters even more troublesome, the perpetrators use a legitimate piece of software to achieve this goal.

The ransomware payload itself is installed through a modified svchosts.exe file. As was to be expected, this file will scan all computer folders and files, as well as network drives and other shares found on the network. All of these locations will be encrypted by the ransomware payload. Moreover, RSAUtil does not encrypt specific file types, instead modifies any file it can find, which will not make the analyzing process of this malware sample any easier.

RSAUtil is another type of ransomware asking for a Bitcoin payment, although it remains unclear how much money one has to pay to restore file access. For now, there is no way to decrypt files free of charge, although that may only be a matter of time in the long run. For now, this ransomware poses a significant threat to computer users worldwide, and it may take some time until people even realize their device has been compromised.

If you liked this article, follow us on Twitter @themerklenews and make sure to subscribe to our newsletter to receive the latest bitcoin, cryptocurrency, and technology news.