New LLTP Ransomware Appears to be a Rewritten Venus Locker

KNOWLEDGE BELONGS TO THE WORLD

A new ransomware called LLTP Ransomware or LLTP Locker was discovered today by MalwareHunterTeam; it targets Spanish-speaking victims. On closer inspection, this ransomware appears to be a rewritten version of the VenusLocker ransomware.

In summary, the LLTP Ransomware has the ability to work in online or offline mode. So regardless of whether there is a connection to the Internet, the ransomware will still encrypt a victim’s files. Furthermore, unlike most ransomware, this family assigns different extensions to encrypted files based upon the file’s original extension.

Unfortunately, at this time there is no way to decrypt this ransomware for free. For those who wish to discuss this ransomware or ask questions regarding it, you can use our VenusLocker Help & Support topic.

How the LLTP Ransomware Encrypts a Computer

When first started, the LLTP ransomware will connect to its Command & Control server located at http://moniestealer.co.nf and send the victim’s computer name, user name, and the identifier string “lltp2.4.0”. From the lltp2.4.0 string, I am making the assumption that the ransomware developers consider this version 2.4.0 of the ransomware.

When the ransomware connects to the C2 server, the C2 server responds with an AES password that is used to encrypt the victim’s files and an ID that will be inserted into the ransom notes. If the ransomware is unable to connect to the C2 server, it generates this information itself.

The encryption password is then encrypted using an embedded public RSA encryption key and saved in a file called %UserProfile%\AppData\Local\Temp\tlltpl.tlltpl as shown below.

Saving the Encryption Key to tlltpl.tlltpl

For victims who were encrypted in offline mode and wish to pay the ransom, the ransomware developers will need the tlltpl.tlltpl file. This file contains the victim’s RSA-encrypted AES key, and if it is deleted there will be no way to recover the files. Therefore, it is advised not to delete the tlltpl.tlltpl file until you know what you plan on doing.

Below is the embedded RSA public key currently used to encrypt the victim’s AES password, shown as its Base64 modulus followed by its Base64 public exponent.

Modulus: uOqfRJL1Q861GuA4Rhv+mHEjdgC9yL/8G/jhaMva3N0FJya4RhKgiyb9+9Pq+WYd/2/CkkeousxWtFD2ysjcI8kQ3YaflICVggmEVvT95/kxrYUBYQYrgDdQX/v+/slLO9jrWlo+1nwDV7hTW7YDKsGpKC71r5SqaRpCefppojE=
Exponent: AQAB
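The actual size of that key is worth checking against the RSA-2048 and RSA-4096 claims made in the ransom notes further down. The following is an added example, not code from the original write-up or from the sample; it decodes the modulus and exponent quoted above (which have the layout of a .NET RSAParameters pair) with the Python standard library only.

```python
import base64

# Modulus and exponent exactly as quoted above (Base64, .NET RSAParameters layout).
LLTP_MODULUS_B64 = (
    "uOqfRJL1Q861GuA4Rhv+mHEjdgC9yL/8G/jhaMva3N0FJya4RhKgiyb9+9Pq+WYd/2/Ckk"
    "eousxWtFD2ysjcI8kQ3YaflICVggmEVvT95/kxrYUBYQYrgDdQX/v+/slLO9jrWlo+1nwD"
    "V7hTW7YDKsGpKC71r5SqaRpCefppojE="
)
LLTP_EXPONENT_B64 = "AQAB"


def parse_dotnet_rsa_public(modulus_b64: str, exponent_b64: str) -> dict:
    """Decode a Base64 (Modulus, Exponent) pair into integers and report the
    modulus size in bits, which is what "RSA-1024/2048/4096" refers to."""
    n_bytes = base64.b64decode(modulus_b64, validate=True)
    e_bytes = base64.b64decode(exponent_b64, validate=True)
    n = int.from_bytes(n_bytes, "big")
    e = int.from_bytes(e_bytes, "big")
    return {"n": n, "e": e, "bits": n.bit_length(), "modulus_bytes": len(n_bytes)}


if __name__ == "__main__":
    key = parse_dotnet_rsa_public(LLTP_MODULUS_B64, LLTP_EXPONENT_B64)
    print(f"modulus: {key['bits']} bits ({key['modulus_bytes']} bytes), e = {key['e']}")
    for claimed in (2048, 4096):
        # The notes advertise these sizes; compare them with the embedded key.
        print(f"note claims RSA-{claimed}: {'matches' if key['bits'] == claimed else 'does not match'}")
```

The embedded modulus is 128 bytes, i.e. a 1024-bit key with the usual public exponent 65537, smaller than either size the ransom notes advertise.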

The LLTP ransomware will now proceed with encrypting the victim’s files using AES-256 encryption. Unlike most ransomware, this family utilizes a different extension for encrypted files depending on the file’s original extension. With LLTP, if a file contains one of the following extensions it will append the .ENCRYPTED_BY_LLTP extension to the encrypted file.

.txt, .ini, .php, .html, .css, .py, .c, .cxx, .aspx, .cpp, .cc, .h, .cs, .sln, .log, .pl, .java, .doc, .dot, .docx, .docm, .dotx, .dotm, .rtf, .wpd, .docb, .wps, .msg, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .class, .jar, .csv, .xml, .dwg, .dxf, .asp

If a file has one of the following extensions instead, it will use the .ENCRYPTED_BY_LLTPp extension.

.asf, .pdf, .xls, .docx, .xlsx, .mp3, .waw, .jpg, .jpeg, .txt, .ost, .oab, .jsp, .rtf, .doc, .rar, .zip, .psd, .tif, .wma, .gif, .bmp, .ppt, .pptx, .docm, .xlsm, .pps, .ppsx, .ppd, .eps, .png, .ace, .djvu, .tar, .cdr, .max, .wmv, .avi, .wav, .mp4, .pdd, .php, .aac, .ac3, .amf, .amr, .dwg, .dxf, .accdb, .mod, .tax2013, .tax2014, .oga, .ogg, .pbf, .ra, .raw, .saf, .val, .wave, .wow, .wpk, .3g2, .3gp, .3gp2, .3mm, .amx, .rpt, .avs, .bik, .dir, .divx, .dvx, .evo, .flv, .qtq, .tch, .rts, .rum, .rv, .scn, .srt, .stx, .svi, .swf, .trp, .vdo, .wm, .wmd, .wmmp, .wmx, .wvx, .xvid, .3d, .3d4, .3df8, .pbs, .adi, .ais, .amu, .arr, .bmc, .bmf, .cag, .cam, .dng, .ink, .ini, .jif, .jiff, .jpc, .jpf, .jpw, .mag, .mic, .mip, .msp, .nav, .ncd, .odc, .odi, .opf, .qif, .xwd, .abw, .act, .adt, .aim, .ans, .asc, .ase, .bdp, .bdr, .bib, .boc, .crd, .diz, .dot, .dotm, .dotx, .dvi, .dxe, .mlx, .err, .euc, .faq, .fdr, .fds, .gthr, .idx, .kwd, .lp2, .ltr, .man, .mbox, .msg, .nfo, .now, .odm, .oft, .pwi, .rng, .rtx, .run, .ssa, .text, .unx, .wbk, .wsh, .7z, .arc, .ari, .arj, .car, .cbr, .cbz, .gz, .gzig, .jgz, .pak, .pcv, .puz, .rev, .sdn, .sen, .sfs, .sfx, .sh, .shar, .shr, .sqx, .tbz2, .tg, .tlz, .vsi, .wad, .war, .xpi, .z02, .z04, .zap, .zipx, .zoo, .ipa, .isu, .jar, .js, .udf, .adr, .ap, .aro, .asa, .ascx, .ashx, .asmx, .asp, .indd, .asr, .qbb, .bml, .cer, .cms, .crt, .dap, .htm, .moz, .svr, .url, .wdgt, .abk, .bic, .big, .blp, .bsp, .cgf, .chk, .col, .cty, .dem, .elf, .ff, .gam, .grf, .h3m, .h4r, .iwd, .ldb, .lgp, .lvl, .map, .md3, .mdl, .nds, .pbp, .ppf, .pwf, .pxp, .sad, .sav, .scm, .scx, .sdt, .spr, .sud, .uax, .umx, .unr, .uop, .usa, .usx, .ut2, .ut3, .utc, .utx, .uvx, .uxx, .vmf, .vtf, .w3g, .w3x, .wtd, .wtf, .ccd, .cd, .cso, .disk, .dmg, .dvd, .fcd, .flp, .img, .isz, .mdf, .mds, .nrg, .nri, .vcd, .vhd, .snp, .bkf, .ade, .adpb, .dic, .cch, .ctt, .dal, .ddc, .ddcx, .dex, .dif, .dii, .itdb, .itl, .kmz, .lcd, .lcf, .mbx, .mdn, .odf, .odp, .ods, .pab, .pkb, .pkh, .pot, .potx, .pptm, 
.psa, .qdf, .qel, .rgn, .rrt, .rsw, .rte, .sdb, .sdc, .sds, .sql, .stt, .tcx, .thmx, .txd, .txf, .upoi, .vmt, .wks, .wmdb, .xl, .xlc, .xlr, .xlsb, .xltx, .ltm, .xlwx, .mcd, .cap, .cc, .cod, .cp, .cpp, .cs, .csi, .dcp, .dcu, .dev, .dob, .dox, .dpk, .dpl, .dpr, .dsk, .dsp, .eql, .ex, .f90, .fla, .for, .fpp, .jav, .java, .lbi, .owl, .pl, .plc, .pli, .pm, .res, .rsrc, .so, .swd, .tpu, .tpx, .tu, .tur, .vc, .yab, .aip, .amxx, .ape, .api, .mxp, .oxt, .qpx, .qtr, .xla, .xlam, .xll, .xlv, .xpt, .cfg, .cwf, .dbb, .slt, .bp2, .bp3, .bpl, .clr, .dbx, .jc, .potm, .ppsm, .prc, .prt, .shw, .std, .ver, .wpl, .xlm, .yps, .1cd, .bck, .html, .bak, .odt, .pst, .log, .mpg, .mpeg, .odb, .wps, .xlk, .mdb, .dxg, .wpd, .wb2, .dbf, .ai, .3fr, .arw, .srf, .sr2, .bay, .crw, .cr2, .dcr, .kdc, .erf, .mef, .mrw, .nef, .nrw, .orf, .raf, .rwl, .rw2, .r3d, .ptx, .pef, .srw, .x3f, .der, .pem, .pfx, .p12, .p7b, .p7c, .jfif, .exif, .docb, .xlt, .xltm, .xlw, .ppam, .sldx, .sldm, .class, .db, .pdb, .dat, .csv, .xml, .spv, .grle, .sv5, .game, .slot, .aaf, .aep, .aepx, .plb, .prel, .prproj, .eat, .ppj, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .svg, .as3, .as

When encrypting a file it will take the original filename, Base64 encode it, and then append the appropriate extension based on the file types listed above. For example, a file named Wildlife.wmv will be encrypted to a file named V2lsZGxpZmUud212.ENCRYPTED_BY_LLTPp.
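Because the renaming is a reversible Base64 encoding, an incident responder can recover the original filenames from a directory listing without any key. The following is an added example (not the page's or the sample's code) that undoes the renaming described above and separates the .ENCRYPTED_BY_LLTPp files, which are the ones also copied into the vault folder; it assumes the original names were UTF-8 encoded and the listing below is constructed.

```python
import base64
import binascii

# Suffixes described above; the longer one is tried first.
LLTP_SUFFIXES = (".ENCRYPTED_BY_LLTPp", ".ENCRYPTED_BY_LLTP")


def recover_original_name(encrypted_name: str):
    """Undo LLTP's renaming: strip the appended suffix and Base64-decode the rest.
    Returns (original_name, suffix), or None if the name is not LLTP-shaped or the
    Base64 part is malformed. Assumes the original name was UTF-8 (assumption)."""
    for suffix in LLTP_SUFFIXES:
        if not encrypted_name.endswith(suffix):
            continue
        encoded = encrypted_name[: -len(suffix)]
        try:
            original = base64.b64decode(encoded, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return None
        return (original, suffix) if original else None
    return None


def inventory(names):
    """Summarise a listing: recovered names, the subset that was also copied
    into the vault folder (.ENCRYPTED_BY_LLTPp), and names left untouched."""
    recovered, vaulted, skipped = {}, [], []
    for name in names:
        result = recover_original_name(name)
        if result is None:
            skipped.append(name)
            continue
        original, suffix = result
        recovered[name] = original
        if suffix == ".ENCRYPTED_BY_LLTPp":
            vaulted.append(original)
    return {"recovered": recovered, "vaulted": vaulted, "skipped": skipped}


# Constructed listing: the page's Wildlife.wmv example plus made-up neighbours.
SAMPLE_LISTING = [
    "V2lsZGxpZmUud212.ENCRYPTED_BY_LLTPp",   # Wildlife.wmv
    "bm90ZXMudHh0.ENCRYPTED_BY_LLTP",        # notes.txt
    "LEAME.txt",                             # ransom note, not renamed
    "!!!.ENCRYPTED_BY_LLTP",                 # malformed Base64 part
]

if __name__ == "__main__":
    print(inventory(SAMPLE_LISTING))
```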

While encrypting files, it will skip any files located in the following folders:

Program Files, Program Files (x86), Windows, Python27, Python34, AliWangWang, Avira, wamp, Avira, 360, ATI, Google, Intel, Internet Explorer, Kaspersky Lab, Microsoft Bing Pinyin, Microsoft Chart Controls, Microsoft Games, Microsoft Office, Microsoft.NET, MicrosoftBAF, MSBuild, QQMailPlugin, Realtek, Skype, Reference Assemblies, Tencent, USB Camera2, WinRAR, Windows Sidebar, Windows Portable Devices, Windows Photo Viewer, Windows NT, Windows Media Player, Windows Mail, NVIDIA Corporation, Adobe, IObit, AVAST Software, CCleaner, AVG, Mozilla Firefox, VirtualDJ, TeamViewer, ICQ, java, Yahoo!

The ransomware will also create a folder called %Temp%\lltprwx86\ and extract into it a file called encp.exe, which is a renamed copy of Rar.exe. It then creates a subfolder called vault and copies into it every file encrypted with the .ENCRYPTED_BY_LLTPp extension. When finished, it uses encp.exe to create a password-protected RAR archive of the vault folder. The password for this archive is the same 32-character password used to encrypt the files. The reason for creating this archive is currently unknown.

The command used to create the password protected archive is:

encp.exe a -r -mt2 -dw -hp [password] -m0 %Temp%\lltprwx86\Files.LLTP %Temp%\lltprwx86\vault\*.*

When the encryption process is done, LLTP will delete the shadow volume copies on the computer to prevent a victim from recovering files. It does this by issuing the following command:

C:\Windows\system32\wbem\wmic.exe shadowcopy delete
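Both of the commands quoted above are visible in process-creation telemetry, which makes them useful detection points. The following is an added example (not from the original write-up) that runs two simple rules over constructed Sysmon-style events: shadow copy deletion through wmic, and an archiver launched from a user's Temp directory with RAR's -hp switch (password on data and headers) and -dw switch (wipe source files after archiving), as in the encp.exe command line shown earlier. The event records and the victim paths are constructed, not real telemetry.

```python
import re

# Constructed process-creation events (image path + command line), shaped after
# the commands quoted above; the user name and password are placeholders.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\system32\wbem\wmic.exe",
     "cmdline": r"C:\Windows\system32\wbem\wmic.exe shadowcopy delete"},
    {"image": r"C:\Users\victim\AppData\Local\Temp\lltprwx86\encp.exe",
     "cmdline": r"encp.exe a -r -mt2 -dw -hp PASSWORD_PLACEHOLDER -m0 "
                r"C:\Users\victim\AppData\Local\Temp\lltprwx86\Files.LLTP "
                r"C:\Users\victim\AppData\Local\Temp\lltprwx86\vault\*.*"},
    {"image": r"C:\Program Files\WinRAR\Rar.exe",           # benign archive job
     "cmdline": r"Rar.exe a -r backup.rar C:\Users\victim\Documents\*.docx"},
    {"image": r"C:\Windows\system32\wbem\wmic.exe",         # benign wmic query
     "cmdline": "wmic.exe os get caption"},
]

# Rule 1: shadow copy deletion via WMIC, however the executable path is written.
SHADOW_DELETE = re.compile(r"wmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.IGNORECASE)
# Rule 2: an executable under a user's Temp directory creating a RAR archive with
# -hp (password-protect data and headers); -dw (wipe sources) raises the severity.
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
RAR_ENCRYPTED = re.compile(r"(^|\s)-hp\S*(\s|$)")
RAR_WIPE = re.compile(r"(^|\s)-dw(\s|$)")


def detect(events):
    """Return (rule_name, event_index) pairs for events matching the LLTP behaviours."""
    hits = []
    for i, ev in enumerate(events):
        cmd = ev["cmdline"]
        if SHADOW_DELETE.search(cmd):
            hits.append(("shadow_copy_deletion", i))
        if TEMP_DIR.search(ev["image"]) and RAR_ENCRYPTED.search(cmd):
            name = "encrypted_archive_from_temp_dir"
            if RAR_WIPE.search(cmd):
                name += "_with_wipe"
            hits.append((name, i))
    return hits


if __name__ == "__main__":
    for rule, idx in detect(SAMPLE_EVENTS):
        print(f"{rule}: {SAMPLE_EVENTS[idx]['cmdline']}")
```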

It will also extract a file called RansomNote.exe and store it on the desktop. It then creates an autostart entry so that this program runs automatically when a user logs into Windows. When executed, this program displays a Spanish ransom note to the victim, as shown below.

Spanish Ransom Note

It will also extract a text ransom note on the desktop called LEAME.txt.

Leame.txt Ransom Note

Finally, the ransomware downloads a JPG file from http://i.imgur.com/VdREVyH.jpg and uses it as the desktop background.

LLTP Background

Both ransom notes and the desktop background demand a ransom payment of 0.2 BTC, or approximately $200 USD. Victims are instructed to send this payment to the bitcoin address 19fhNi9L2aYXTaTFWueRhJYGsGDaN6WGcP and then contact the author at LLTP@mail2tor.com with their personal ID and the payment transaction. At this time there have been no payments made to the listed bitcoin address.

As previously said, unfortunately at this time the LLTP Ransomware does not look like it can be decrypted. Those who want to discuss this ransomware or receive updates about it can subscribe to our VenusLocker Help & Support topic.

IOCS:

Files associated with the LLTP Ransomware:

%UserProfile%\AppData\Local\Temp\lltprwx86\
%UserProfile%\AppData\Local\Temp\lltprwx86\encp.exe
%UserProfile%\AppData\Local\Temp\lltprwx86\Files.LLTP
%UserProfile%\AppData\Local\Temp\lltprwx86\vault\
%UserProfile%\AppData\Local\Temp\tlltpl.tlltpl
%UserProfile%\AppData\Local\Temp\uinf.uinf
%UserProfile%\Desktop\LEAME.txt
%UserProfile%\bg.jpg

Registry entries associated with the LLTP Ransomware:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\LLTP	%UserProfile%\Desktop\Ransomnote3.5.exe
HKCU\Control Panel\Desktop\Wallpaper	"%UserProfile%\bg.jpg"

Hashes:

SHA256: a3b2ad5dc747c533871c691a1f78631063b08549e213e7abbac5e961588d10ea
SHA256: 46f8dc86d571a6bda00faade21b719ec82c5a1dda3b0fc54bb053a5004557e2d

Network Communication:

http://moniestealer.co.nf/nran/gen.php
http://i.imgur.com/VdREVyH.jpg

LLTP Lock Screen Ransom Note Text:

A partir de este momento, todos los archivos importantes almacenados en este computador, tales como: documentos (excel, pdf, doc, etc), bases de datos (sql, mdb, etc), fotos, musica, videos entre otros, se encuentran encriptados con cifrado AES-256 y RSA-2048, esto significa que estos archivos estan actualmente BLOQUEADOS con una llave virtual unica generada excusivamente para este computador, la cual se encuentra almacenada en nuestro servidor secreto de internet, y le aseguramos que es IMPOSIBLE desbloquearlos sin dicha llave virtual.

Pero no se preocupe, sus archivos aun se encuentran en su computador, pero estan bloqueados.

Si a usted le importan sus archivos y desea recuperarlos, todo lo que debe hacer es realizar un pago de 0,2 Bitcoins (Cerca de $ 200 USD) por la llave virtual y el servico de decifrado, enviando dichos bitcoins a la siguiente direccion: 

Si desea realizar el pago y recuperar sus archivos, favor envienos un e-mail a nuestra direccion oficial: LLTP@mail2tor.com con su ID personal y recibira toda la asesoria necesaria para completar su pago y desbloquear sus archivos.

NOTA: SOLO DISPONE DE 72 HORAS PARA REALIZAR EL PAGO, DE LO CONTRARIO SU LLAVE VIRTUAL SERA ELIMINADA AUTOMATICAMNETE Y TODOS SUS ARCHIVOS QUEDARAN BLOQUEADOS PERMANENTEMENTE

NOTA2: NO INTENTE RECUPERAR SUS ARCHIVOS POR SU CUENTA YA QUE PODRIA DAÑARLOS Y ESTO ENCARECERIA EL SERVICIO DE DECIFRADO, O PEOR AUN PODRIA TERMINAR DE PERDERLOS PARA SIEMPRE.

LEAME.txt Ransom Note Text:

--- THE LLTP RANSOMWARE ---
Unfortunately, you are hacked.
1. What happened to my files?
Your personal files, including your photos, documents, videos and other important files on this computer, have been encrypted with RSA-4096, the strongest encryption algorithm. RSA algorithm generates a public key and a private key for your computer. The public key was used to encrypt your files a moment ago. The private key is necessary for you to decrypt and recover your files. Now, your private key is stored on our secret Internet server. And there is no doubt that no one can recover your files without your private key.
For further information about RSA algorithm, please refer to https://en.wikipedia.org/wiki/RSA_(cryptosystem)
2. How to decrypt my files?
To decrypt and recover your files, you have to pay #ramt# US Dollars for the private key and decryption service. Please note that you have ONLY 72 HOURS to complete your payment. If your payment do not be completed within time limit, your private key will be deleted automatically by our server. All your files will be permanently encrypted and nobody can recover them. Therefore, it is advised that you'd better not waste your time, because there is no other way to recover your files except making a payment.
3. How to pay for my private key?
There are three steps to make a payment and recover your files: 
1). For the security of transactions, all the payments must be completed via Bitcoin network. Thus, you need to exchange #ramt# US dollars (or equivalent local currencies) to Bitcoins, and then send these Bitcoins (about #btc# BTC) to the following address. 19fhNi9L2aYXTaTFWueRhJYGsGDaN6WGcP
2). Send your personal ID to our official email: LLTP@mail2tor.com
Your personal ID is: #id#
3). You will receive a decryptor and your private key to recover all your files within one working day.
4. What is Bitcoin?
Bitcoin is an innovative payment network and a new kind of money. It is based on an open-source cryptographic protocol that is independent of any central authority. Bitcoins can be transferred through a computer or a smartphone withour an intermediate financial institution.
5. How to make a payment with Bitcoin?
You can make a payment with Bitcoin based on Bitcoin Wallet or Based on Perfect Money. You can choose the way that is more convenient for you.
About Based on Bitcoin Wallet
1) Create a Bitcoin Wallet. We recommend Blockchain.info (https://blockchain.info/)
2) Buy necessary amount of Bitcoins. Our recommendations are as follows.
LocalBitcoins.com -- the fastest and easiest way to buy and sell Bitcoins.
CoinCafe.com -- the simplest and fastest way to buy, sell and use Bitcoins.
BTCDirect.eu -- the best for Europe.
CEX.IO -- Visa / MasterCard
CoinMama.com -- Visa / MasterCard
HowToBuyBitcoins.info -- discover quickly how to buy and sell Bitcoins in your local currency.
3) As mentioned above, send about #btc# BTC (equivalent to #ramt# USD) to our Bitcoin receiving address.
4) As mentioned above, and then, send us your personal ID via email, you will receive your private key soon.
About Based on Perfect Money
1) Create a Perfect Money account. (https://perfectmoney.is)
2) Visit to PMBitcoin.com. (https://pmbitcoin.com/btc) 
input our Bitcoin receiving address in the "Bitcoin Wallet" textbox. 
input #ramt# in the "Amount" textbox, the amount of Bitcoin will be calculated automatically.
click "PAY" button, then you can complete you payment with your Perfect Money account and local debit card.
6. If you have any problem, please feel free to contact us via official email.
Best Regards
The LLTP Locker Team

Source: https://www.bleepingcomputer.com/
