The Nullbyte Ransomware pretends to be the NecroBot Pokemon Go Application


A new DetoxCrypto Ransomware variant called the Nullbyte Ransomware has been discovered by Emsisoft security researcher xXToffeeXx. It pretends to be the popular Pokemon Go bot application called NecroBot. Once a machine is infected, the ransomware encrypts the victim's files and then demands 0.1 bitcoin to decrypt them. Thankfully, Michael Gillespie was able to create a decryptor so that victims can get their files back for free.

This ransomware is distributed from a Github project that pretends to be a rebuilt version of the NecroBot application, in the hope that people will download it believing it to be the legitimate application.

Fake NecroBot Github Page

When someone downloads and executes the application, it shows the standard NecroBot interface asking the victim to log in.

NecroBot

If any login info, real or fake, is entered and the Login button is pressed, the program will pretend to try to log in to the NecroBot servers. In the background, though, the ransomware steals the entered credentials by uploading them to its command and control server and then begins to encrypt the victim's files.

Encrypting

When finished, the ransomware displays its lock screen, which prompts the user to pay 0.1 bitcoin to decrypt the files.

Ransom Note Lock Screen

The Nullbyte Ransomware Encryption Process

According to further analysis by MalwareHunterTeam, the Nullbyte ransomware will encrypt files using AES encryption and then append the _nullbyte extension to encrypted files. For example, test.jpg would become test.jpg_nullbyte when the file is encrypted.

When encrypting files, the Nullbyte ransomware encrypts any file located in the following folders:

%USERPROFILE%\Documents
%USERPROFILE%\Downloads
%USERPROFILE%\Favorites
%USERPROFILE%\Pictures
%USERPROFILE%\Music
%USERPROFILE%\Videos
%USERPROFILE%\Contacts
%USERPROFILE%\Desktop

While running, the ransomware also terminates the chrome, cmd, taskmgr, firefox, iexplore, and opera processes. This is done to make it difficult to remove the ransomware or to search for help on the web.

Last, but not least, the ransomware takes a screenshot of the currently active Windows desktop and uploads it to its command & control server. At this time it is unknown how the screenshot is used, but it could serve information theft or blackmail.

Decrypting the Nullbyte Ransomware

Thankfully, Michael Gillespie was able to create a decryptor for the Nullbyte Ransomware. Instructions on how to use the decryptor can be found in the Nullbyte Ransomware Help and Support Topic.

Below is a screenshot of the decryptor decrypting files encrypted by this ransomware.

Nullbyte Decryptor

Files associated with the Nullbyte Ransomware

%UserProfile%\Desktop\DecryptInfo.exe
%UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost32.exe
%UserProfile%\Documents\bg.jpg
%UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DecryptInfo.exe
%UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\enhost32.exe

IOCs:

SHA256: 96992b32a1bd469dfb778d8d2d1a24dbc41d5adc11d05efa659e6c85de0f50ad

Network Traffic:

https://tools.feron.it/php/ip.php
ftp://ftp.taylorchensportfolio.netai.net/DECRYPTINFO-LAUNCHED
ftp://ftp.taylorchensportfolio.netai.net/DECRYPT-REQUEST
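The following host triage script is an added example, not code from BleepingComputer or the researchers named above. It turns the behaviour and file indicators in this article into a check a responder can run against a copied or mounted user profile: it looks for files carrying the _nullbyte extension in the targeted folders, for the dropped files listed above, and hashes any dropped file it finds against the published SHA256. The fake profile it builds in a temp directory is constructed sample data so the script runs offline; the recursive walk of the target folders and the helper names (find_nullbyte_indicators, original_name, build_sample_profile) are this example's own assumptions.

```python
"""Triage helper for the Nullbyte ransomware indicators described in the article.

Added example, not the article's or the researchers' code. Point
find_nullbyte_indicators() at a copy of a %USERPROFILE% tree (or a mounted
image); build_sample_profile() only exists so the script runs offline on
constructed data.
"""
import hashlib
import tempfile
from pathlib import Path

# Extension the ransomware appends (article): test.jpg -> test.jpg_nullbyte
NULLBYTE_SUFFIX = "_nullbyte"

# Folders the ransomware encrypts, relative to %USERPROFILE% (article)
TARGET_FOLDERS = ["Documents", "Downloads", "Favorites", "Pictures",
                  "Music", "Videos", "Contacts", "Desktop"]

# Files the article associates with the infection, relative to %USERPROFILE%
STARTUP = Path("AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup")
DROPPED_FILES = [
    Path("Desktop/DecryptInfo.exe"),
    STARTUP / "svhost32.exe",      # lookalike of the legitimate svchost.exe
    Path("Documents/bg.jpg"),
    STARTUP / "DecryptInfo.exe",
    STARTUP / "enhost32.exe",
]

# SHA256 published as an IOC in the article. The article does not say which
# file it belongs to, so every dropped artifact that is present gets hashed.
KNOWN_SHA256 = {"96992b32a1bd469dfb778d8d2d1a24dbc41d5adc11d05efa659e6c85de0f50ad"}


def sha256_of(path: Path) -> str:
    """Stream-hash a file so large artifacts do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def original_name(name: str) -> str:
    """Recover the pre-encryption file name (test.jpg_nullbyte -> test.jpg)."""
    return name[:-len(NULLBYTE_SUFFIX)] if name.endswith(NULLBYTE_SUFFIX) else name


def find_nullbyte_indicators(profile: Path) -> dict:
    """Scan a profile root and return encrypted files, dropped files and hash hits.

    Assumption of this example: subfolders of the target folders are walked too
    (the article only names the top-level folders).
    """
    encrypted = []
    for folder in TARGET_FOLDERS:
        root = profile / folder
        if not root.is_dir():
            continue
        for p in root.rglob("*"):
            if p.is_file() and p.name.endswith(NULLBYTE_SUFFIX):
                encrypted.append(p.relative_to(profile).as_posix())

    dropped = [rel.as_posix() for rel in DROPPED_FILES if (profile / rel).is_file()]
    hash_hits = [rel.as_posix() for rel in DROPPED_FILES
                 if (profile / rel).is_file() and sha256_of(profile / rel) in KNOWN_SHA256]

    return {"encrypted": sorted(encrypted), "dropped": sorted(dropped),
            "hash_hits": sorted(hash_hits)}


def build_sample_profile() -> Path:
    """Constructed sample data, not a real infection: two encrypted files, one
    untouched file and two of the dropped artifacts with placeholder bytes."""
    base = Path(tempfile.mkdtemp(prefix="nullbyte_demo_"))
    (base / "Pictures").mkdir()
    (base / "Pictures" / "test.jpg_nullbyte").write_bytes(b"\x00" * 64)
    (base / "Documents" / "notes").mkdir(parents=True)
    (base / "Documents" / "notes" / "report.docx_nullbyte").write_bytes(b"\x00" * 64)
    (base / "Music").mkdir()
    (base / "Music" / "untouched.mp3").write_bytes(b"ID3")
    (base / STARTUP).mkdir(parents=True)
    (base / STARTUP / "enhost32.exe").write_bytes(b"MZ")  # placeholder, not the real binary
    (base / "Documents" / "bg.jpg").write_bytes(b"\xff\xd8")
    return base


if __name__ == "__main__":
    result = find_nullbyte_indicators(build_sample_profile())
    for f in result["encrypted"]:
        print(f"encrypted: {f} (original name: {original_name(Path(f).name)})")
    for f in result["dropped"]:
        print(f"dropped artifact present: {f}")
    for f in result["hash_hits"]:
        print(f"SHA256 IOC match: {f}")
```

On the constructed profile the script reports the two _nullbyte files and the two dropped artifacts, and no hash match, because the placeholder bytes are not the real binary; on a real profile a hash hit against the published SHA256 confirms the sample, while the extension and Startup-folder checks still fire on variants whose hash differs.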

Source: https://www.bleepingcomputer.com/