MindLost, a new ransomware, has been investigated thoroughly by the MalwareHunter team through scrutinizing samples of it from the beginning of 2018. This malware is dangerous as it encrypts the data and redirects the user to an undesired webpage to threaten the user to pay ransom fees where the only payment method is by credit card. Some researchers believe that MindLost is still under construction and has more to do in the future. However, it is an active malware that targets .c, .jpg, .mp3, .mp4, .pdf, .png, .py and .txt. extensions.
Work in Progress
To prove that MindLost is not completely active, let us take a look on why these extensions are targeted by it. MindLost developers are smart since all storage extensions would take a lot of time to target them all, so instead, the target files in the “C:\Users” folder. So the next advancement would be targeting all the files in a PC. MindLost attributes the extension .enc for example to all of the files being encrypted. Then an image will pop up as your desktop background with the needed instructions to recover your files. As a measure of smartness, MindLost has a registry key to guarantee remaining on the computer even if it is rebooted.
Non-traditional Payment Scheme
Surprisingly, MindLost do not accept Bitcoin payments, but they do only accept payments by credit or debit card. And this is surprising since Bitcoin is the normal currency for all malware developers since it is difficult to track it, unlike credit payments since to receive credit payments, you have got to register as a merchant and supply some personal information.
The first thing that should pop in your mind that these developers want to steal your credit card details, causing more harm. Because it is illogical that they know that they could be easily traced, making no other option that the credit card options is nothing but stealing the customers’ information. The other option could be the developers are not mature enough or still they need to develop their site to accept ransom fees, which is an unlikely option.
Regardless of any matter, MindLost developers appear to have miniaturized experience in this field. The code has been investigated by researchers and they all agreed that the code is a very weak and basic one when compared with other malware codes. To further reveal how the code is weak, we will start with the fact that there are men names in the binary file path, which could mislead the researchers. Moreover, ransomwware binary is accompanied with hardcoded credentials that has the database of MindLost, which is something very amateur when speaking of programming. And this is mainly because any one who is investigating the case could make a connection with this database and retrieve any of the previous user’s data with having the encryption and decryption keys used to encrypt the files.
Related Article: The Dissection of Guts FinFisher