New RedEye ransomware destroys victims' files, rewrites MBR if they fail to pay up

A new piece of ransomware named RedEye has been discovered that destroys victims’ files, rather than encrypting or holding them for ransom.

This new strain of malware has been created by iCoreX, the developer behind the infamous Annabelle ransomware, who also claims to have made the Jigsaw ransomware that was spotted a couple of years ago.

Although the working model is similar to Annabelle and Jigsaw, RedEye's destructive nature makes it stand out. Unlike most ransomware families, RedEye permanently destroys the user's files if it finds there is no financial gain.

According to a new blog post by malware researcher Bart Blaze, this new malware is delivered via a large file which is about 35 MB and contains images and audio files embedded in the binary. Among these, there are three .wav files -- child.wav, redeye.wav and suicide.wav -- intended to scare victims.

The malware author used ConfuserEx and compression, along with a few other tricks, to protect the binary. Once installed on a victim's system, the ransomware performs a series of actions to make its removal difficult, including disabling Windows Task Manager and hiding the infected machine's drives.

The malware then encrypts the files using the AES-256 encryption algorithm and appends the .RedEye extension to them. It then displays a warning note that tells users to pay the ransom or have their files destroyed. The affected users are asked to pay 0.1 Bitcoins to a specific address on the .onion website within just four days.

RedEye's warning note features four options: view the encrypted files, decrypt them, get support, or destroy the PC. If a user clicks on the last option, a GIF is displayed in the background with two choices, asking them either to go ahead by clicking the 'Do it' button or to close the image. If a user selects the 'Do it' option, the malware reboots the machine and replaces the MBR (Master Boot Record).

When the victim powers up the system, they are greeted with a message that says, “RedEye terminated their computer,” along with the signature of the 'iCoreX' malware author.
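An MBR replacement like the one described above can be detected by comparing sector 0 of the disk against a known-good copy saved earlier. The following is an added example, not code from the original article or from Bart Blaze's analysis; the function names and the sample sectors are constructed for illustration, and it assumes the 512 bytes of sector 0 have already been read from the disk.

```python
import hashlib
import struct

SECTOR = 512

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot-code hash, partition table and signature."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):  # four 16-byte partition entries start at offset 446
        entry = sector[446 + 16 * i: 462 + 16 * i]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0:  # partition type 0 means the slot is unused
            parts.append({"bootable": entry[0] == 0x80, "type": entry[4], "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:440]).hexdigest(),  # bytes 0-439 hold boot code
        "partitions": parts,
        "signature_ok": sector[510:512] == b"\x55\xaa",
    }

def compare_to_baseline(baseline: bytes, current: bytes) -> list:
    """Return findings describing how the current MBR differs from the baseline."""
    old, new = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if old["boot_code_sha256"] != new["boot_code_sha256"]:
        findings.append("boot code changed")
    if old["partitions"] != new["partitions"]:
        findings.append("partition table changed")
    if not new["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    return findings

def build_sample_mbr(boot_code: bytes, with_partition: bool = True) -> bytes:
    """Constructed sample sector for the demo; not taken from a real disk."""
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    if with_partition:  # one bootable NTFS-type (0x07) entry
        struct.pack_into("<B3sB3sII", sector, 446, 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 2048, 1_000_000)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)

if __name__ == "__main__":
    good = build_sample_mbr(b"\xeb\x5a" + b"\x90" * 60)
    replaced = build_sample_mbr(b"CONSTRUCTED REPLACEMENT BOOT CODE", with_partition=False)
    print(compare_to_baseline(good, good))
    print(compare_to_baseline(good, replaced))
```

A replacement sector that still ends in 0x55AA passes a signature-only check, which is why the boot code hash and partition table are compared separately.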

“While it appears that the RedEye ransomware has even more tricks up its sleeve than its predecessor Annabelle, the same conclusion holds true: do not pay the ransomware,” Blaze notes. “As for the actual purpose of the ransomware: it may be considered a ransomware of the wiper kind, however, it appears the author likes to showcase his or her skill.”