Security researchers have discovered a new "straight-forward" C# ransomware named Spartacus targeting victims that still manages to pack a punch. Found circulating in 2018, researchers at Malwarebytes Labs said Spartacus uses similar techniques and code as other ransomware seen in the past like Blackheart, ShiOne and Satyr, but share no relationship with them.
"In the case of Satyr and Blackheart, the code is nearly identical, with Spartacus following almost the same code flow with some modifications," Malwarebytes' Vasilios Hioureas writes. "If I were to make an assumption, I would say they are either the same actor or the actors for each of them used the same code. But again, there are no facts to prove this as of now.
"It is just an easy form of ransomware that criminals are creating, as it obviously does not take much time or thought to make."
To make sure there is no other instance of malware running on the targeted system, Spartacus begins by running the CheckRunProgram function to create a mutex and ensure it is unique. It also generates a unique key for encryption using the Rijndael algorithm, saves it and uses it to encrypt all files on the system. This means two identical files will have the same cipher-text, according to researchers. The encrypted files have the .Spartacus extension
Meanwhile, the AES key is encrypted with a RSA key embedded in the file while the cipher-text is encoded and displayed to the user in the ransom note. Embedding the RSA key allows the attacker to hold a private key to decipher all individual AES keys.
A screenshot of the ransom note can be seen below:
Image credit: Malwarebytes Labs
The ransomware does not communicate with the attacker or any C2 server at any point of time, allowing it to operate completely offline without any network communication. In fact, the malware author is only notified of an infection after the victim sends the personal ID (the AES key) via email.
Spartacus attackers demand a Bitcoin payment to decrypt files. The amount to be paid is determined by the attacker only after receiving an email from the victim. Researchers note there are no decryptors available for the malware as the decryption tool is likely embedded in the AES key and is different for each victim.
Users infected by Spartacus can perform a process memory dump and allow them the slight chance of extracting the keys from the memory, researchers said. Given its straightforward exploitation method, experts from Malwarebytes believe this ransomware could be on the rise in the near future.