[BreachExchange] SpriteCoin cryptocurrency ransomware spy on user, steal saved passwords

Destry Winant destry at riskbasedsecurity.com
Wed Jan 24 20:51:19 EST 2018


Another day, another ransomware scam, but this time the scammers are
luring users with a cryptocurrency called “SpriteCoin” that does not
exist at all.

IT security researchers at Fortinet have discovered a new ransomware
scam in which the attackers claim to be launching a new ‘profitable’
cryptocurrency, SpriteCoin, and ask the targeted victim to download its
wallet file and choose a password for it.

In reality, the wallet installer is malware that infects Windows-based
computers and encrypts the files on the system; it never downloads any
blockchain. It then demands a ransom to decrypt the locked files.
Ransoms are usually demanded in Bitcoin, but in this scam the
cybercriminals require payment in Monero, an open-source
cryptocurrency created in April 2014.

Currently, 1 Monero is worth around $322, and the ransomware asks
victims to pay 0.3 Monero, almost $100. According to Fortinet’s blog
post, during the payment phase the victim’s Chrome and Firefox
credential stores are targeted and sent to a remote website reachable
through the Tor browser; at the time of writing this article, the
domain was offline. This means not only do hackers get their hands on
user data and money, but also on the stored login
It is, however, unclear why the scam asks for only $100 to $120 in
ransom. It could be that the attackers are testing the success rate of
their scam and might come back to target bigger fish with a larger
ransom demand under the SpriteCoin name.

“Malware authors have done their homework to ensure higher success
rates. They understand that most people don’t back up their systems
regularly, but if someone should perform a shadow volume or similar
backup, they have logic built into the malware to defeat it. Instead,
a simple offline backup of important files will save a lot of time
and frustration,” said the Fortinet team.

A screenshot shared by Fortinet researchers shows the ransom note
displayed on the victim’s screen and how it instructs and threatens
users to pay the ransom or forgo their data.

However, there is another catch: once the victim pays the ransom,
rather than receiving the decryption key for their data, the crooks
behind this scam infect the device with a second piece of malware
capable of harvesting certificates, parsing images and secretly
activating the device’s webcam to spy on the victim.

Users are advised to keep an offline backup of their data at all
times and to follow the example of the IT team at California’s
Sacramento Regional Transit System, whose computers were infected with
ransomware and who were asked by the attackers to pay $7000 in ransom.
The organization dismissed the threats and restored its files
afterward, as it kept a complete backup of its data.

Just last week, Hancock Health hospital in Greenfield, Indiana
suffered a ransomware attack in which its entire server was hijacked
by hackers, and since the hospital’s IT team did not keep any backup
it was forced to pay $7000 to get the decryption keys.

If you are a cryptocurrency investor or new to this business, be
vigilant, watch out for cyber attacks and choose a secure wallet. Here
is a review list of the 5 safest Bitcoin wallets.
