<img height="1" width="1" style="display:none;" alt="" src="https://dc.ads.linkedin.com/collect/?pid=179060&amp;fmt=gif">

Minerva Labs Blog

News & Reports

Meet the TimeTime ransomware - the ransomware that asks for €100 via PaySafeCard

Every day we hear about the growing number of sophisticated ransomware groups, such as the infamous Conti, Khonsari and BlackCat. These groups usually exfiltrate and encrypt their victims’ data (a tactic known as Double Extortion) and ask for millions of dollars in order to decrypt their victims’ files and avoid publishing them online.  

But it appears that an increasing number of people are trying their hands at ransomware attacks, with methods that are often not as sophisticated as the ones the well-known threat actor groups use. 

Meet the TimeTime ransomware, the simple ransomware that “wants you” to pay 100 euro via PaysafeCard. Two days ago, MalwareHunterTeam tweeted about a new ransomware whose victims, got “Epicly pwned”: 

 twitter ransom message-1

Figure 1 - MalwareHunterTeam tweet 

The €100 ransom piqued our interested and we decided to take a closer look. 

The TimeTime ransomware is written in C#, isn’t even obfuscated, and is well documented by meaningful function names. The encryption algorithm is pretty simple, and the encryption process is done by adding “\u0001” to every single file byte: 

 timetime source code-1

Figure 2 - Encryption routine 

After the encryption process is completed, the following ransom note is added to the folder: 

 timetime ransomware message-1

Figure 3 - Ransom note 

The ransom note declares that files were stolen, but it seems to be a lure since there are no exfiltration functions found in the source code. 

Threat actors are asking for “100€ of paysafecard”. Paysafecard is a prepaid online payment method based on vouchers with a 16-digit PIN code, independent of bank account, credit card, or other personal information. Customers can purchase vouchers at local sales outlets and pay online by entering the code at the checkout of the respective website (e. g. an online game). 


Firstly, the original executable is copied to “C:\Users\****\AppData\Roaming” directory by svchost.exe name. 

Next, a threat actor takes care of the shadow copies and delete them, and only then the encryption process begins: 

 timetime shadowcopy delete-1

Figure 4 - Shadow copy delete 

TimeTime ransomware creates a new registry key named “TimeTime” under HKEY_CURRENT_USER. When a file has been encrypted, a new value is created under “HKCU\TimeTime”. The Value name is equal to the full path of the encrypted file: 

 timetime registry encryption log-1

Figure 5 - Registry encryption log 

The “@_DECRYPTOR_@.exe” file that the attacker wanted us to find, is a decryption utility, that decrypts the encrypted files if a valid code is entered: 

 timetime decryption utility-1

Figure 6 - Decryption utility 

As we can see, the attacker has left us the option to see all encrypted files. The file names are retrieved from registry: 

 timetime encrypted files-1

Figure 7 - Encrypted files 

Our assumption is that this remarkably simple ransomware was written by an inexperienced threat actor trying their luck. 




  • 5ee8500fe1a2f22029908d4e2b32e7fb85aec03ffea714f3b5e82ebb2bc10f21 – TimeTime.exe 


  • https://en.wikipedia.org/wiki/Paysafecard 

Interested in Minerva? Request a Demo Below

Stay Informed

Sign up for the Minerva newsletter and stay on top of the latest cybersecurity news.


see all