Every day we hear about the growing number of sophisticated ransomware groups, such as the infamous Conti, Khonsari and BlackCat. These groups usually exfiltrate and encrypt their victims’ data (a tactic known as Double Extortion) and ask for millions of dollars in order to decrypt their victims’ files and avoid publishing them online.
But it appears that an increasing number of people are trying their hands at ransomware attacks, with methods that are often not as sophisticated as the ones the well-known threat actor groups use.
Meet the TimeTime ransomware, the simple ransomware that “wants you” to pay 100 euro via PaysafeCard. Two days ago, MalwareHunterTeam tweeted about a new ransomware whose victims, got “Epicly pwned”:
Figure 1 - MalwareHunterTeam tweet
The €100 ransom piqued our interested and we decided to take a closer look.
The TimeTime ransomware is written in C#, isn’t even obfuscated, and is well documented by meaningful function names. The encryption algorithm is pretty simple, and the encryption process is done by adding “\u0001” to every single file byte:
Figure 2 - Encryption routine
After the encryption process is completed, the following ransom note is added to the folder:
Figure 3 - Ransom note
The ransom note declares that files were stolen, but it seems to be a lure since there are no exfiltration functions found in the source code.
Threat actors are asking for “100€ of paysafecard”. Paysafecard is a prepaid online payment method based on vouchers with a 16-digit PIN code, independent of bank account, credit card, or other personal information. Customers can purchase vouchers at local sales outlets and pay online by entering the code at the checkout of the respective website (e. g. an online game).
Firstly, the original executable is copied to “C:\Users\****\AppData\Roaming” directory by svchost.exe name.
Next, a threat actor takes care of the shadow copies and delete them, and only then the encryption process begins:
Figure 4 - Shadow copy delete
TimeTime ransomware creates a new registry key named “TimeTime” under HKEY_CURRENT_USER. When a file has been encrypted, a new value is created under “HKCU\TimeTime”. The Value name is equal to the full path of the encrypted file:
Figure 5 - Registry encryption log
The “@_DECRYPTOR_@.exe” file that the attacker wanted us to find, is a decryption utility, that decrypts the encrypted files if a valid code is entered:
Figure 6 - Decryption utility
As we can see, the attacker has left us the option to see all encrypted files. The file names are retrieved from registry:
Figure 7 - Encrypted files
Our assumption is that this remarkably simple ransomware was written by an inexperienced threat actor trying their luck.
- 5ee8500fe1a2f22029908d4e2b32e7fb85aec03ffea714f3b5e82ebb2bc10f21 – TimeTime.exe