RIG EK at Drops Ransom Locker

The infection chain started with recreating a portion of a malvertising chain. The malvertising chain redirected the host to a RIG exploit kit landing page. Below is the infection chain:

Traffic (edited)

Infection chain

You can see in the infection chain above that I visited a decoy site. This decoy site contained an iframe pointing to a fake ad domain acting as a gate:

iframe on decoy site

The fake ad domain, in this case milliption.gdn, returns a pre-filter page that fingerprints the system and then instructs the host to make a POST request for the landing page. To read more about this campaign and the pre-filter page click HERE.

Moving on… We see o32.tmp dropped and executed in %TEMP%, which facilitates the GET request and execution of the payload, pmpp20mo.exe:

For persistence the malware copies itself to %APPDATA% as rocanebeda.exe:

You can also see that this is where the ransom note is stored, as both a .bmp and a .jpg in %APPDATA%, along with FFAEBC00XX.tmp, which contains the number +79998373194 found on the ransom notes:

Checking the registry for persistence shows the following entries in both HKCU Run and RunOnce:

The ransom locker family of ransomware doesn’t actually encrypt user files; however, it is rather annoying as it locks the screen.

Here is an image of my Desktop after the payload was executed:

Here is a translation of the text on the ransom note:

Original text (Russian):

ВАШ КОМПЬЮТЕР ЗАБЛОКИРОВАН! Постановление №178-319 от 27 Марта 2017 года Вы оштрафованы на 4200 рублей! ВАШ ID: aed68d54 УСТАНОВЛЕН СИСТЕМОЙ БЕЗОПАСНОСТИ МВД РОССИИ| Вы заблокированы за неоднократное посещение порнографических сайтов, содержащих материалы, запрещенные законодательством РФ, а именно, порнографии с элементами педофилии насилия и пропаганды гомосексуализма. Вам необходимо оплатить штраф согласно постановлению №178-319 от 27 Марта 2017 года в размере 4200 рублей на Федеральный номер QIWI МВД РФ по приему штрафов +79998373194 Оплатить штраф Вы можете в любом терминале оплаты. Для этого в терминале выберите QIWI кошелек » далее пополнение QIWI-кошелька » наберите номер +79998373194 Далее введите комментарий к платежу (указываем номер ID), внесите денежные купюры в приемник в размере 4200 рублей и нажмите оплатить. Также вы можете оплатить штраф-онлайн. Для этого вам нужно зарегистрировать QIWI-кошелек, пололнить его любым удобным для вас способом, и перевести деньги с вашегокошелька на кошелёк, +79998373194ОБЯЗАТЕЛЬНО указав в комментарии ваш ID. После оплаты, в течении часа, система проверит оплату по вашему ID, и разблокирует вашу операционную систему. В случае отказа от оплаты штрафа или попытки самостоятельно снять блокировку без оплаты штрафа, к месту Вашего проживания будет немедленно направлена следственно-оперативная группа для Вашего задержания. Все материалы дела будут переданы в прокуратуру для принятия решения относительно возбуждения уголовного дела по факту совершения преступления предусмотренного ст 242 УК РФ. Срок для оплаты штрафа - 6 часов с момента уведомления.

Translation into English (adapted):

YOUR COMPUTER IS LOCKED! Decree No. 178-319 of 27 March 2017 you are fined 4200 rubles! YOUR ID: aed68d54 INSTALLED BY THE MIA OF RUSSIA SECURITY SYSTEM You are blocked for repeatedly visiting pornographic sites containing materials, Forbidden by the legislation of the Russian Federation, namely, pornography with elements of pedophilia of violence and propaganda Homosexuality. You need to pay a fine in accordance with Resolution No. 178-319 of March 27, 2017 in The amount of 4200 rubles for the Federal Number QIWI of the Ministry of Internal Affairs of the Russian Federation on the admission of fines +79998373194 You can pay the penalty at any payment terminal. To do this, select QIWI purse »more replenishment QIWI-wallet » dial +79998373194 Next, enter a comment for the payment (specify the ID number), enter banknotes into the receiver in the amount of 4200 rubles and click pay. Also you can pay a fine online. To do this, you need to Register QIWI-wallet, polnitit it in any convenient way for you, and transfer money from your wallet to the purse, +79998373194 NECESSARILY indicating in the comments your ID. After payment, within an hour, the system will check the payment for your ID, and unlock your operating system. In case of refusal to pay a fine or attempt to remove the lock yourself without paying a fine, to the place Your residence will immediately be sent to the investigative-operational group for your detention. All The materials of the case will be forwarded to the prosecutor's office to decide on the initiation of a criminal Cases on the fact of committing a crime provided for by Article 242 of the Criminal Code. The period for payment of a fine is 6 hours from the date of notification.

Shout-out to @Amigo_A_ who sent me this translation!

The ransom note image is attempting to social engineer users into believing that this is a warning from the Russian Ministry of Internal Affairs (MIA). It gives the user an ID number (mine was aed68d54) and tells users to pay 4200 rubles at a payment terminal. The number it gives users is +79998373194.

Users won’t be able to do anything from this screen, so don’t even try opening up Task Manager, etc.


Booting the infected system in either Safe Mode or Safe Mode with Networking won’t work as the system immediately locks with the ransom note on the screen. While this is extremely annoying there is hope! I put together a video of how to take back control of your system (see the top of this post).

Sorry for any errors in the video. I kind of rushed to get it done and I’m using a garbage keyboard. I listed out the steps below to get control of your system.

Step 1:

Boot to Safe Mode with Command Prompt

Step 2:

Use these commands to add the following values to the registry:

  • REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisableCurrentUserRun /t REG_DWORD /d 1
  • REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisableCurrentUserRunOnce /t REG_DWORD /d 1

Additional commands if the persistence is in HKLM Run and RunOnce:

  • REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisableLocalMachineRun /t REG_DWORD /d 1
  • REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisableLocalMachineRunOnce /t REG_DWORD /d 1

Step 3 (optional):

Check that the entries are there by using the following command:

  • REG QUERY HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Step 4:

Use the command to restart the system:

  • shutdown -t 0 -r -f

Step 5:

Remediate the system
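
One way to begin Step 5, as an added example that is not part of the original post: save the output of REG QUERY for the HKCU Run and RunOnce keys and flag autoruns that launch from %APPDATA% or %TEMP%, which is where this locker keeps its files. The sample output, the value names and the ExampleDir folder are constructed for illustration, and the path check is a triage heuristic rather than a verdict.

```python
import re

# Constructed `reg query` output for illustration (not captured from the
# infected host). Value names and "ExampleDir" are made up; only the file
# name rocanebeda.exe comes from the post.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\lab\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    ExampleValue    REG_SZ    C:\Users\lab\AppData\Roaming\ExampleDir\rocanebeda.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    ExampleValue    REG_SZ    "%APPDATA%\ExampleDir\rocanebeda.exe" /start
"""

# One value line: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_RE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")
# Heuristic: autoruns launching from user-writable profile locations.
SUSPECT = re.compile(r"\\appdata\\roaming\\|\\temp\\|%appdata%|%temp%", re.I)
EXT_RE = re.compile(r"(.+?\.(?:exe|tmp|dll|scr|bat|cmd|vbs|js))(?:\s|$)", re.I)


def command_path(data):
    """Return the program path of a Run value, without its arguments."""
    data = data.strip()
    if data.startswith('"'):                 # quoted path, may contain spaces
        return data[1:].split('"', 1)[0]
    m = EXT_RE.match(data)                   # unquoted: cut after the extension
    return m.group(1) if m else data.split(" ", 1)[0]


def triage(reg_output):
    """Return (key, value name, program path) for each suspicious autorun."""
    findings, key = [], None
    for line in reg_output.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif key and (m := VALUE_RE.match(line)):
            path = command_path(m["data"])
            if SUSPECT.search(path):
                findings.append((key, m["name"], path))
    return findings


if __name__ == "__main__":
    for key, name, path in triage(SAMPLE):
        print(f"[!] {key} -> {name} = {path}")
```

The Disable… policy values added in Step 2 stay in the registry until they are removed with REG DELETE, so delete them once the malicious entries and files are gone; otherwise legitimate Run and RunOnce programs will not start either.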

Final note:

It looks as if these kinds of lockers are making a slight comeback. Here is an article talking about RIG exploit kit dropping a similar locker:




  • – milliption.gdn – Fake ad domain
  • – fast.napadieselguide.com – RIG Exploit kit
  • – GET /l/wal.txt
  • – GET /l/upd.php?ccc=aed68d54
  • – GET /l//default.jpg


  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

File System:

  • %TEMP% – C:\Users\[Username]\AppData\Local\Temp\pmpp20mo.exe
  • %TEMP% – C:\Users\[Username]\AppData\Local\Temp\o32.tmp
  • C:Users[Username]AppDataRoamingUpd2ExplerSysDrv32Xzrocanebeda.exe
  • %APPDATA% – C:\Users\[Username]\AppData\Roaming\FFAEBC00XX.tmp
  • %APPDATA% – C:Users[Username]AppDataRoamingUpd2ExplerSysDrz.bmp
  • %APPDATA% – C:Users[Username]AppDataRoamingUpd2ExplerSysDrz.jpg


SHA256: cb36d55f538f5833fe0bd6e0d279624509b41b0228f60b3031a9d821a9a59cce
File name: Flash Exploit.swf

SHA256: edf9f0c335175d47fa696b29b9cdeb78fd3477b7b59e965749ea203708647742
File name: o32.tmp

SHA256: c39bf6674db6e6a8e16c08ef4ba400aa306c66e4e8c9e378423c5bb6c36f748c
File name: pmpp20mo.exe and rocanebeda.exe
Hybrid-Analysis Report
DeepViz Report

Artifacts are available for download. The folder contains malicious artifacts. PM me on Twitter or send an email to malwarebreakdown@gmail.com if you need the password (it's the same that other researchers use):

Malicious Artifacts.zip

I want to thank everyone who responded to my Twitter questions regarding this infection. Until next time!
