LTS Secure Warning: iCoreX back with RedEye Ransomware

In the latest discovery, it was found that iCoreX, the group responsible for creating the Annabelle and Jigsaw ransomware, has developed a new ransomware named RedEye. This ransomware spreads via spam mail and, once on a victim's system, encrypts data and demands a ransom in BTC. RedEye also destroys the user's files when there is no prospect of financial gain.

Technical Details

According to the report, once the user's system is compromised, RedEye delivers its malware as a large file of about 35 MB that contains images and audio files embedded in the binary. The dropped files include three ".wav" files, child.wav, redeye.wav and suicide.wav, which play a "creepy" sound.

The malware author used ConfuserEx and compression, along with a few other tricks, to protect the binary. Once installed on a victim's system, the ransomware performs a series of actions to make its removal difficult, including disabling Windows Task Manager and hiding within the infected machine's drives. After the malware takes control of the system, it encrypts files using the AES-256 encryption algorithm and appends the .RedEye extension to them. On completion of the encryption process, it displays a ransom note on the victim's screen. The RedEye warning note features four options:

  • View the encrypted files,
  • Decrypt the encrypted files,
  • Get support or destroy your PC,
  • A GIF image with two functions, "Do it" or "Close the image".

If the user selects the "Do it" option, the malware reboots the machine and replaces the MBR (Master Boot Record). When the victim powers up the system, they are greeted with the message "RedEye has terminated your computer," along with the signature of the "iCoreX" malware author.

Impact

Apart from encrypting data, RedEye disables Windows Task Manager, hides the computer's drives, modifies or creates Windows registry keys, disables the computer's security, modifies Image File Execution Options registry entries, and makes programs unresponsive.
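A read-only triage check for the behaviours listed above, added here as an example and not part of the LTS Secure advisory. It assumes RedEye uses the standard DisableTaskMgr and NoDrives policy values and IFEO "Debugger" entries, which the advisory describes only generically; the .RedEye extension comes from the advisory. Run it from an elevated PowerShell on the suspect machine (ideally disconnected from the network).

```powershell
# Added triage check, not from the advisory. Assumption: the "disable Task Manager",
# "hide drives" and "Image File Execution Options" behaviours use the usual registry
# values named below; the .RedEye extension is the one the advisory reports.
function Get-RedEyeIndicators {
    param(
        [string[]]$ScanRoots = @($env:USERPROFILE),  # where to look for .RedEye files
        [int]$MaxFiles = 25                           # cap the file listing for readability
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Task Manager disabled through the policy value (check both hives)
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
        $v = Get-ItemProperty -Path $key -Name DisableTaskMgr -ErrorAction SilentlyContinue
        if ($v -and $v.DisableTaskMgr -eq 1) { $findings.Add("DisableTaskMgr=1 under $key") }
    }

    # 2. Drives hidden from Explorer via the NoDrives bitmask (non-zero = drives hidden)
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        $v = Get-ItemProperty -Path $key -Name NoDrives -ErrorAction SilentlyContinue
        if ($v -and $v.NoDrives -ne 0) {
            $findings.Add(("NoDrives=0x{0:X} under {1}" -f $v.NoDrives, $key))
        }
    }

    # 3. IFEO subkeys with a "Debugger" value redirect the named program to another binary
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { $findings.Add("IFEO Debugger for $($_.PSChildName) -> $dbg") }
    }

    # 4. Files already renamed to the .RedEye extension (sample only, up to $MaxFiles)
    $hits = Get-ChildItem -Path $ScanRoots -Recurse -File -Filter '*.RedEye' -ErrorAction SilentlyContinue |
            Select-Object -First $MaxFiles
    foreach ($f in $hits) { $findings.Add("Encrypted file: $($f.FullName)") }

    return $findings
}

$result = Get-RedEyeIndicators
if ($result.Count -eq 0) { 'No RedEye indicators found.' } else { $result }
```

Any IFEO hit should be compared against a known-good baseline before acting, since legitimate debugging tools also register Debugger values.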

Recommended Actions

If you catch the ransomware in the act and shut the machine down at that point, you can recover the encrypted files and may be able to restore the MBR. Reboot into Safe Mode and copy off or back up your files. If tools such as the Registry Editor are not working, run RKill in Safe Mode first. Then restore the MBR and reinstall Windows. Alternatively, restore the MBR first and then attempt to recover files from Shadow Volume Copies; a tool such as Shadow Explorer can be of assistance, or read the tutorial here.

If that doesn’t work either, you may try using a data recovery program such as PhotoRec or Recuva.

For the best way to remove RedEye Ransomware from the system and recover your locked files, click the link: Guidelines to remove RedEye Ransomware.