
Researchers have uncovered a new ransomware strain dubbed ELPACO-team, designed to both encrypt and rename files.
Once encryption is done, it appends the “.ELPACO-team” extension to each file. ELPACO-team also displays a ransom note on the pre-login screen, alerting victims before they access their system. The ransomware generates a text file titled “Decryption_INFO.txt,” which contains the same ransom note, instructing victims on how to proceed with payment for decryption.
Key feature set of the ransomware
- This ransomware targets Windows Operating System, which is prevalent across numerous industries and organizations.
- Detect-Debug-Environment: Debugging environments are used by developers to analyze and troubleshoot software. The ransomware uses this technique to determine whether it is operating in a debug environment. This feature aids the ransomware in avoiding analysis and detection attempts.
- Calls to WMI: The ransomware is making calls to the Windows Management Instrumentation (WMI) framework. WMI is a powerful tool used by many legitimate applications and services, but it can also be exploited by malware to execute commands, collect information, or perform system modifications.
- The ransomware places itself under “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\” to manipulate the execution behaviour of the image. This registry key allows the ransomware to achieve persistence, silently execute alongside or instead of legitimate images, and maintain control over compromised systems, evading detection.
The ransom note from the ELPACO-team ransomware informs victims that their files have been encrypted due to a security vulnerability. It includes a decryption ID and instructs the victim to purchase both a decryption tool and a unique key to recover their files.
The ransom note warns that scanning files with antivirus software could lead to data loss. It also cautions against renaming encrypted files or using third-party decryption tools, as this may result in permanent loss of data.
Victims are directed to contact the attackers via email or Telegram. Additionally, the note suggests that quicker communication with the attackers could lead to more favorable terms for decryption.
Known Indicators of Compromise (IoCs)
Based on the information provided about the ELPACO-team ransomware, here are the key IoCs that can be identified:
- File Indicators:
  - Encrypted File Extension: Files have the “.ELPACO-team” extension appended to their original filenames.
  - Ransom Note Filename: A text file named Decryption_INFO.txt containing ransom instructions is left on the system.
- System Indicators:
  - Pre-login Screen Message: Displays a ransom note on the pre-login screen, informing victims before they access the system.
- Communication Indicators:
  - Email Address: The attackers use the email derick_btc@tuta.io for communication.
  - Telegram Contact: The attackers instruct victims to contact them via Telegram at @DataSupport911.
- Behavioral Indicators:
  - File Encryption: Encrypts files using sophisticated algorithms and renames them with the “.elpaco” extension.
  - File Renaming: Files are renamed by appending the “.ELPACO-team” extension.
- Detection Names:
  - Win32[Trj]
  - Application.Agent.KVJ
  - UDS.Win32.Generic
  - Program/Wacapew.C!ml
- Target System: Ransomware primarily targets Microsoft Windows systems.
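The file and communication indicators above can be turned into a simple host triage sweep. The following is an added example, not code from the original report: it walks a directory tree for the “.ELPACO-team” extension and the Decryption_INFO.txt note, and checks any note it finds for the listed contact identifiers. The directory layout and file contents it builds are a constructed fixture, not real ransomware output.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the report.
ENCRYPTED_EXT = ".ELPACO-team"
RANSOM_NOTE = "Decryption_INFO.txt"
CONTACT_IOCS = ("derick_btc@tuta.io", "@DataSupport911")


def scan_tree(root):
    """Walk root and collect ELPACO-team file indicators.

    Returns paths of encrypted files, ransom notes found, which known contact
    strings appeared inside those notes, and an overall verdict.
    """
    encrypted, notes, contact_hits = [], [], set()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            # Windows filenames are case-insensitive, so compare lowercased.
            if name.lower().endswith(ENCRYPTED_EXT.lower()):
                encrypted.append(str(path))
            elif name.lower() == RANSOM_NOTE.lower():
                notes.append(str(path))
                try:
                    text = path.read_text(errors="ignore")
                except OSError:
                    continue  # unreadable note: still counted, contacts unknown
                contact_hits.update(c for c in CONTACT_IOCS if c in text)
    return {
        "encrypted": sorted(encrypted),
        "notes": sorted(notes),
        "contacts": sorted(contact_hits),
        "verdict": bool(encrypted or notes),
    }


def build_sample_tree(root):
    """Constructed fixture mimicking a post-infection user profile (not real data)."""
    docs = Path(root) / "Users" / "alice" / "Documents"
    docs.mkdir(parents=True)
    (docs / "report.docx.ELPACO-team").write_bytes(b"\x00" * 16)
    (docs / "budget.xlsx.ELPACO-team").write_bytes(b"\x00" * 16)
    (docs / "clean.txt").write_text("untouched file")
    (docs / RANSOM_NOTE).write_text(
        "Your files are encrypted.\nContact derick_btc@tuta.io or Telegram @DataSupport911\n"
    )
    return docs


def demo():
    """Run the scanner over the constructed fixture and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)
```

Point scan_tree at a mounted image or user profile to triage a real host; the registry indicator under Image File Execution Options has to be checked separately with Windows tooling.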