New ransomware dubbed MoneroPay targets crypto-fans, impersonates wallet

Crypto-fans are now being targeted by MoneroPay, a new ransomware released in a thread discussing altcoin on popular crypto forum BitcoinTalk on Jan. 6. Posing as a wallet for the SpriteCoin cryptocurrency, enthusiasts rushed to download it in the desire to make a lot of money fast.

The authors of the ransomware took advantage of the surge in interest in cryptocurrency to target some tech-savvy users. These wallets are often reported by security solutions so many users have made a habit of disabling the solution to minimize false positives.

The hackers behind MoneroPay exploited this practice and created the malware to perfectly impersonate a regular installation. Once MoneroPay was installed on their devices, it started collecting user data and passwords saved in Firefox and Chrome. The data is sent to a C2 server.

The victims figured out they were dealing with ransomware after full sync with the blockchain was completed and an announcement appeared that their data is encrypted.

According to BleepingComputer, the ransomware encrypts files with extensions affiliated with programing languages such as txt, doc, rtf, cpp, tcl, html, ppt, docx, xls, xlsx, pptx, key, pem, psd, mkv, mp4, ogv, zip, jpg, jpeg, work, pyw, hpp, cgi, rar, lua, img, iso, webm, jar, java, class, one, htm, css, vbs, eps, psf, png, apk, ps1, wallet.dat. MoneroPay adds the .encrypted extension to the infected files.

Even though crypto-fans are usually tech savvy, malware developers collect insights from multiple threads on the forum, and elsewhere, to take advantage of their weaknesses. This is precisely why they need to take extra security measures such as keeping regular backups of their data so it can be restored if encrypted or lost, and using a virtual machine to scan files before download to ensure they’re not malware.

Leave a Reply