Bitcoin Ransomware Education – Spectre

Not a week goes by without security researchers coming across a new type of ransomware. That is not entirely surprising, considering ransomware has been a lucrative business for cybercriminals. Spectre is a new type of malicious software which appears to be in “testing mode” right now. However, researchers have discovered it is quite a sophisticated piece of malware which could end up doing a ton of damage.

Spectre Ransomware Is Preparing for a Global Campaign

It is always somewhat disconcerting to see a new type of ransomware being “tested” by developers. One never thinks about how developers can effectively test such a piece of malicious software, even though it is absolutely necessary to do exactly that. Spectre is a newly discovered type of malicious software which will start making the rounds at some point in the near future. It is unclear when this will happen exactly, though.

Careful analysis of the Spectre ransomware sample reveals some interesting facts. It is evident the people – or team – responsible for creating this malicious tool have come up with a very sophisticated threat. We have seen quite a few different ransomware threats over the past few years, yet it appears Spectre will be a force to be reckoned with. As one would expect, the malware will communicate with a command & control server, which is hosted on a Russian domain right now.

Once this communication protocol has been established, the server will respond back with a unique Bitcoin address and a public key used to encrypt the victim’s computer files. For the time being, there is no way to properly decrypt these files with a free tool. Nor is it possible to restore file access from a backup, as Spectre will delete all shadow volume copies it comes across. This is a rather common trait of ransomware these days, as criminals want to prevent users restoring files without paying the Bitcoin ransom.

For the time being, it appears Spectre will only target a small selection of files, rather than going virtually everything it comes across. Considering how this malware is still in the early stages of development, it is possible this list of file extensions will be expanded upon by the time the ransomware enters its “live” stage. All files are encrypted using AES encryption and will be renamed to the “.spectre” file extension. The number of files encrypted will be communicated to the command & control server as well.

The ransom note associated with Spectre is also rather brief, as it contains all but four lines. However, one thing that stands out is how Spectre redirects victims to a dedicated payment site, rather than just displaying a payment address. A lot of new ransomware types have removed this functionality, for some unknown reason. Spectre victims are asked to visit a Tor-hosted payment site, where they will need to log in using the unique ID found in the ransom note. It appears the current ransom amount is $200, although this may be subject to change as well.

Even though Spectre appears to be ripe for distribution, it remains to be seen if the developers will bring it in circulation in the end. Just because these samples are discovered does not mean they will become an actual threat anytime soon. Rest assured researchers will keep an eye on any Spectre-esque type of ransomware they come across moving forward. We can only hope the researchers will also be able to develop a free decryption tool, just in case this ransomware ever becomes a global threat.

If you liked this article, follow us on Twitter @themerklenews and make sure to subscribe to our newsletter to receive the latest bitcoin, cryptocurrency, and technology news.