ALC SCAREWARE PRETENDS TO BE A RANSOMWARE – CYFIRMA

CYFIRMA researchers identified a sample named ALC Ransomware that masquerades as ransomware but functions as scareware, since it does not encrypt files. The malware locks the screen, disables Task Manager, drops multiple files, and delivers a ransom note while showing indicators that may point to geopolitical motivation; it also uses registry-based persistence and a hardcoded ransom flow. #ALCRansomware #RUS!.txt #Monero #ALCKEY

Keypoints

  • ALC Ransomware is characterized as scareware that does not encrypt files but instead locks the screen and displays a ransom note.
  • It drops several artifacts on the desktop (e.g., AlcDif.exe, RUS!.txt, Pass, Pey, ALCKEY, C.txt) and then executes AlcDif.exe as the payload.
  • The malware disables the Task Manager and uses registry-based mechanisms for persistence (Run keys) to launch at startup.
  • A ransom note is displayed with instructions, including a crypto wallet address and references to a Monero payment (554 XMR) and a Telegram contact that is not actually provided.
  • The sample contains a hash-based password check to re-enable the Task Manager: it compares the entered password's hash against a hardcoded hash read from the dropped file “Pass.”
  • CYFIRMA notes possible geopolitical motivation, with references to Russia and its allies, suggesting potential use by threat groups from nations opposing Russia.

MITRE Techniques

  • [T1129] Shared Modules – Execution (TA0002) – The sample is a 64-bit PE executable with a console subsystem. “The binary is 64-bit PE executable having console subsystem.”
  • [T1547.001] Registry Run Keys – Persistence – The Run method sets a registry value so that the file “AlcDif.exe” on the victim’s desktop is launched when the computer starts up. It creates the subkey “Software\Microsoft\Windows\CurrentVersion\Run” under the CurrentUser registry hive.
  • [T1112] Modify Registry – Defense Evasion – “This value disables the Windows Task Manager” and the code manipulates Run/DisableTaskMgr to block task termination.
  • [T1056] Input Capture – Credential Access – “the function calculates hash and compares it with hash (2943a567bc05bc66ca6201dbc5f00bec3f774a47b1b94289a2ae8e79834c21a5) present in dropped file “Pass” … If password hashes match then it enables the task manager.”
  • [T1012] Query Registry – Discovery – The code creates a subkey under the CurrentUser registry hive and interacts with Run and Policies keys (e.g., “Software\Microsoft\Windows\CurrentVersion\Policies\System”).
  • [T1082] System Information Discovery – Discovery – “The binary is 64-bit PE executable having console subsystem.” (system information disclosed during analysis)
  • [T1490] Inhibit System Recovery – Impact – The malware disables the task manager, locks the screen, and displays the ransom note to inhibit recovery.

Indicators of Compromise

  • [MD5] 3e6d52e151154065eb9da3da48dc7a7d – Sample File (ALC Ransomware)
  • [MD5] b6f780c70f6dd53a28286cf2d23f2359 – AlcDif.exe
  • [MD5] 79058D9B0FDFDADA59C18DF8AC026224 – RUS!.txt
  • [MD5] 7384C4FCCF3818EF77C6188D7104A0B5 – Pass
  • [MD5] 8D1C52CB4E6A5EA02275637D26F90F60 – Pey
  • [MD5] 2B410375146A9BB550EDCA0BAE42A1CB – ALCKEY
  • [MD5] 9A5E23DCC123B4B7526CE1D61DAB6CA4 – C.txt
  • [SHA256] 0ABE1AB9C75395A4CA829028D9C8C6530BD3BFDA49E4B856B6F3539B9AA36EA5 – Password Hash (contents of Pass File)
  • [Text/Key] (ALCKEY contents) – RSA key shown in the dropped ALCKEY file (long RSA key value)
  • [Text/Address] 46yRW1YjGQUgZi2CrrX5ENj9boHWD8VqYJbGyv1f9QgvGuqJfUanwsfEEBuFhu4VqeaQVwqx2ctLPQbFbHjiRCja4cak53o – Crypto Wallet Address
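As an added defender-side example (not code from the CYFIRMA report and not the malware's own code), the following Python triage script covers the two artifact classes described in the Keypoints, the MITRE mappings and the IoC list: it hashes the files in a desktop folder against the report's MD5 indicators and dropped-file names, and parses a `reg export` style dump for a Run value that launches AlcDif.exe and for a non-zero DisableTaskMgr policy value. The desktop contents and the .reg text are constructed stand-ins; the registry paths are the standard HKCU Run and Policies\System keys that the report's strings refer to.

```python
import hashlib
import tempfile
from pathlib import Path

# MD5 indicators from the CYFIRMA report, keyed by the dropped file name.
IOC_MD5 = {
    "AlcDif.exe": "b6f780c70f6dd53a28286cf2d23f2359",
    "RUS!.txt": "79058d9b0fdfdada59c18df8ac026224",
    "Pass": "7384c4fccf3818ef77c6188d7104a0b5",
    "Pey": "8d1c52cb4e6a5ea02275637d26f90f60",
    "ALCKEY": "2b410375146a9bb550edca0bae42a1cb",
    "C.txt": "9a5e23dcc123b4b7526ce1d61dab6ca4",
}

# Standard HKCU keys behind the Run-key persistence and the Task Manager policy.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"

# Constructed .reg dump (not from a real host) showing both registry artifacts.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ALC"="C:\\Users\\victim\\Desktop\\AlcDif.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"""


def md5_of_file(path: Path) -> str:
    """Stream a file through MD5 so large artifacts are not read into memory at once."""
    digest = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_desktop(desktop: Path) -> list[dict]:
    """Report files whose MD5 or name matches the report's dropped artifacts.
    Name matches are kept because a recompiled or edited sample keeps its file names."""
    hits = []
    for entry in sorted(desktop.iterdir()):
        if not entry.is_file():
            continue
        digest = md5_of_file(entry)
        name_match = entry.name in IOC_MD5
        hash_match = digest in IOC_MD5.values()
        if name_match or hash_match:
            hits.append({"file": entry.name, "md5": digest,
                         "name_match": name_match, "hash_match": hash_match})
    return hits


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Parse a `reg export` dump into {key path: {value name: raw data}}."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data
    return keys


def registry_findings(reg: dict[str, dict[str, str]]) -> list[str]:
    """Flag a Run value pointing at AlcDif.exe and a non-zero DisableTaskMgr policy."""
    findings = []
    for name, data in reg.get(RUN_KEY, {}).items():
        if "alcdif.exe" in data.lower():
            findings.append(f"Run value '{name}' launches AlcDif.exe: {data}")
    data = reg.get(POLICY_KEY, {}).get("DisableTaskMgr", "")
    if data.lower().startswith("dword:") and int(data.split(":", 1)[1], 16) != 0:
        findings.append(f"DisableTaskMgr is set ({data})")
    return findings


def demo() -> tuple[list[dict], list[str]]:
    """Run both checks over constructed stand-ins and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        desktop = Path(tmp)
        # Constructed files: one carries a dropped-artifact name, one is benign.
        (desktop / "RUS!.txt").write_text("constructed ransom-note stand-in\n")
        (desktop / "notes.txt").write_text("unrelated user file\n")
        file_hits = scan_desktop(desktop)
    reg_hits = registry_findings(parse_reg_export(SAMPLE_REG_EXPORT))
    return file_hits, reg_hits


if __name__ == "__main__":
    files, regs = demo()
    for hit in files:
        print("file artifact:", hit)
    for finding in regs:
        print("registry artifact:", finding)
```

On a live host, point `scan_desktop` at the user's Desktop folder and feed `parse_reg_export` the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion <file>`; a DisableTaskMgr value of 1 together with a Run entry for AlcDif.exe matches the persistence and defense-evasion behaviour the report describes.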

Read more: https://www.cyfirma.com/outofband/alc-scareware-pretends-to-be-a-ransomware/