WhiteLock is a ransomware strain that encrypts Windows files, appends the .Fbin extension, creates the c0ntact.Txt ransom note, and changes the desktop wallpaper to pressure victims into paying. It also communicates with external servers, derives victim identification from the MAC address, and terminates AnyDesk and TeamViewer services to block remote response. #WhiteLock #AnyDesk #TeamViewer #c0ntactTxt #Fbin
Keypoints
- WhiteLock is a ransomware family targeting Windows systems with file encryption and ransom demands.
- Encrypted files are renamed with the .Fbin extension, and a ransom note named c0ntact.Txt is created on infected machines.
- The ransomware contacts external servers during execution and uses the victim device’s MAC address, hashed with SHA-256, for identification.
- WhiteLock checks for AnyDesk and TeamViewer, then terminates related services to interfere with remote incident response.
- It uses AES-CBC for file encryption and protects the AES key with RSA-2048 after obtaining a public key from an external server.
- The ransomware excludes system-critical paths, already encrypted files, ransom notes, and security-product-related keywords from encryption.
- AhnLab notes that detection should focus on file encryption behavior, ransom-note creation, service termination, and abnormal external communications.
MITRE Techniques
- [T1041 ] Exfiltration Over C2 Channel – WhiteLock sends the encrypted AES key to an external server during execution, enabling the threat actor to retain control over decryption (‘the encrypted AES key is transmitted to an external server’).
- [T1027 ] Obfuscated Files or Information – It protects the AES key with RSA-2048 and uses a victim-specific hash to manage encryption and identification, making recovery difficult (‘encrypts the previously generated AES key using the RSA-2048 algorithm’).
- [T1489 ] Service Stop – WhiteLock terminates services related to AnyDesk and TeamViewer to block remote administration and incident response (‘it terminates the relevant Services’ and ‘terminating services related to AnyDesk and TeamViewer’).
- [T1486 ] Data Encrypted for Impact – The malware encrypts target files using AES-CBC and appends the .Fbin extension to indicate encrypted data (‘WhiteLock begins the actual file encryption process’ and ‘it appends the .Fbin extension’).
- [T1491.001 ] Defacement: Internal Defacement – It changes the victim’s wallpaper after encryption to display a compromise message and direct the user to the ransom note (‘WhiteLock changes the victim’s device wallpaper’).
- [T1071.001 ] Application Layer Protocol: Web Protocols – The ransom note instructs victims to use a Tor-based negotiation page, showing use of web-based communication for extortion (‘how to access the Tor-based negotiation page’).
Indicators of Compromise
- [File names ] Ransom notes and system-related files excluded or created during infection – c0ntact.Txt, DumpStack.Log.Tmp, and desktop.Ini
- [File extensions ] Encrypted output appended to victim files – .Fbin
- [Folder paths ] Exclusion list for encryption and system-protection targeting – $Recycle.Bin, Windows, and ProgramData
- [Security product keywords ] Exclusion keywords used to avoid interfering with antivirus/security tools – major antivirus and security product names (not specified)
- [Network indicators ] External server communication used for device identification and key handling – external server, Tor-based negotiation page
- [Device identifiers ] Victim identification data collected at runtime – MAC address, SHA-256 hash of the MAC address
Read more: https://asec.ahnlab.com/en/94390/