Overview
This week, the Sonicwall Capture Labs threat research team analyzed a ransomware calling itself Lighter Ransomware. Upon execution, it opens up a window with a countdown timer instructing the victim to reach out immediately before the timer ends – or face greater consequences.
Infection Cycle
The malware arrives as a portable executable that, once executed, immediately displays this warning window.
Figure 1: Lighter ransomware window with countdown.
It lets the user know that they have been infected with ransomware and displays instructions on how to get their files back. Interestingly, this ransomware only asks for $100.
However, most common keyboard shortcuts are blocked, which renders the system unusable once this window is displayed.
Figure 2: Functionality showing keyboard shortcuts being blocked
Common system utilities such as taskmanager, cmd, msconfig, regedit and processxp are also blocked.
Figure 3: Functionality that kills taskmgr
In parallel, files are encrypted with AES (specifically the .NET RijndaelManaged class), and the malware adds the .L0cked extension to every encrypted file.
Figure 4: AES encryption functionality using the RijndaelManaged class
Figure 5: Encrypted files with the .L0cked file extension
This ransomware targets files with the following file extensions seen in the screenshot below:
Figure 6: File extensions targeted by this ransomware
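The .L0cked extension and the list of targeted file types give a responder two quick impact checks: how many files on a share carry the extension, which original types were hit, and whether the contents are actually high-entropy (AES output) rather than merely renamed. The triage script below is an added example written for this post, not SonicWall code; it assumes the original extension is kept in front of .L0cked (e.g. report.docx.L0cked) and builds its own constructed sample tree.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

LOCKED_EXT = ".L0cked"  # extension the post reports Lighter adding to encrypted files


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: AES ciphertext sits near 8.0, most plaintext far lower."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_locked_files(root: str) -> list[Path]:
    """Recursively list files carrying the .L0cked extension."""
    return sorted(p for p in Path(root).rglob("*") if p.is_file() and p.name.endswith(LOCKED_EXT))


def triage(root: str, sample_bytes: int = 4096, min_entropy: float = 7.0) -> dict:
    """Count locked files, tally the original extensions that were hit, and
    check how many really look encrypted (high entropy) instead of just renamed."""
    locked = find_locked_files(root)
    # Assumption: the original extension precedes .L0cked (report.docx.L0cked -> .docx)
    original_exts = Counter(Path(p.name[: -len(LOCKED_EXT)]).suffix.lower() for p in locked)
    encrypted = 0
    for p in locked:
        with open(p, "rb") as fh:
            if shannon_entropy(fh.read(sample_bytes)) >= min_entropy:
                encrypted += 1
    return {"locked_files": len(locked), "high_entropy": encrypted,
            "original_extensions": dict(original_exts)}


def build_sample_tree() -> str:
    """Constructed fixture, not real malware output: two 'encrypted' files plus one untouched."""
    root = tempfile.mkdtemp(prefix="l0cked_demo_")
    (Path(root) / "docs").mkdir()
    (Path(root) / "docs" / "report.docx.L0cked").write_bytes(os.urandom(8192))
    (Path(root) / "photo.jpg.L0cked").write_bytes(os.urandom(8192))
    (Path(root) / "notes.txt").write_text("plain text the ransomware did not touch\n" * 50)
    return root


if __name__ == "__main__":
    print(triage(build_sample_tree()))
```

Point `triage()` at a mapped share or user profile to size the damage before restoring from backup; a large gap between locked_files and high_entropy would suggest renaming without encryption and is worth a closer look.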
Unless the user forces a reboot, they will be unable to do most common tasks while the warning window is displayed.
SonicWall Protections
SonicWall Capture Labs provides protection against this threat via the following signature:
- GAV: Lighter.RSM (Trojan)
This threat is also detected by SonicWall Capture ATP w/RTDMI and Capture Client endpoint solutions.
Source: https://blog.sonicwall.com/en-us/2024/03/lighter-ransomware-locks-users-out-of-system/