Originally Seen: Bleepingcomputer.com on September 2, 2018 by Lawrence Abrams
Every once in a while you come across a really strange malware and such is the case with a new ransomware that only encrypts .EXE files on a computer. It then displays a screen with a picture of President Obama that asks for a “tip” to decrypt the files.
First tweeted by MalwareHunterTeam, this ransomware has the bizarre title of “Barack Obama’s Everlasting Blue Blackmail Virus” as shown by the file properties below.
When executed, this ransomware will terminate various processes associated with antivirus software such as Kaspersky, McAfee, and Rising Antivirus . The commands executed to kill the processes are:
taskkill /f /im kavsvc.exe taskkill /f /im KVXP.kxp taskkill /f /im Rav.exe taskkill /f /im Ravmon.exe taskkill /f /im Mcshield.exe taskkill /f /im VsTskMgr.exe
It will then scan the computer for .exe files and encrypt them. When encrypting files, it will target all .EXE files, even those that are located under the Windows folder. Other ransomware in the past that encrypted executables typically avoid the Windows folder so that it does not cause problems with the proper execution of the operating system.
As part of the encryption process, this ransomware will also modify the Registry keys associated with .exe files so that they use a new icon and run the virus every time someone launches an executable. The modified keys are listed below.
HKLM\SOFTWARE\Classes\exe HKLM\SOFTWARE\Classes\exe\ HKLM\SOFTWARE\Classes\exe\EditFlags 2 HKLM\SOFTWARE\Classes\exe\DefaultIcon HKLM\SOFTWARE\Classes\exe\DefaultIcon\ C:\Users\User\codexgigas_.exe,0 HKLM\SOFTWARE\Classes\exe\Shell HKLM\SOFTWARE\Classes\exe\Shell\Open HKLM\SOFTWARE\Classes\exe\Shell\Open\Command HKLM\SOFTWARE\Classes\exe\Shell\Open\Command\ "C:\Users\User\codexgigas_.exe" "%1"
The message in the ransomware interface states that users should contact the attacker at the email@example.com for payment instructions.
Hello, your computer is encrypted by me! Yeah, that means your EXE file isn't open! Because I encrypted it. So you can decrypt it, but you have to tip it. This is a big thing. You can email this email: firstname.lastname@example.org gets more information.
It is unknown how this ransomware is distributed or if the developer will even provide a decryption key if paid.
Obama is not the only President to have had a ransomware created after him. Prior to the 2016 United Stated presidential election, the The Donald Trump Ransomware was released.
The Trump Ransomware was a development version that had built-in decryption.