Barack Obama’s Blackmail Virus Ransomware Only Encrypts .EXE Files

Posted on

Originally Seen: on September 2, 2018 by Lawrence Abrams

Every once in a while you come across a really strange malware and such is the case with a new ransomware that only encrypts .EXE files on a computer. It then displays a screen with a picture of President Obama that asks for a “tip” to decrypt the files.

Barack Obama's Everlasting Blue Blackmail Virus Ransomware
Barack Obama’s Everlasting Blue Blackmail Virus Ransomware

First tweeted by MalwareHunterTeam, this ransomware has the bizarre title of “Barack Obama’s Everlasting Blue Blackmail Virus” as shown by the file properties below.

File Properties
File Properties

When executed, this ransomware will terminate various processes associated with antivirus software such as Kaspersky, McAfee, and Rising Antivirus . The commands executed to kill the processes are:

taskkill /f /im kavsvc.exe
taskkill /f /im KVXP.kxp
taskkill /f /im Rav.exe
taskkill /f /im Ravmon.exe
taskkill /f /im Mcshield.exe
taskkill /f /im VsTskMgr.exe

It will then scan the computer for .exe files and encrypt them. When encrypting files, it will target all .EXE files, even those that are located under the Windows folder. Other ransomware in the past that encrypted executables typically avoid the Windows folder so that it does not cause problems with the proper execution of the operating system.

Encrypted Executables
Encrypted Executables

As part of the encryption process, this ransomware will also modify the Registry keys associated with .exe files so that they use a new icon and run the virus every time someone launches an executable. The modified keys are listed below.

HKLM\SOFTWARE\Classes\exe\EditFlags	2
HKLM\SOFTWARE\Classes\exe\DefaultIcon\	C:\Users\User\codexgigas_.exe,0
HKLM\SOFTWARE\Classes\exe\Shell\Open\Command\	"C:\Users\User\codexgigas_.exe" "%1"

The message in the ransomware interface states that users should contact the attacker at the for payment instructions.

Hello, your computer is encrypted by me! Yeah, that means your EXE file isn't open! Because I encrypted it.
So you can decrypt it, but you have to tip it. This is a big thing. You can email this email: gets more information.

It is unknown how this ransomware is distributed or if the developer will even provide a decryption key if paid.

Obama is not the only President to have had a ransomware created after him. Prior to the 2016 United Stated presidential election, the The Donald Trump Ransomware was released.

The Trump Ransomware was a development version that had built-in decryption.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s