{"id":3360,"date":"2024-10-15T07:12:54","date_gmt":"2024-10-15T07:12:54","guid":{"rendered":"https:\/\/lmntrix.com\/blog\/?p=3360"},"modified":"2025-07-29T07:02:46","modified_gmt":"2025-07-29T07:02:46","slug":"the-grinch-is-now-stealing-christmas-with-festive-ransomware","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/the-grinch-is-now-stealing-christmas-with-festive-ransomware\/","title":{"rendered":"The Grinch is now stealing Christmas with festive ransomware\u00a0"},"content":{"rendered":"
\n
\"The<\/figure>\n<\/div>\n\n\n

With only a few days until Christmas, hackers are getting in on the season of giving, packaging and distributing a present no one wants to receive \u2013 ransomware.\u00a0

The malware, named \u201cChristmas Ransomware\u201d, demands a ransom of 0.03 bitcoins (currently equivalent to about USD$500) for files to be restored.

According to analysis (further below) the ransomware was developed on November 5 this year, and since then has been targeting users in English speaking countries.

This clandestine Christmas package is delivered to users via spam emails with malicious attachments.

Static and Dynamic Analysis<\/strong>

File details:

MD5: 576BB539C75A587A4F88CBEF2D6A34DA

Size: 4127 KB (4.02 MB)<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 1 File compiled using .NET<\/em>

Compiler: .NET\u00a0

TimeDateStamp: Sun Nov 05 23:10:00 2017.\u00a0

Filename: Christmas.exe

Debugged filename: Christmas.pdb\u00a0

Below, we\u2019ve highlighted strings in the file which underscore its malicious nature \u2013 these include EncrpytFile, get_MachineName, and CreateDecryptor:\u00a0<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 2 Interesting strings<\/em><\/p>\n\n\n\n

The ransomware targets most user files \u2013 a complete list of extensions is below:<\/p>\n\n\n\n

.png .3dm .3g2 .3gp .aaf .accdb .aep .aepx .aet .ai .aif .arw .as .as3 .asf .asp .asx .avi .bay .bmp .cdr .cer .class .cpp .cr2 .crt .crw .cs .csv .db .dbf .dcr .der .dng .doc .docb .docm .docx .dot .dotm .dotx .dwg .dxf .dxg .efx .eps .erf .fla .flv .idml .ifp .indb .indd .indl .indt .inx .jar .java .jpeg .jpg .kdc .m3u .m3u8 .m4u .max .mdb .mdf .mef .mid .mov .mp3 .mp4 .mpa .mpeg .mpg .mrw .msg .nef .nrw .odb .odc .odm .odp .ods .odt .orf .p12 .p7b .p7c .pdb .pdf .pef .pem .pfx .php .plb .pmd .pot .potm .potx .ppp .ppj .pps .ppsm .ppsx .ppt .pptm .pptx .prel .prproj .ps .psd .pst .ptx .r3d .ra .raf .rar .raw .rb .rtf .rw2 .rwl .sdf .sldm .sldx .sql .sr2 .srf .srw .svg .swf .tif .vcf .vob .wav .wb2 .wma .wmv .wpd .wps .x3f .xla .xlam .xlk .xll .xlm .xls .xlsb .xlsm .xp .xlt .xltm .xltx .xlw .xml .xqx .zip.mp3 .mp4 .txt .greenfoot .7z .html .bat .webmaf .rar .raw .rb .rtf .rw2 .rwl .sdf .sldm .sldx .sql .sr2 .srf .srw .svg .swf .tif .vcf .vob .wav .wb2 .wma .wmv .wpd .wps .x3f .xla .xlam .xlk .xll .xlm .xls .xlsb .xlsm .xp<\/p>\n\n\n\n

Code Analysis and Execution<\/strong><\/p>\n\n\n\n

With the help of reversing tools, we unpacked some of the file resources, such as icons and background images:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 3 Icon resource resembling decoration<\/em><\/p>\n\n\n\n

Below is the ransom note as displayed on the victim\u2019s screen:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 4 Background image- Christmas Ransomware<\/em>

The ransomware uses AES 256 bit encryption. This class of encryption is widely considered \u2018uncrackable\u2019 and is the same cipher used in Secure Sockets Layer (SSL) and Transport Layer Security (TLS) \u2013 this process is outlined below:<\/p>\n\n\n\n

    public class AES
    {
        public static byte[] generateKey()
        {
            RijndaelManaged rijndaelManaged = new RijndaelManaged
            {
                KeySize = 256
            };
            rijndaelManaged.GenerateKey();
            return rijndaelManaged.Key;
        } <\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

The created key is then used to encrypt the victim\u2019s files:

ICryptoTransform cryptoTransform = rijndaelManaged.CreateDecryptor(key, key);

return cryptoTransform.TransformFinalBlock(byte_ciphertext, 0, byte_ciphertext.Length);<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 5 Creating encryptor key<\/em>

After creating the encryption key, Christmas Ransomware fetches the file list so it knows which files to encrypt. To do that, this ransomware uses a class called CryptoMod which contains functions to encrypt files, setting parameters for target file names, and the generated encryption key:<\/p>\n\n\n\n

        internal static void encryptFile(string fullName, byte[] aesKey)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

This class will be used in the upcoming code \u2013 see below:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 6 File encryption code<\/em><\/p>\n\n\n\n

Here we see the ransomware is also known as \u201ccuteRansomware\u201d, suggesting the authors are connected to both strains. cuteRansomware is an interesting case itself as it uses Google Docs to host decryption keys and CnC infrastructure.<\/p>\n\n\n\n

After further analysis, we discovered three text files inside the code which store the ransomware\u2019s execution attributes: <\/p>\n\n\n\n

\u2022    sendback.txt, <\/p>\n\n\n\n

\u2022    secret.txt, <\/p>\n\n\n\n

\u2022    secretAES.txt. <\/p>\n\n\n\n

Below, we can see how Christmas Ransomware uses hta (html application) to write the registry entries: <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 7 Important text files, registry key using HTA<\/em><\/p>\n\n\n\n

We then searched for the extension the ransomware adds to encrypted files, and found \u201c.adr\u201d replaces legitimate extensions. <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 8 File extension added to the encrypted files<\/em><\/p>\n\n\n\n

IOC details<\/strong><\/p>\n\n\n\n

File name: Christmas.exe<\/p>\n\n\n\n

pdb string details: Christmas.pdb<\/p>\n\n\n\n

file extension: .adr <\/p>\n\n\n\n

Registry entry created: HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunOnceadr.<\/p>\n\n\n\n

Conclusion<\/strong><\/p>\n\n\n\n

As much as we all love receiving Christmas presents, this is one you don\u2019t want to unwrap.  <\/p>\n\n\n\n

As always, the best mitigation against ransomware is to keep regular back-ups of your files so you can restore to previous versions in the event of an infection. Also, keep software patched and up-to-date, and never open attachments from suspicious sources. <\/p>\n","protected":false},"excerpt":{"rendered":"

With only a few days until Christmas, hackers are getting in on the season of giving, packaging and distributing a present no one wants to receive – ransomware.  The malware, named “Christmas Ransomware”, demands a ransom of 0.03 bitcoins (currently equivalent to about USD$500) for files to be restored. According to analysis (further below) the […]<\/p>\n","protected":false},"author":1,"featured_media":2794,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-3360","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/3360","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=3360"}],"version-history":[{"count":3,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/3360\/revisions"}],"predecessor-version":[{"id":4360,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/3360\/revisions\/4360"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/2794"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=3360"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=3360"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=3360"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}