In an unexpected twist, the developer of the recently uncovered Exotic ransomware made contact with the research team that discovered his creation. The coder identified himself to the security analysts as German developer EvilTwin, alias Exotic Squad.
Exotic ransomware was spotted on October 12 by MalwareHunterTeam. The virus was found to be a trivial win-locker which encrypts files, creates a ransom note and demands a payment to decrypt the infected data.
While a ransomware program does not need special functions to be effective, it does require robust code to withstand cracking techniques. In this instance, the research team concluded that the virus is not advanced enough to be an actual threat.
The researchers of MalwareHunterTeam detected Exotic ransomware on October 12. They did what they usually do when finding a new win-locker virus. They shared their discovery on Twitter to warn people about the threat. The news item included a video of the program’s infection pattern on a PC.
The reaction of Exotic’s creator made for an interesting news story. Ransomware developers dread it when security researchers intervene in their business, as this often leads to their program being cracked. The experts at MalwareHunterTeam were astonished when they received a friendly message from the person behind Exotic ransomware. The developer thanked the team for taking the time to analyze his creation and make a video about it. He showed interest in keeping in contact with the researchers and offered to add them on Skype.
The surprisingly positive attitude of Exotic Squad matched the eagerness he showed towards improving his craft. The developer went on to release two updates. Exotic 2.0 and Exotic 3.0 were published on October 13 and October 14, respectively. The three versions appeared only a day apart from each other. The analyses revealed that the updates to the original Exotic 1.0 were insignificant.
Exotic ransomware in a nutshell
The win-locker follows a traditional pattern. Exotic encrypts files using the AES-128 algorithm. The program creates a ransom note stating its demand, a payment of $50 USD. This is a small amount compared to the average sum ransomware programs ask for. Exotic requires victims to pay in bitcoin. The purpose of this method is anonymity. The bitcoin cryptocurrency allows people to make online transactions without revealing their personal details. Of course, in Exotic’s case anonymity is now out the window.
The program makes a couple of additional changes to the targeted files. It generates a random name for them and replaces their original file extension with the .exotic suffix.
The developer of Exotic seems to be an avid ransomware fan. He appears to have adopted a couple of traits from two other win-lockers. The background of the program’s ransom note is an image of Hitler. Another win-locker which was released in August uses an image of the same historical figure for its note. The program is actually called Hitler ransomware.
The other element the creator of Exotic has borrowed is a lock screen design. It is similar to the screen used by Jigsaw ransomware.
The only distinctive characteristic of Exotic is a bug in the encryption process. The program targets some folders multiple times. At first, analysts got the impression that the virus continued scanning the computer for new files, as some win-lockers do. They later discovered that the bug was the reason for the system slowing down. This further proves that the creator of Exotic is not an experienced coder.