Tyrant Ransomware Spreads in Iran Disguised as Popular VPN App

CERT-LatestNews ThreatsActivists

The Iran Computer Emergency Response Team Coordination Center (Iran CERTCC) has issued a security alert about a ransomware distribution campaign currently active in the country.

The alert warns users about Tyrant ransomware, a strain spotted by G Data security researcher Karsten Hahn last Monday, October 16.

According to Iran CERTCC, miscreants have spread versions of the Psiphon VPN app laced with Tyrant and are now trying to extort infected users for money.

Tyrant ransom note

Tyrant ransom note

Victims have 24 hours to pay the equivalent of $15. Tyrant distribution specifically targets Iran, as the ransom note is only available in Farsi and the ransomware uses two local payment processors — exchanging.ir and webmoney724.ir.

The Tyrant ransom note also features two contact methods, the email address [email protected] and Telegram username @Ttyperns.

The person behind this attack might not be aware that a cyber-espionage hacking group linked to the Iranian government — codenamed Rocket Kittens — has used a vulnerability to uncover and map out Telegram IDs to users’ phone numbers back in the summer of 2016.

Tyrant ransomware part of the DUMB family

Dumb is also the word of the day when it comes to the Tyrant ransomware because Tyrant is a strain of the larger DUMB ransomware family.

Bleeping Computer founder and analyst Lawrence Abrams first spotted this ransomware in January 2017 and then identified a Polish variant in June 2017.

DUMB was considered a “joke” ransomware because its first variants used simplistic XOR encryption and saved the encryption key inside the encrypted file itself. The first DUMB ransomware version was so poorly coded that it self-decrypted when you closed the window showing the ransom note.

DUMB versions are also based on ransomware proof-of-concept code published on GitHub, later forked by others.

Researchers investigating if Tyrant is decryptable

Besides translating the ransom note to Farsi, the Tyrant ransomware appears to have suffered little modifications from its original source. Security expert MalwareHunter is currently investigating if Tyrant is decryptable in the same way as previous DUMB-based variants.

“A joke ransomware, without any protection (I mean obfuscation, pack, etc) used in live attack? Made my day,” MalwareHunter jokingly told Bleeping Computer today.

Iran CERTCC analysts also spotted the same low coding quality. “Initial analysis suggests that this is the first version, or trial, of a larger attack because despite the encryption operation, sometimes the [ransomware] does not succeed in encrypting victim files, and moreover, despite the fact that there are many changes in the victim’s system registry, it is not able to maintain its functionality after rebooting the system,” the Iran CERTCC alert reads.

Besides the Tyrant ransomware alert, Iran CERTCC also issued a warning on the increased usage of RDP connections with weak credentials to install ransomware. Even if issued by Iran CERTCC, this warning should be heeded by organizations in all countries, as RDP has become a favorite method of installing ransomware in high-value enterprise environments across the world.