Ransomware - Anonymous

Anonymous
Description

Anonymous ransomware is built from the NoCry ransomware builder, which is itself based on the infamous WannaCry ransomware. This is evident from the debug string in the discovered sample (C:\Users\Anonymous\Desktop\NoCry Builder + Source Code + Exploit Jpeg\Anonymous Encrypter SCR\ransomeware\obj\Debug\Anonymous.pdb). This ransomware shares similarities with others, such as BlackSkull, GhosHacker, and AzzaSec. The sample's metadata correlates directly with AzzaSec, suggesting that this is an early iteration of AzzaSec's encryptors. This also indicates that all four of these families are related, and our theory is that all of them are early versions of AzzaSec.

The Anonymous ransomware also contains almost all indicators of the XRed Backdoor, such as the C2s:

xred.mooo.com
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/Synaptics.rar
http://xred.site50.net/syn/SSLLibrary.dll
http://xred.site50.net/syn/SUpdate.ini

And the emails:

xredline1@gmail.com
xredline2@gmail.com
xredline3@gmail.com

The XRed Backdoor uses SMTP to send system information to the threat actors.

Executing Anonymous changes the desktop wallpaper and displays a modal dialog with instructions for the victim. It also drops a traditional ransom note in HTML form, all characteristics of the other ransomware families discussed above. Files are encrypted with AES and have .Anonymous appended to their names.

NOTE: There's no evidence this ransomware is related to the Anonymous group.

Ransomware Type: Crypto-Ransomware
First Seen:
Last Seen:
Extortion Types: Direct Extortion
Extortion Price Increases:
Extortion Timeout:
Extortion Amount: $300
Communication (Medium / Identifier): Email
Encryption Type: Hybrid
Files: AES
Additional Encryption: SHA-512
Crypto Wallet (BTC): 1HAckER4mTSYYrBZbWSxcv41V234dhnb8L
File Extension: <file name>.<file extension>.Anonymous
Ransom Note Name: Anonymous.exe, Recover_Your_Files.html
Samples (SHA-256): 69d118fb4175ca4c144fd29b8c9c8a0218cb03da947e0136d36b08b2bd2b652c
References & Publications