Is it LeakThemAll or LeakTheMall? Considering the ransomware is named in all lowercase letters, the world may never know what it's truly called. If the victim(s) were all shopping malls, then maybe it's the latter. However, we are assuming the ransomware is the former, LeakThemAll. This ransomware first appeared on Amigo-A's Crypto-Ransomware Digest on September 2, 2020, which is therefore credited with its discovery. A few researchers claim to have observed variants of LeakThemAll that append .beijing and .montana to encrypted files. We disagree with these assertions, as those samples bear little resemblance to LeakThemAll: the encryption mechanism is vastly different and uses different cryptography libraries, the ransom notes are different, and the communication mechanisms, all of which use email, show little similarity. Amigo-A's Crypto-Ransomware Digest labels these variants as BeijingCrypt, and we agree with that.
LeakThemAll shares the characteristics of a typical crypto-ransomware. It encrypts files, appends an extension to each encrypted file (<file name>.crypt), and drops a ransom note (ReadMe.txt) asking victims to contact the operators by email (leakthemall@protonmail[.]com) to negotiate for decryption. A unique characteristic of this ransomware is the mechanism it uses to encrypt files: an open-source command-line file encryption tool called Lockdown. Lockdown was created in 2019, written in Go by a GitHub user named raz-varren, and combines AES, HMAC-SHA-512, Argon2, and another open-source GitHub project, Memguard, that protects sensitive data in memory. That is a sound set of primitives for password-based authenticated encryption, so there is no obvious cryptographic shortcut to recovering files without the key; recovery means restoring from backups. If you're reading this, it's very likely you won't have to worry about this ransomware infecting your network, as it appears to be a "one and done."
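To show what the encryption composition described above looks like in practice, here is an added Go example of password-based encrypt-then-MAC using AES-256-CTR with an HMAC-SHA-512 tag over the whole container (salt, IV and ciphertext). This is not Lockdown's code and does not reproduce its file format; the container layout and the sample passphrase and plaintext are constructed for illustration. Argon2 lives in golang.org/x/crypto/argon2, outside the standard library, so deriveKeys below stretches the passphrase with iterated SHA-512 as a dependency-free stand-in (it is not memory-hard) and notes where the real argon2.IDKey call would go. The Memguard memory-locking layer is not reproduced.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha512"
	"errors"
	"fmt"
)

// Container layout (constructed for this example, not Lockdown's format):
//   salt (16) || IV (16) || AES-256-CTR ciphertext || HMAC-SHA-512 tag (64)
const (
	saltLen = 16
	ivLen   = aes.BlockSize
	tagLen  = sha512.Size
)

// ErrAuth is returned when the tag does not verify: wrong passphrase or a
// modified file. Nothing is decrypted in that case.
var ErrAuth = errors.New("authentication failed: wrong passphrase or tampered data")

// deriveKeys turns a passphrase and salt into separate encryption and MAC keys.
// Stand-in for Argon2: Lockdown uses Argon2, which would be
//   km := argon2.IDKey(pass, salt, 3, 64*1024, 4, 64)
// from golang.org/x/crypto/argon2. Iterated SHA-512 keeps this example free of
// external modules but is NOT memory-hard; do not use it in real software.
func deriveKeys(pass, salt []byte) (encKey, macKey []byte) {
	km := append(append([]byte{}, salt...), pass...)
	h := sha512.New()
	for i := 0; i < 1<<16; i++ {
		h.Reset()
		h.Write(km)
		km = h.Sum(km[:0])
	}
	return km[:32], km[32:] // 32 bytes for AES-256, 32 bytes for HMAC
}

// Seal encrypts plaintext under pass with a fresh random salt and IV.
func Seal(pass, plaintext []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	iv := make([]byte, ivLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	return sealWith(pass, salt, iv, plaintext)
}

// sealWith does the encrypt-then-MAC step with caller-supplied salt and IV.
func sealWith(pass, salt, iv, plaintext []byte) ([]byte, error) {
	encKey, macKey := deriveKeys(pass, salt)
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 0, saltLen+ivLen+len(plaintext)+tagLen)
	out = append(out, salt...)
	out = append(out, iv...)
	ct := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(ct, plaintext)
	out = append(out, ct...)
	// Tag covers salt, IV and ciphertext, so none of them can be altered.
	mac := hmac.New(sha512.New, macKey)
	mac.Write(out)
	return mac.Sum(out), nil
}

// Open verifies the tag in constant time before decrypting anything.
func Open(pass, sealed []byte) ([]byte, error) {
	if len(sealed) < saltLen+ivLen+tagLen {
		return nil, ErrAuth
	}
	body, tag := sealed[:len(sealed)-tagLen], sealed[len(sealed)-tagLen:]
	salt, iv, ct := body[:saltLen], body[saltLen:saltLen+ivLen], body[saltLen+ivLen:]
	encKey, macKey := deriveKeys(pass, salt)
	mac := hmac.New(sha512.New, macKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, ErrAuth
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCTR(block, iv).XORKeyStream(pt, ct)
	return pt, nil
}

func main() {
	pass := []byte("correct horse battery staple") // constructed sample passphrase
	doc := []byte("Q3 payroll export (constructed sample plaintext)")
	sealed, err := Seal(pass, doc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d plaintext bytes into %d bytes\n", len(doc), len(sealed))
	pt, err := Open(pass, sealed)
	fmt.Printf("open with correct passphrase: %q err=%v\n", pt, err)
	sealed[saltLen+ivLen] ^= 0x01 // flip one ciphertext bit
	_, err = Open(pass, sealed)
	fmt.Println("open after tampering:", err)
}
```

The point for an analyst is the shape of the thing: a per-file random salt and IV mean two encryptions of the same plaintext share no bytes, and the tag over the whole container means a bit-flip or a wrong passphrase fails closed before any decryption happens. Swapping the stand-in KDF for Argon2 changes only deriveKeys.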