Ransomware - LeakThemAll

LeakThemAll
Aliases: LeakTheMall
Decryptor Available: No
Description

Is it LeakThemAll or LeakTheMall? Because the ransomware names itself in all lowercase letters, the world may never know what it is truly called. If the victim(s) had all been shopping malls, then maybe it would be the latter. However, we are assuming the ransomware is the former: LeakThemAll. This ransomware first appeared in Amigo-A's Crypto-Ransomware Digest on September 2, 2020, and the Digest is therefore credited with its discovery. A few researchers claim to have observed variants of LeakThemAll in which encrypted files are appended with .beijing and .montana. We disagree with these assertions, as those samples showed little resemblance to LeakThemAll: the encryption mechanism is vastly different and uses different cryptography libraries, the ransom notes differ, and the communication mechanisms, although all use email, show few similarities. Amigo-A's Crypto-Ransomware Digest labels these variants as BeijingCrypt, and we agree with that classification.

LeakThemAll shares the characteristics of a typical crypto-ransomware. It encrypts files, appends a file extension to the encrypted files (<file name>.crypt), and drops a ransom note (ReadMe.txt) asking victims to contact the ransomware operators (leakthemall@protonmail[.]com) to negotiate the decryption of their files. A unique characteristic of this ransomware is the mechanism it uses to encrypt files: it uses an open-source command-line file encryption tool called Lockdown. Lockdown was created in 2019 and written in Go by a GitHub user named raz-varren. This encryption tool uses a combination of AES, HMAC-SHA-512, Argon2, and another open-source GitHub tool called Memguard, which protects sensitive data in memory. If you are reading this, it is very likely you will not have to worry about this ransomware infecting your network, as it appears to have been a "one and done."
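The indicators listed on this page (the .crypt extension, the ReadMe.txt note naming the ProtonMail contact address, and the sample SHA-256) are enough for a simple host triage pass. The following Python script is an added example written for this entry; it is not code from the page, from the ransomware, or from the Lockdown project. It walks a directory tree, counts encrypted-looking files, checks any ReadMe.txt for the contact address, hashes files against the listed sample, and returns a verdict. The `build_constructed_tree` helper fabricates a small "infected" directory purely so the example runs offline; the verdict thresholds are this example's own assumption.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators taken from the LeakThemAll entry above.
ENCRYPTED_EXT = ".crypt"
RANSOM_NOTE_NAME = "ReadMe.txt"
# Matched on the user@domain stem so the defanged "[.]com" on the page does not matter.
CONTACT_STEM = "leakthemall@protonmail"
SAMPLE_SHA256 = {"f8766ecc7775a6b14e6e46ef1e162cb609179c7a44e39a393c8fcd2ef0cd8ff0"}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to be loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage_tree(root) -> dict:
    """Scan a directory tree for the LeakThemAll indicators and return a summary."""
    root = Path(root)
    result = {"encrypted_files": [], "ransom_notes": [], "known_samples": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            rel = str(path.relative_to(root))
            if path.suffix == ENCRYPTED_EXT:
                result["encrypted_files"].append(rel)
            if name == RANSOM_NOTE_NAME:
                try:
                    text = path.read_text(errors="replace")
                except OSError:
                    text = ""
                if CONTACT_STEM in text:
                    result["ransom_notes"].append(rel)
            try:
                if sha256_of(path) in SAMPLE_SHA256:
                    result["known_samples"].append(rel)
            except OSError:
                pass  # unreadable file: skip rather than abort the whole scan
    # Verdict thresholds are an assumption of this example, not from the page.
    if result["known_samples"] or (result["ransom_notes"] and result["encrypted_files"]):
        result["verdict"] = "likely LeakThemAll"
    elif result["encrypted_files"]:
        result["verdict"] = "suspicious: encrypted-looking files without a matching note"
    else:
        result["verdict"] = "no LeakThemAll indicators"
    return result


def build_constructed_tree(base) -> Path:
    """Create a constructed sample tree: three .crypt files, one note, one benign file."""
    base = Path(base)
    docs = base / "Documents"
    docs.mkdir(parents=True, exist_ok=True)
    for i in range(3):
        (docs / f"report{i}.docx{ENCRYPTED_EXT}").write_bytes(os.urandom(64))
    (docs / RANSOM_NOTE_NAME).write_text(
        "Your files are encrypted. Contact leakthemall@protonmail.com\n"  # constructed text
    )
    (base / "notes.txt").write_text("nothing to see here\n")
    return base


if __name__ == "__main__":
    tree = build_constructed_tree(tempfile.mkdtemp(prefix="triage_"))
    summary = triage_tree(tree)
    print(f"{summary['verdict']}: {len(summary['encrypted_files'])} encrypted, "
          f"{len(summary['ransom_notes'])} note(s), {len(summary['known_samples'])} known sample(s)")
```

Run it as-is to see the constructed case, or call `triage_tree` on a real mount point. Hashing every file makes the scan slow on large volumes; in practice you would restrict the hash check to executable file types and let the extension and note checks do the bulk of the work.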

Ransomware Type: Crypto-Ransomware
First Seen:
Last Seen:
Extortion Types: Direct Extortion
Communication
  Medium:
  Identifier:
Encryption
  Type: Other
  Files: Lockdown
File Extension: <file name>.crypt
Ransom Note Name: ReadMe.txt
Ransom Note Image:
Samples (SHA-256): f8766ecc7775a6b14e6e46ef1e162cb609179c7a44e39a393c8fcd2ef0cd8ff0
References & Publications: The Crypto-Ransomware Digest: leakthemall