
Ransomware Roundup: New FBI, Wise Guys, and “Pyschedelic” Ransomware

By Shunichi Imano and James Slaughter | October 27, 2022

On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within the OSINT community and through our datasets. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants.

This latest edition of the Ransomware Roundup covers a new variant of FBI ransomware as well as the Wise Guys and “Pyschedelic” ransomware.

Affected platforms: Microsoft Windows
Impacted parties: Microsoft Windows Users
Impact: Encrypts files on the compromised machine and demands ransom for file decryption
Severity level: High

New Variant of FBI Ransomware

Ransomware variants that pose as law enforcement agencies, such as the Federal Bureau of Investigation (FBI) or Department of Justice (e.g., Reveton, 2012), have been around since the dawn of ransomware. Such variants typically claim that the victim either infringed on a copyright or is in possession of illegal pictures or movies. The typical message claims that the only way out of this serious (but fraudulent) situation is to pay a fine, which is the ransom.

FortiGuard Labs recently came across a new ransomware variant claiming to be from the FBI that follows this same strategy. The ransom message claims that the victim’s files have been encrypted due to illegal content the victim allegedly stored on their machine.

Figure 1. Ransom message displayed by a new variant of FBI ransomware

Victims are given five attempts to enter an unlock code that can supposedly be obtained after they’ve contacted the “FBI” via email (a Proton email address) and the “fine” is paid. After each failed attempt, an error message is displayed, adding pressure to either pay the fine or be imprisoned.

Figure 2. Error message on failed unlock attempt

Although the link in the ransom note contains an actual URL referencing the FBI homepage, it is only there to pressure the victim into paying. As seen below, the link does not resolve properly:

Figure 3. Page not found error on the alleged case page on the FBI site

While the hosting location has not yet been identified, this FBI ransomware variant appears to be distributed using a file named “PayPal Checker.exe”. PayPal Checker generally refers to a tool that checks the validity of PayPal accounts.

The Wise Guys Ransomware

The Wise Guys ransomware is destructive malware that deletes files on a victim’s machine. Once the ransomware runs, it deletes all files in the following special folders:

  • MyPictures
  • Desktop
  • MyMusic
  • Personal (this is the same as MyDocuments)
  • StartMenu
  • Favorites
  • Cookies
  • ApplicationData

It then tries to delete those folders as well. The destructive behavior does not end there, as it also erases shadow copies.

Figure 4. Error message displayed upon accessing deleted Documents folder

Although the victim has no way to recover the deleted files, the ransomware drops a few ransom notes named readme.txt, readme.html, and readme.hta. These ransom notes claim that files on the victim’s machine are encrypted, and the only way to get the affected files back is to pay $500 worth of Ethereum for a decryption key. This is a scam: the files have been deleted rather than encrypted, so victims who pay are paying for unrecoverable files. This ransomware is a good example of why not to pay a ransom to ransomware threat actors, as the ability to recover files is often low.

Figure 5. Ransom note of the Wise Guys ransomware

“Pyschedelic” Ransomware

Like most ransomware, the new “Pyschedelic” variant encrypts files on a victim’s machine and demands a ransom to recover the affected files. (Note that “Pyschedelic” is not a misspelling on our part; it’s the name provided by the attackers.) It leaves a ransom note as a text file, HOW_TO_DECRYPT_FILES.txt.

Figure 6. Ransom note of the “Pyschedelic” ransomware

The ransom note requests the victim to contact the attacker via email. It claims the victim’s files were encrypted using “unknown algorithms.” However, our analysis determined that the ransomware uses the Windows “certutil -encode” command to encode files. This means that these “unknown algorithms” are base64.
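Because “certutil -encode” only wraps Base64 text between certificate-style header and footer lines, affected files can be identified by content and decoded without any key. The following is an added example, not code from FortiGuard Labs or from the malware; the function names are hypothetical, the sample inputs are constructed, and it assumes the files carry the standard certutil header and footer.

```python
import base64
import binascii
import re

# certutil -encode wraps Base64 text in certificate-style header/footer lines.
HEADER = b"-----BEGIN CERTIFICATE-----"
FOOTER = b"-----END CERTIFICATE-----"
B64_LINE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def decode_certutil(blob: bytes):
    """Return the original bytes if blob is certutil -encode output, else None."""
    lines = [ln.strip() for ln in blob.strip().splitlines()]
    if len(lines) < 2 or lines[0] != HEADER or lines[-1] != FOOTER:
        return None  # missing wrapper: untouched or truncated file
    body = [ln for ln in lines[1:-1] if ln]
    if not all(B64_LINE.match(ln) for ln in body):
        return None  # wrapper present but payload is not clean Base64
    try:
        return base64.b64decode(b"".join(body), validate=True)
    except (binascii.Error, ValueError):
        return None  # corrupted payload


def encode_like_certutil(data: bytes) -> bytes:
    """Build a constructed sample in the same layout (64-char lines, CRLF)."""
    b64 = base64.b64encode(data)
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"\r\n".join([HEADER, *rows, FOOTER]) + b"\r\n"


def triage(files: dict) -> dict:
    """Map each name to the recovered bytes, or None if not decodable."""
    return {name: decode_certutil(content) for name, content in files.items()}


if __name__ == "__main__":
    # Constructed sample inputs, not real victim data.
    original = b"Quarterly report\n" * 10
    samples = {
        "report.docx": encode_like_certutil(original),
        "untouched.txt": b"plain text that was never encoded\n",
        "truncated.bin": encode_like_certutil(original)[:-40],
    }
    for name, recovered in triage(samples).items():
        state = "not decodable" if recovered is None else f"recovered {len(recovered)} bytes"
        print(f"{name} -> {state}")
```

Run any recovery of this kind against copies of the affected files so the originals remain available as evidence.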

The ransom fee is set at $150, which is considered low. That may indicate that this “Pyschedelic” ransomware is targeting consumers rather than enterprises.

Fortinet Protections

Fortinet customers are already protected from these malware variants through FortiGuard’s Web Filtering, AntiVirus, FortiMail, FortiClient, and FortiEDR services, as follows:

FortiGuard Labs detects the ransomware variants covered in this blog with the following AV signatures:

  • MSIL/Filecoder.FG!tr.ransom
  • W32/PossibleThreat
  • PossibleThreat

IOCs

FBI ransomware

  • 3a93a6b9c5f54108dd59e70c0d30c05127c34939aa51526cb844e5aa1d8d7e8b

The Wise Guys ransomware

  • 16b014aa6d0e2293b44a3071c898b9b9080cd1003e86bc32ecc6e45940a67d9f
  • 253bc015093f7282483d9ba36b2afc21111422860ec0e94f5dec6a989a211450

Pyschedelic ransomware

  • 0461298ce2c4d7ea25fea6a68556784bffff8cf703163492efde581ef4b0e354

FortiGuard Labs Guidance

Due to the ease of disruption, damage to daily operations, potential impact to an organization's reputation, and the unwanted destruction or release of personally identifiable information (PII), etc., it is vital to keep all AV and IPS signatures up to date.

Since the majority of ransomware is delivered via phishing, organizations should consider leveraging Fortinet solutions designed to train users to understand and detect phishing threats:

The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.

Our FREE NSE training, NSE 1 – Information Security Awareness, includes a module on internet threats designed to help end users learn how to identify and protect themselves from various types of phishing attacks and can be easily added to internal training programs.

To effectively deal with the evolving and rapidly expanding risk of ransomware, organizations will need to make foundational changes to the frequency, location, and security of their data backups. When coupled with digital supply chain compromise and a workforce telecommuting into the network, there is a real risk that attacks can come from anywhere. Cloud-based security solutions, such as SASE, to protect off-network devices; advanced endpoint security, such as EDR (endpoint detection and response) solutions that can disrupt malware mid-attack; and Zero Trust Access and network segmentation strategies that restrict access to applications and resources based on policy and context, should all be investigated to minimize risk and to reduce the impact of a successful ransomware attack.

As part of the industry's leading fully integrated Security Fabric, delivering native synergy and automation across your security ecosystem, Fortinet also provides an extensive portfolio of technology and human-based as-a-service offerings. These services are powered by our global FortiGuard team of seasoned cybersecurity experts.

Best Practices Include Not Paying a Ransom

Organizations such as CISA, NCSC, the FBI, and HHS caution ransomware victims against paying a ransom partly because payment does not guarantee that files will be recovered. According to a U.S. Department of the Treasury Office of Foreign Assets Control (OFAC) advisory, ransom payments may also embolden adversaries to target additional organizations, encourage other criminal actors to distribute ransomware, and/or fund illicit activities that could potentially be illegal. For organizations and individuals affected by ransomware, the FBI has a Ransomware Complaint page where victims can submit samples of ransomware activity via its Internet Crime Complaint Center (IC3).

How Fortinet Can Help

FortiGuard Labs’ Emergency Incident Response Service provides rapid and effective response when an incident is detected. And our Incident Readiness Subscription Service provides tools and guidance to help you better prepare for a cyber incident through readiness assessments, IR playbook development, and IR playbook testing (tabletop exercises).

Learn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard AI-powered security services portfolio.