MoneroPay Malware Pretends to Be a Cryptocurrency Wallet

A new ransomware strain called MoneroPay has been found. Its developer is taking advantage of the cryptocurrency gold rush: MoneroPay impersonates a cryptocurrency wallet for storing SpriteCoin. There is no real SpriteCoin; it is a fake.

Gullible crypto-enthusiasts rushed to install what looked like a wallet, but once on the machine, it started encrypting all their files.

MoneroPay ransomware first appeared around January 6, 2018. It was listed on the world’s biggest cryptocurrency discussion forum, BitcoinTalk.

The forum thread, created in the Altcoin discussion section, included a link to a one-page website that briefly explained the essence of SpriteCoin and offered its wallet for download.

The crooks posted their fake offer in a popular place where developers often announce new cryptocurrencies, and it looks like plenty of people downloaded the fake wallet. Cryptocurrencies are so hot right now that people rush to mine new coins as early as possible, before the mining difficulty increases.

When installing new wallets, many active miners disable their antivirus software, because a lot of legitimate wallets used to trigger false alerts from AV. Triggering antivirus alerts is considered normal in this quickly growing industry, and the MoneroPay authors are banking on that fact. Their ransomware was installed quietly, and users were unaware of it until it was too late.

Fake Blockchain setup

As with most wallets, once you install it you need to sync it with the blockchain. The ransomware author abused this expectation in order to silently encrypt files while pretending to connect to the blockchain and synchronize. It is a perfect cover for any ransomware, as both synchronization and file encryption require a lot of processor and memory activity.

Once the so-called blockchain synchronization is over, MoneroPay locks the screen and shows a ransom note. At this moment, victims realize they have been had. MoneroPay asks for a 120 USD ransom to be paid in Monero. That is a modest amount; other ransomware strains usually demand 1,000 USD or more. Besides encrypting files, MoneroPay steals passwords from web browsers.

Cryptocurrencies are attracting criminals more and more. Wallets get infected, online exchanges get breached, and phishing sites are all over the place.

Crypto-enthusiasts should keep a working backup of all files so they can be restored in case of MoneroPay or any other desktop or mobile ransomware. All new wallets should be scanned for malware using VirusTotal or similar services. Your antivirus software should include behavioral detection, not just signatures. Don’t click on strange links, and be cautious when opening email attachments.
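The behavioral detection recommended above targets exactly the cover described in the "Fake Blockchain setup" section: a single process rewriting many user files with encrypted-looking (high-entropy) content in a short time. The following is an added example, not code from the article or from any antivirus product; the process name `spritecoin-wallet.exe`, the file paths and the write events are constructed for the demonstration, and the thresholds are assumptions a defender would tune.

```python
import math
from collections import defaultdict

# Constructed sample of file-write events: (timestamp_s, process, path, bytes_written).
# The fake "wallet" rewrites 40 user documents with high-entropy data, which is what
# encryption looks like on disk; the text editor writes plain text to a single file.
def _pseudo_random(seed: int, n: int = 512) -> bytes:
    # Deterministic stand-in for ciphertext: cycles through all 256 byte values.
    return bytes((seed * 131 + j * 7919) % 256 for j in range(n))

SAMPLE_EVENTS = [
    (0.5 * i, "spritecoin-wallet.exe", f"C:/Users/alice/Documents/doc{i}.txt", _pseudo_random(i))
    for i in range(40)
] + [
    (1.0, "notepad.exe", "C:/Users/alice/Documents/notes.txt", b"meeting notes for monday " * 20),
]

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniformly random bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def flag_mass_encryption(events, window_s=30.0, min_files=20, entropy_threshold=7.0):
    """Return the names of processes that wrote high-entropy content to at least
    `min_files` distinct files within any `window_s` second window."""
    high_entropy_writes = defaultdict(list)  # process -> [(timestamp, path)]
    for ts, proc, path, data in events:
        if shannon_entropy(data) >= entropy_threshold:
            high_entropy_writes[proc].append((ts, path))
    flagged = set()
    for proc, writes in high_entropy_writes.items():
        writes.sort()
        for i, (start, _) in enumerate(writes):  # slide the window over each start time
            paths = {p for t, p in writes[i:] if t - start <= window_s}
            if len(paths) >= min_files:
                flagged.add(proc)
                break
    return flagged

if __name__ == "__main__":
    print("Processes showing mass-encryption behavior:", flag_mass_encryption(SAMPLE_EVENTS))
```

A real monitor would feed this from file-system events (for instance a minifilter or auditd stream) and suspend the offending process rather than just report it; the entropy check is what lets a behavioral engine catch a never-seen-before sample that no signature matches.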

Previous coverage of the MoneroPay ransomware scam is available here.

David Balaban

David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com project, which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.