With all the buzz around tonight's Presidential Debate between Hillary Clinton and Donald Trump, I decided to see if I could find any malware based around these polarizing candidates. Though I did not find anything related to Hillary Clinton, I did stumble upon a development version of the Donald Trump Ransomware.

Donald Trump Ransomware

The Donald Trump Ransomware is currently in development and as it was first compiled over a month ago, there is a good chance that it will never be actively distributed. Though the ransomware does contain functions to encrypt files using AES, in its current form it does not actually encrypt anything.

Instead, it looks for files in the encrypt folder, base64-encodes the file names, and appends the .ENCRYPTED extension to any file whose extension matches its target list. The extensions targeted by this program are:

.zip, .mp3, .7z, .rar, .wma, .avi, .wmv, .csv, .tax, .sidn, .itl, .mdbackup, .menu, .icarus, .litemod, .sav, .lvl, .raw, .flv, .m3u, .xxx, .pak, .jpg, .png, .docx, .doc, .ppt, .odt, .csv, .jpeg, .psd, .rtf, .cfg, Minecraft, alts.json, .wolfram, .dat, .dat_mcr, .mca, .Ink, .pub, .pptx, .php, .html, .yml, .sk, .txt, .mp4, .vb, .swf, .ico, .xcf, bukkit.jar, .log, .sln, .ini, .dll, .xml, .tex, .assets, .resource, .java, .js, .css, .gif

In this version, clicking the Unlock button simply renames the files back to their original filenames.
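Because this build only renames files (base64 of the original name plus a .ENCRYPTED marker) rather than encrypting them, a responder can recover the original names without any key. The following Python is an added example written for this article; it is not code from the post or from the sample itself. It decodes names that follow the scheme described above, rejects anything that does not round-trip as canonical base64 or that decodes to an unsafe name, and triages a directory listing into recovered, suspicious, and untouched entries. The function names and the sample listing are constructed for illustration.

```python
import base64
import binascii
from typing import Dict, List, Optional, Tuple

# Marker extension the post describes being appended to renamed files.
MARKER_EXTENSION = ".ENCRYPTED"

# Subset of the extension list quoted in the post, used only to flag
# recovered names that fall outside what this build is said to target.
TARGETED_EXTENSIONS = {
    ".zip", ".mp3", ".7z", ".rar", ".docx", ".doc", ".jpg", ".jpeg",
    ".png", ".txt", ".csv", ".pptx", ".xml", ".log", ".ini", ".dll",
}


def recover_original_name(renamed: str) -> Optional[str]:
    """Return the original filename if `renamed` is base64(name) + '.ENCRYPTED'.

    Returns None when the marker is absent, the stem is not strictly valid
    base64, the bytes are not UTF-8, the encoding is non-canonical, or the
    decoded name could be used for path traversal.
    """
    if not renamed.endswith(MARKER_EXTENSION):
        return None
    stem = renamed[: -len(MARKER_EXTENSION)]
    try:
        # validate=True rejects characters outside the base64 alphabet and bad padding.
        decoded = base64.b64decode(stem, validate=True)
    except (binascii.Error, ValueError):
        return None
    # Only accept stems that re-encode to exactly the same text (canonical base64).
    if base64.b64encode(decoded).decode("ascii") != stem:
        return None
    try:
        original = decoded.decode("utf-8")
    except UnicodeDecodeError:
        return None
    # Never hand back a name that would escape the directory when used in a rename.
    if not original or "/" in original or "\\" in original or original in (".", ".."):
        return None
    return original


def has_targeted_extension(name: str) -> bool:
    """True if the recovered name ends with one of the listed target extensions."""
    lowered = name.lower()
    return any(lowered.endswith(ext) for ext in TARGETED_EXTENSIONS)


def triage_listing(names: List[str]) -> Tuple[Dict[str, str], List[str], List[str]]:
    """Split a listing into (renamed -> original, suspicious marker files, untouched).

    Suspicious means the .ENCRYPTED marker is present but the stem does not
    decode under this scheme, which is the case to look at by hand.
    """
    recovered: Dict[str, str] = {}
    suspicious: List[str] = []
    untouched: List[str] = []
    for name in names:
        if not name.endswith(MARKER_EXTENSION):
            untouched.append(name)
            continue
        original = recover_original_name(name)
        if original is None:
            suspicious.append(name)
        else:
            recovered[name] = original
    return recovered, suspicious, untouched


# Constructed sample listing: two names renamed under the described scheme,
# one file left alone, and two marker files whose stems do not decode.
SAMPLE_LISTING = [
    base64.b64encode(b"report.docx").decode("ascii") + MARKER_EXTENSION,
    base64.b64encode(b"holiday.jpg").decode("ascii") + MARKER_EXTENSION,
    "notes.txt",
    "not-base64!!" + MARKER_EXTENSION,
    "abc" + MARKER_EXTENSION,
]


if __name__ == "__main__":
    recovered, suspicious, untouched = triage_listing(SAMPLE_LISTING)
    for renamed, original in recovered.items():
        flag = "" if has_targeted_extension(original) else " (extension not in target list)"
        print(f"{renamed} -> {original}{flag}")
    print("suspicious:", suspicious)
    print("untouched:", untouched)
```

The round-trip check matters in practice: a lenient decoder would happily "recover" a name from stems that were never produced by this scheme, so the triage keeps those aside for manual review instead of renaming them.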

While I did not find any serious infections corresponding to these candidates, I urge everyone to be extra careful with any email attachments they receive during the election. It is very common for malware developers to send malicious attachments disguised as content related to the current news.

Files associated with the Donald Trump Ransomware:

CRPT-TRX.exe

IOCs:

SHA256: 4cea9dbc941756f7298521104001bc20cb73cfdda06a60a9e90760188661f5e4