Android/LycorisRadiata.A!tr.ransom

Analysis

Android/LycorisRadiata.A!tr.ransom is a generic detection for a Ransomware trojan. Since this is a generic detection, this malware may have varying behaviour.
Below are some of its observed characteristics/behaviours:

  • This malware is a variant of WannaCry Ransomware that targets Android devices.

  • The Ransomware creates a QR code that, when scanned, lets the user pay the ransom through one of the payment/messaging applications listed below:
    • Alipay
    • Wechat
    • QQ-Chat

  • The Ransomware will attempt to connect to the URL http://biaozhunshijia{Removed}.51240.com.

  • The Ransomware displays a countdown and alerts the user that they must pay before the countdown finishes or the ransomware will begin to delete files.

  • The Ransomware uses the Advanced Encryption Standard (AES) in Cipher Block Chaining (CBC) mode as its encryption method.

  • The Ransomware attempts to encrypt the following:
    • Generic filetypes
    • Files whose filename contains one of the following keywords:
      • android
      • com.
      • miad
      • baidunedisk
      • download
      • dcim

  • Below is an illustration of the malware's ransom notes and code:

    • Figure 1: The message that the ransom note displays.
    • Figure 2: Alerting the user that the countdown is over and a file will be deleted.
    • Figure 3: Code showing that the Ransomware attempts to establish a connection to a URL.
    • Figure 4: Code showing that the Ransomware creates a temporary chat room and displays the supported payment methods.
    • Figure 5: The Ransomware code for searching for files to encrypt.
    • Figure 6: Ransom note.
    • Figure 7: Background wallpaper of the affected device.

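As an added triage example (not Fortinet's detection logic and not code taken from the sample), the following Python script matches a strings dump of a suspect APK against the indicators listed above: the six filename keywords, the three payment applications, the unredacted 51240.com domain suffix of the reported URL, and the AES-CBC cipher. The strings dump in the block is constructed; the `AES/CBC/...Padding` transformation string and the placeholder hostname are assumptions, since the page states neither.

```python
"""Static triage of an Android APK strings dump against the indicators listed
in the analysis above. Added example for analysts; not Fortinet's detection
logic, and the sample dump below is constructed."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Indicators copied from the analysis section.
PATH_KEYWORDS = {"android", "com.", "miad", "baidunedisk", "download", "dcim"}
PAYMENT_APPS_RE = re.compile(r"\b(alipay|wechat|qq)\b", re.IGNORECASE)
C2_DOMAIN = "51240.com"  # only the unredacted suffix of the reported URL
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Assumption (not stated on the page): Android code requests AES-CBC through
# javax.crypto.Cipher.getInstance("AES/CBC/<padding>"), so that transformation
# string is what a strings dump of the DEX would show.
CIPHER_RE = re.compile(r"\bAES/CBC/[A-Za-z0-9]+Padding\b")


@dataclass
class TriageResult:
    path_keywords: set = field(default_factory=set)
    payment_apps: set = field(default_factory=set)
    c2_urls: list = field(default_factory=list)
    cipher_modes: set = field(default_factory=set)

    def categories_hit(self) -> int:
        return sum(bool(c) for c in (self.path_keywords, self.payment_apps,
                                     self.c2_urls, self.cipher_modes))

    def verdict(self) -> str:
        # Each category is weak alone: 51240.com serves many unrelated
        # subdomains, AES/CBC is common in benign apps, and "download" or
        # "dcim" appear in ordinary file managers. Require the cipher plus
        # at least two other traits before calling it a match.
        if self.cipher_modes and self.categories_hit() >= 3:
            return "likely-match"
        if self.categories_hit() >= 2:
            return "suspicious"
        return "no-match"


def triage_strings(lines):
    """Classify one strings dump (an iterable of str) against the indicators."""
    r = TriageResult()
    for raw in lines:
        line = raw.strip()
        # The path keywords are expected as standalone string constants (the
        # filter list). Substring matching would fire on every APK, because
        # "android" and "com." occur in class names and permission strings.
        const = line.strip('"').lower()
        if const in PATH_KEYWORDS:
            r.path_keywords.add(const)
        for m in PAYMENT_APPS_RE.finditer(line):
            r.payment_apps.add(m.group(1).lower())
        for url in URL_RE.findall(line):
            host = urlparse(url).hostname or ""
            if host == C2_DOMAIN or host.endswith("." + C2_DOMAIN):
                r.c2_urls.append(url)
        for m in CIPHER_RE.finditer(line):
            r.cipher_modes.add(m.group(0))
    return r


# Constructed strings dump standing in for `strings classes.dex` output.
# The real C2 hostname is redacted on the page, so a placeholder label is used.
SAMPLE_DUMP = [
    "Landroid/os/Environment;",          # contains "android" but is not a keyword
    "getExternalStorageDirectory",
    "AES/CBC/PKCS5Padding",
    '"android"', '"com."', '"miad"', '"baidunedisk"', '"download"', '"dcim"',
    "http://redacted-host.51240.com/",
    "alipay", "WeChat", "QQ",
]

BENIGN_DUMP = [
    "Landroid/os/Environment;",
    "AES/CBC/PKCS5Padding",              # crypto alone must not trigger
    "https://example.com/update.json",
]

if __name__ == "__main__":
    for name, dump in (("sample", SAMPLE_DUMP), ("benign", BENIGN_DUMP)):
        res = triage_strings(dump)
        print(name, res.verdict(), res)
```

Feed it `strings classes.dex` output, one string per line. The keyword check requires exact string constants because `android` and `com.` occur in every APK, and a 51240.com URL on its own is deliberately not enough for a match, since that domain hosts many unrelated subdomains.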

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate (Extended)
FortiClient
FortiMail
FortiSandbox
FortiWeb (Web Application Firewall)
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2021-12-08 89.07587
2021-12-01 89.07373
2021-11-29 89.07325
2021-11-24 89.07163
2021-11-23 89.07120
2021-11-17 89.06953
2021-11-15 89.06905
2021-11-03 89.06533
2021-10-29 89.06393
2020-03-11 75.88600