Building a slide deck, pitch, or presentation? Here are the big takeaways:

  • WhiteRose is the newest entry in a family of distinctive ransomware attacks with linguistically and thematically peculiar ransom notes.
  • The WhiteRose payload appears to be delivered through unsecured Remote Desktop services, though the exact method is unknown.

The warnings that accompany ransomware informing victims of their situation–and providing instructions to pay for the restoration of files–are usually uninspired, direct pieces of writing replete with warnings about the urgency of paying and the lack of options to recover files without paying. In recent months, a family of ransomware attacks has taken to a somewhat unorthodox way of alerting users.

MalwareHunterTeam recently detailed the WhiteRose ransomware, the most recent in this series of attacks, which is seemingly spread through a vulnerability in Remote Desktop services. The ransomware searches a victim’s computer for files that match a few hundred preselected extensions. It encrypts these files, changes the file name, and appends “_ENCRYPTED_BY.WHITEROSE” to it, according to a tweet by ransomware hunter Michael Gillespie who discovered the ransomware.

Unlike other ransomware, which encrypts drives and prevents Windows from loading, WhiteRose doesn’t target files in folders marked “Windows,” “Program Files,” or “Microsoft,” and also excludes the contents of the Recycle Bin.

Of particular interest, it checks for the existence of a file named “Perfect.sys” at the drive root before encrypting. If it exists, the ransomware stops.

SEE: Cybersecurity strategy research: Common tactics, issues with implementation, and effectiveness (Tech Pro Research)

The ransomware note, seen here on Pastebin, is mystifying, at best. It describes a hacker “sitting on a wooden chair next to a bush tree” with “a readable book” by William Faulkner, in a garden in a remote location. The note continues, “Behind me is an empty house of dreams and in front of me, full of beautiful white roses. To my left is an empty blue pool of red fish [sic] and my right, trees full of spring white blooms.”

The description of the ransomware is similarly oblique:

This time, I will plant all the white roses of the garden to bring a different gift for the people of each country. …You do not need to send letters or e-mails to get these roses. Just wait it tomorrow. Wait for good days with White Rose.I hope you accept this gift from me and if it reaches you, close your eyes and place yourself in a large garden on a wooden chair and feel this beautiful scene to reduce your anxiety and everyday tension.Thank you for trusting me. Now open your eyes. Your system has a flower like a small garden; A white rose flower.

Despite the name, the note seems to have no readily apparent connection to the character in Mr. Robot, or the Nazi resistance movement from 1942-1943. The full text of the ransom note is also available at Bleeping Computer.

Fortunately, security researcher Michael Gillespie claims to be able to decrypt the files (and offers to do so for victims), though is apparently resistant to do a full write up describing the vulnerability lest the authors patch it. Given that the ransomware disables Windows Startup Repair, and deletes shadow volume copies and event logs, this type of restoration would not work.

WhiteRose is seemingly the fourth major variant of this specific family of ransomware. In February, the “Black Ruby” ransomware was discovered. It worked largely identically to the newly-discovered WhiteRose variant, though it included a Monero miner and a grammatically consistent ransom note that frequently featured perplexing word choices, claiming “Our hosts welcome our presence because we will give them a scant souvenir from the heart of Earth,” and “The breadth of this family is not supposed to stop, because we have enough knowledge and you also trust our knowledge. We are always your backers and guardian of your information at this multi-day banquet and be sure that no one in the world can take it from you except for us who extracts this precious stone.” Black Ruby automatically terminates before encryption if it determines that the target computer is in Iran.

Previous variants of this ransomware also include Zenis, and HiddenTear / InfiniteTear, which were discovered in late 2017. All of the variants appear to be propagated through unsecured Remote Desktop services, though the exact attack vector is unknown.