A ransom demand message is styled using the “Los Pollos Hermanos” branding image found in Breaking Bad, with part of the email address used in the demand – “I am the one who knocks” – based on a quote by central character Walter White.

Symantec states it believes that the ransomware employs social engineering techniques as a means of infecting victims’ computers, with the malware arriving through a malicious zip archive that uses the name of a major courier firm in its file name. This zip archive contains a malicious file called “PENALTY.VBS”, which, when executed, downloads the ransomware. It also downloads and opens a legitimate PDF file, tricking users into believing the initial zip archive was not malicious.

“Based on our initial analysis, the threat appears to be using components or similar techniques to an open source penetration-testing project, which uses Microsoft PowerShell modules,” Symantec stated. “This allows the attackers to run their own PowerShell script on the compromised computer to operate the crypto ransomware.”

The malware encrypts files using a random Advanced Encryption Standard (AES) key, which is then encrypted with an RSA public key, so that victims can only decrypt their files by obtaining the private key from the attackers.

The ransom demand links to a legitimate video tutorial on how to obtain Bitcoins, which the attackers included to help victims pay the ransom, Symantec stated. The threat also opens another YouTube video in the background: a song used in a fictional radio station in the game Grand Theft Auto V, which Symantec noted some fans believe is a shout-out to Breaking Bad.
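Added example (not code from the article or from Symantec): a Python check that a mail gateway or analyst could run on a zip attachment to flag the delivery pattern described above, namely an executable script member such as “PENALTY.VBS” inside a courier-themed archive. The keyword list, archive names and member contents are constructed assumptions for illustration.

```python
import io
import os
import zipfile
from typing import List

# Extensions Windows runs as a script or program when the member is double-clicked.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1", ".bat", ".cmd", ".hta", ".exe", ".scr"}

# Courier-brand lure keywords (assumption: illustrative list, extend for your environment).
COURIER_KEYWORDS = ("fedex", "ups", "dhl", "usps", "tnt", "courier", "parcel", "delivery")


def archive_findings(zip_bytes: bytes, archive_name: str) -> List[str]:
    """Return findings for a zip attachment: a courier-themed archive name and any
    member whose final extension is executable. An empty list means nothing matched."""
    findings = []
    if any(keyword in archive_name.lower() for keyword in COURIER_KEYWORDS):
        findings.append(f"courier-themed archive name: {archive_name}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # splitext keeps only the last extension, so "invoice.pdf.vbs" is still
            # caught; lower() handles the upper-case "PENALTY.VBS" seen in the sample.
            ext = os.path.splitext(info.filename)[1].lower()
            if ext in SCRIPT_EXTENSIONS:
                findings.append(f"script member: {info.filename}")
    return findings


def build_sample_archive() -> bytes:
    """Constructed stand-in for the lure archive: one script member, no real payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("PENALTY.VBS", "' constructed placeholder, not the real dropper\r\n")
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed benign archive: a document with no executable member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/invoice.pdf", "%PDF-1.4 constructed placeholder\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, data in (("Courier_Delivery_Notice.zip", build_sample_archive()),
                       ("invoice.zip", build_benign_archive())):
        print(name, "->", archive_findings(data, name) or "clean")
```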