This article is about the ransomware. For the DOS virus, see Executioner.

Executioner is ransomware based on EDA2, an open-source ransomware building kit that was published on GitHub in late 2015.

Payload

Once the user runs the ransomware's EXE file, it attempts to encrypt files with the following extensions:

.txt, .doc, .docx, .xls, .xlsx, .ppt, .pptx, 
.odt, jpeg, .png, .csv, .sql, .mdb, .sln, 
.php, .asp, .aspx, .html, .xml, .psd, .sql, 
.mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, 
.d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, 
.qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, 
.qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, 
.icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, 
.gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, 
.mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, 
.layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, 
.fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, 
.w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, 
.ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, 
.kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, 
.iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, 
.re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, 
.pak, .big, wallet, .wotreplay, .xxx, .desc, 
.py, .m3u, .flv, .js, .css, .rb, .p7c, .pk7, 
.p7b, .p12, .pfx, .pem, .crt, .cer, .der, 
.x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, 
.raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, 
.kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, 
.arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, 
.ai, .eps, .pdf, .pdd, .dbf, .mdf, .wb2, 
.rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, 
.mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, 
.xlsx, .xls, .wps, .docm, .docx, .doc, .odb, 
.odc, .odm, .odp, .ods, .odt, .png, .jpg, 
.rtf, .mpg, .mp3, .png

Encrypted files have a random six-character alphanumeric extension appended to their names. The encryption routine skips files located in the following folders:

Windows
Program Files
Program Files (x86)

Once the file encryption process ends, the ransomware downloads the image shown below from the Imgim.com image hosting service and sets it as the user's desktop wallpaper.

The ransomware also drops the following ransom note on the user's desktop. The file is named Sifre_Coz_Talimat.html, which is Turkish for roughly "Instructions for password" (approximate translation).
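As an added triage example (not part of the original page or of the malware's own code), the following Python walks a file listing and flags the on-disk pattern described above: files with a targeted extension plus an appended six-character alphanumeric suffix, the Sifre_Coz_Talimat.html note, and the Windows and Program Files folders the encryptor skips. The extension subset, the suffix value a8Kq3z and the sample paths are constructed for the example.

```python
import re
from collections import Counter

# Subset of the page's targeted extensions (constructed for this example; extend as needed).
TARGETED = {".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".pdf", ".sql", ".txt", ".pem", ".pfx"}
RANSOM_NOTE = "Sifre_Coz_Talimat.html"
SKIPPED_FOLDERS = {"windows", "program files", "program files (x86)"}
# Encrypted files keep name and extension and gain a random six-char alphanumeric suffix (e.g. .a8Kq3z, constructed).
ENCRYPTED_RE = re.compile(r"^.+(?P<orig_ext>\.[A-Za-z0-9]+)\.(?P<suffix>[A-Za-z0-9]{6})$")

def _parts(path):
    # Normalise separators so a Windows listing can be triaged on any analyst host.
    return path.replace("\\", "/").split("/")

def in_skipped_folder(path):
    return any(p.lower() in SKIPPED_FOLDERS for p in _parts(path)[:-1])

def classify(path):
    name = _parts(path)[-1]
    if name == RANSOM_NOTE:
        return "ransom_note"
    m = ENCRYPTED_RE.match(name)
    if m and m.group("orig_ext").lower() in TARGETED:
        return "encrypted_candidate"
    return "normal"

def triage(paths):
    summary = {"encrypted_candidate": [], "ransom_note": [], "suffixes": Counter()}
    for p in paths:
        kind = "skipped" if in_skipped_folder(p) else classify(p)  # encryptor leaves those folders alone
        if kind == "encrypted_candidate":
            summary["encrypted_candidate"].append(p)
            summary["suffixes"][ENCRYPTED_RE.match(_parts(p)[-1]).group("suffix")] += 1
        elif kind == "ransom_note":
            summary["ransom_note"].append(p)
    return summary

def looks_infected(summary):
    # A ransom note, or several files sharing one random suffix, is a strong signal; a lone
    # "tatil.jpg.backup" also matches the regex but must not fire on its own.
    top = summary["suffixes"].most_common(1)
    return bool(summary["ransom_note"]) or bool(top and top[0][1] >= 3)

SAMPLE_PATHS = [  # constructed sample listing, not real telemetry (e.g. gathered with os.walk)
    r"C:\Users\ayse\Documents\rapor.docx.a8Kq3z",
    r"C:\Users\ayse\Documents\butce.xlsx.a8Kq3z",
    r"C:\Users\ayse\Pictures\tatil.jpg.a8Kq3z",
    r"C:\Users\ayse\Pictures\tatil.jpg.backup",
    r"C:\Users\ayse\Desktop\Sifre_Coz_Talimat.html",
    r"C:\Program Files (x86)\Tool\data.sql.backup",
]
```

Run `triage(SAMPLE_PATHS)` and pass the result to `looks_infected` to see the note plus the shared a8Kq3z suffix trigger, while the backup copy under Program Files is ignored.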

The ransom note reads:

Oops all of your files Are safely Encrypted!!! "
 
Please Visit any links that given below to read the instructions and 
learn how to Decrypt Your Files!!
 
https://execut2bp3arv6er.onion.rip/
https://executcoe6vxnsw7.onion.rip/
https://execu4d2wasjip5x.onion.rip/
-------------------------------------------------------------------------
-----------------------
 
IF IT DOESN'T WORK TRY THIS!!
 
https://execut2bp3arv6er.onion.cab/
https://executcoe6vxnsw7.onion.cab/
https://execu4d2wasjip5x.onion.cab/
-------------------------------------------------------------------------
-----------------------
 
IF IT DOESN'T WORK AGAIN THEN TRY THIS!!
 
1. Download 'Tor Browser' from https://www.torproject.org/ and install 
it.!
2. OPEN ANY LINK THAT GIVEN BELOW!!!
 
execut2bp3arv6er.onion
executcoe6vxnsw7.onion
execu4d2wasjip5x.onion
-------------------------------------------------------------------------
-----------------------
 
YOUR COMPUTER ID
 
TEST
 
 
-------------------------------------------------------------------------
-----------------------
Tum Dosyalariniz Guvenle Sifrelenmistir! "
 
Lutfen asagida verilen linklerden birini ziyaret ederek dosyalarinizi 
kurtarmak icin TALIMATLARI OKUYUNUZ!!!
 
https://execut2bp3arv6er.onion.rip/
https://executcoe6vxnsw7.onion.rip/
https://execu4d2wasjip5x.onion.rip/
-------------------------------------------------------------------------
-----------------------
 
EGER CALISMAZ ISE ASAGIDA VERILEN LINKLERDEN BIRINE GIRINIZ!
 
https://execut2bp3arv6er.onion.cab/
https://executcoe6vxnsw7.onion.cab/
https://execu4d2wasjip5x.onion.cab/
-------------------------------------------------------------------------
-----------------------
 
EGER YUKARIDAKI VERILEN METHOD OLMADIYSA ASAGIDAKI METHODU DENEYINIZ!!!
 
1. 'Tor Browser'u https://www.torproject.org/ sitesinden indirip kurunuz 
!
2. ASAGIDA BULUNAN LINKLERDEN BIRTANESINE GIRINIZ!!!!
 
execut2bp3arv6er.onion
executcoe6vxnsw7.onion
execu4d2wasjip5x.onion
-------------------------------------------------------------------------
-----------------------
 
KIMLIK NUMARANIZ
 
TEST
 
 
-------------------------------------------------------------------------
-----------------------
 
EXECUTIONER RANSOMWARE

[Image: desktop-wallpaper.jpg]

The ransom note asks users to visit a Dark Web portal where they will receive more instructions.

This Dark Web ransom payment portal is available in Turkish and English, supporting a claim that the author of this ransomware is of Turkish origin. Furthermore, this portal runs on a modified version of the EDA2 backend panel.

The ransomware doesn't use a C&C server but sends information about infected computers via email to an inbox under the attacker's control.

Executioner collects data such as the computer name, username, IP address, and decryption key and sends it as an email from "executioner.ransom@bk.ru" to "executioner.ransom@protonmail.com".
