CuteRansomware targets Windows OS and is based on source code from a publicly available ransomware module called “my-Little-Ransomware,” posted on the open-source Git repository, GitHub. It is distributed via Google Docs, although it could easily be modified to spread via other cloud apps and platforms. CuteRansomware uses Google Docs both to deliver malicious files to victims and as a C2 server, storing encryption keys and data exfiltrated from victims’ machines. This distribution method bypasses network firewalls and intrusion prevention systems because the traffic is encrypted (SSL/TLS) owing to Google Docs’ use of HTTPS. CuteRansomware is also difficult to block because the only way to avoid it is to block the specific instance of the app containing the malware. Currently, this variant appears to be specifically targeting Chinese victims, as affected files are appended with the Chinese translation for “.encrypted” and notes within the code are written in Chinese. The ransom payment demand for CuteRansomware is currently unknown.
- Netskope provides more information about CuteRansomware here.
- The NJCCIC is not currently aware of any decryption tools available for CuteRansomware.
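Because the profile above identifies affected files only by the suffix appended to their names, a responder's first triage step on a suspect host is an inventory of which directories carry that suffix and what the original names were. The following script is an added example, not code from the NJCCIC profile, from Netskope, or from the malware itself. It assumes the suffix is supplied by the analyst; the page does not spell out the Chinese string, so `RANSOM_SUFFIX` below is an obviously labelled placeholder to be replaced with the value from the vendor report. The `triage` function is written over a list of paths so it can be run against a live tree (`scan_tree`) or against a file listing collected from a forensic image.

```python
import os
from collections import defaultdict

# Constructed placeholder: the profile says the Chinese translation of
# ".encrypted" is appended to affected files but does not quote the string,
# so substitute the real suffix from the vendor report here (assumption).
RANSOM_SUFFIX = ".<CHINESE_ENCRYPTED_SUFFIX>"


def is_encrypted_name(name, suffix=RANSOM_SUFFIX):
    """True if a file name carries the appended ransomware suffix.

    The suffix is appended to the whole original name, so the original
    extension is still present in front of it (report.docx<suffix>).
    A name consisting of nothing but the suffix is not treated as a hit.
    """
    return name.endswith(suffix) and len(name) > len(suffix)


def original_name(name, suffix=RANSOM_SUFFIX):
    """Strip the appended suffix to recover the original file name."""
    if not is_encrypted_name(name, suffix):
        raise ValueError("not an encrypted file name: %r" % name)
    return name[: -len(suffix)]


def triage(paths, suffix=RANSOM_SUFFIX, threshold=0.5):
    """Group paths by directory and flag directories where the share of
    suffixed files reaches the threshold.

    Returns {directory: (encrypted_count, total_count, flagged)}.
    A high share in one directory is the usual footprint of a ransomware
    run; isolated hits are more likely stray samples or false positives.
    """
    per_dir = defaultdict(lambda: [0, 0])
    for path in paths:
        directory, name = os.path.split(path)
        per_dir[directory][1] += 1
        if is_encrypted_name(name, suffix):
            per_dir[directory][0] += 1
    result = {}
    for directory, (enc, total) in per_dir.items():
        flagged = total > 0 and (enc / total) >= threshold
        result[directory] = (enc, total, flagged)
    return result


def scan_tree(root, suffix=RANSOM_SUFFIX, threshold=0.5):
    """Walk a real directory tree and run triage over every file in it."""
    paths = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            paths.append(os.path.join(dirpath, f))
    return triage(paths, suffix, threshold)


if __name__ == "__main__":
    import sys

    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for directory, (enc, total, flagged) in sorted(scan_tree(root).items()):
        if enc:
            marker = "!!" if flagged else "  "
            print("%s %s: %d of %d files carry the suffix" % (marker, directory, enc, total))
```

Run it as `python triage.py C:\Users` on the affected host (or against a mounted image); directories marked `!!` are where encryption ran to completion, and `original_name` gives the file list to compare against backups, since no decryptor is known.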