MoneroPay targets Windows OS and was initially distributed on the BitCoinTalk Forum through malicious links in posts advertising a digital wallet for a supposedly new cryptocurrency called SpriteCoin. In reality, SpriteCoin is a fictional cryptocurrency conjured up by those behind this ransomware campaign for the purpose of tricking cryptocurrency enthusiasts and investors into installing the ransomware. The posted links led to a website that enticed users running Windows OS to download a free wallet. If users downloaded and installed the file from the link, the malware would display a wallet set-up screen and pretend to establish a connection to a SpriteCoin blockchain. Meanwhile, the MoneroPay ransomware would run in the background and encrypt files on the system, appending .encrypted to the names of encrypted files. It would then display a ransom note that demanded 0.3 Monero (XMR), or approximately $120 USD, for the decryption key. MoneroPay also raided Chrome and Firefox browsers for stored login credentials and transmitted them back to the attacker's C2 server.
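As an added triage example (not code from the original write-up or from any vendor source), the Python below inventories files carrying the .encrypted suffix described above so responders can scope an infection and recover the original file names before running a decryptor; the host listing is constructed, and the directory threshold is an assumed heuristic.

```python
import os
import posixpath
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Extension MoneroPay appends to the files it encrypts, per the write-up above.
ENCRYPTED_SUFFIX = ".encrypted"

# Constructed sample listing of a hypothetical victim host (not a real capture).
SAMPLE_LISTING = [
    "C:/Users/alice/Documents/report.docx.encrypted",
    "C:/Users/alice/Documents/budget.xlsx.encrypted",
    "C:/Users/alice/Documents/notes.txt",
    "C:/Users/alice/Pictures/cat.jpg.encrypted",
    "C:/Program Files/SpriteCoin/wallet.exe",
    "C:/Program Files/SpriteCoin/config.ini",
]


def inventory_encrypted(
    paths: Iterable[str], suffix: str = ENCRYPTED_SUFFIX
) -> Tuple[List[Tuple[str, str]], Dict[str, float]]:
    """Return (affected, ratio): affected pairs each hit with its original
    file name; ratio maps a directory to the fraction of its files renamed."""
    affected: List[Tuple[str, str]] = []
    total: Counter = Counter()
    hits: Counter = Counter()
    for path in paths:
        directory = posixpath.dirname(path) or "."
        total[directory] += 1
        # Skip a file literally named ".encrypted": it has no original name.
        if path.endswith(suffix) and len(posixpath.basename(path)) > len(suffix):
            hits[directory] += 1
            affected.append((path, path[: -len(suffix)]))
    return affected, {d: hits[d] / total[d] for d in total}


def heavily_affected_dirs(ratio: Dict[str, float], threshold: float = 0.5) -> List[str]:
    """Directories in which at least `threshold` of the files were renamed (assumed cut-off)."""
    return sorted(d for d, r in ratio.items() if r >= threshold)


def walk_paths(root: str) -> Iterable[str]:
    """Yield forward-slash paths under a real tree, e.g. a mounted disk image."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            yield os.path.join(dirpath, name).replace(os.sep, "/")
```

On a live system or mounted image, pass `walk_paths(root)` to `inventory_encrypted` instead of the constructed listing.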

This variant demonstrates the shift away from Bitcoin for ransom payments as Monero transactions are more difficult to trace back to specific users. Additionally, it appears as though the actors behind this campaign took advantage of the fact that some cryptocurrency mining enthusiasts disable their antivirus software when downloading and testing new wallets as the executable files associated with mining and wallet software often trigger false positive results. This resulted in victims being especially vulnerable to the malware infection.

  • Fortinet provides additional information on MoneroPay here.
  • A free decryption tool for MoneroPay is available on GitHub here.