
Angry Duck

From Malware Wiki

Type: Ransomware, Trojan
Date: August 23rd, 2016
Platform: Microsoft Windows
Filetype: Win32 PE executable (.EXE)
Alias(es):
Trojan.Ransom.AngryDuck (ALYac)
Trojan.Ransom.AngryDuck.A (Arcabit)
FileRepMetagen [Malware] (Avast)
Trojan.Ransom.AngryDuck.A (B) (Emsisoft)
Trojan.TR/Dropper.Gen (F-Secure)
UDS:DangerousObject.Multi.Generic (Kaspersky)
Artemis!7AB91E57A1E2 (McAfee)
Trojan:Win32/Tiggre!rfn (Microsoft)
Infostealer.Limitail (Symantec)
Ransom_ANGRYDUCK.A (TrendMicro)
Trojan.Encoder!u/VB7qke9aY (Yandex)
MD5: 7ab91e57a1e2752cd8abee3db10853c5
SHA1: f1c100552f64398ec22a45346731e7399d4075b0
SHA256: 8ac9a4f0992dfc466ac82ed806e599f03e85392573e50a0af15320be4a330168
SSDEEP: 24576:I5+Kw0xFeQO4cV0LV5tJur4gS39QVDVjxAhQeCA1hWirvJv1FhHoLM1ezMzX7nHs:MZdcV0LV5e4lWXY91XphHnNi
Authentihash: 666466176cc2b45c3a305d3372b21669158a890a4b89c97bf3754754d611599b
IMPhash: 5eeba1605fad9c51d386ab5e7d474192

Angry Duck is ransomware for Microsoft Windows that encrypts files using what its ransom note describes as AES-512 cryptography. It was discovered by Michael Gillespie. Its ransom note has some odd quirks, and these oddities make it apparent that Angry Duck was created by amateurs who may be using a ransomware toolkit or RaaS (Ransomware as a Service) utility to build their attacks. It is aimed at English-speaking users, and its tone is more humorous than that of most other ransomware.

Angry Duck was first created on August 23rd, 2016, but did not appear in the wild until almost 2 months later.

Payload

Transmission

Angry Duck may spread through corrupted email attachments, often in the form of corrupted Microsoft Office or PDF files.

Apart from corrupted email and social media messages, Angry Duck may also spread through corrupted online advertising or by breaking into victims' computers directly.

Infection

The Angry Duck attack is rudimentary compared with some of the most threatening ransomware Trojans in the wild, although the attack it does carry out is reasonably effective.

During encryption, Angry Duck appends the ".adk" extension to the names of encrypted files; for example, "sample.jpg" is renamed to "sample.jpg.adk". Unlike other, more harmful ransomware, Angry Duck is not capable of encrypting data located on external memory drives, removable media, or network drives. It targets the following file types:

.3GP, .7Z, .AVI, .BMP, .CSV, .DJVU, .DOCM,
.DOC, .EPUB, .DOCX, .FLV, .GIF, .IBOOKS,
.JPEG, .JPG, .MKV, .MOV, .MP3, .MP4, .MPG,
.MPEG, .PICT, .PDF, .PPS, .PKG, .PNG, .PPT,
.PPTX, .PPSX, .RTF, .TIFF, .TIF, .TORRENT,
.TXT, .VSD, .WMV, .XLS, .XLSX, .XPS, .XML.
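As an added example (not from the wiki page and not code of the malware's authors), the rename pattern described above can be turned into a simple host-side detection: count, per process, how many files with a targeted extension are renamed to "<original name>.adk", and flag processes that exceed a threshold. The rename-event log format, the process ids and the threshold are assumptions constructed for this example.

```python
import re
from collections import defaultdict
from typing import Dict, List

ADK_SUFFIX = ".adk"  # extension Angry Duck appends (from the page)
# File types the page lists as targeted, lower-cased for matching.
TARGETED_EXTS = {
    ".3gp", ".7z", ".avi", ".bmp", ".csv", ".djvu", ".docm", ".doc", ".epub",
    ".docx", ".flv", ".gif", ".ibooks", ".jpeg", ".jpg", ".mkv", ".mov",
    ".mp3", ".mp4", ".mpg", ".mpeg", ".pict", ".pdf", ".pps", ".pkg", ".png",
    ".ppt", ".pptx", ".ppsx", ".rtf", ".tiff", ".tif", ".torrent", ".txt",
    ".vsd", ".wmv", ".xls", ".xlsx", ".xps", ".xml",
}
# Assumed (hypothetical) rename-event format: "<seq> RENAME pid=<n> <old> -> <new>"
EVENT_RE = re.compile(r"^(\d+) RENAME pid=(\d+) (.+?) -> (.+)$")


def is_adk_rename(old: str, new: str) -> bool:
    """True when a targeted file was renamed to '<original name>.adk'."""
    if not new.lower().endswith(ADK_SUFFIX):
        return False
    if new[:-len(ADK_SUFFIX)] != old:
        return False  # suffix attached to a different name: not this pattern
    dot = old.rfind(".")
    return dot != -1 and old[dot:].lower() in TARGETED_EXTS


def adk_renames_per_process(log_lines: List[str]) -> Dict[int, int]:
    """Count '.adk' renames of targeted files per process id."""
    counts: Dict[int, int] = defaultdict(int)
    for line in log_lines:
        m = EVENT_RE.match(line.strip())
        if m and is_adk_rename(m.group(3), m.group(4)):
            counts[int(m.group(2))] += 1
    return dict(counts)


def suspicious_pids(log_lines: List[str], threshold: int = 3) -> List[int]:
    """Process ids that renamed at least `threshold` targeted files to .adk."""
    per_pid = adk_renames_per_process(log_lines)
    return sorted(pid for pid, n in per_pid.items() if n >= threshold)


SAMPLE_LOG = [  # constructed sample events, not real telemetry
    r"1 RENAME pid=4242 C:\Users\a\Pictures\sample.jpg -> C:\Users\a\Pictures\sample.jpg.adk",
    r"2 RENAME pid=4242 C:\Users\a\Docs\report.docx -> C:\Users\a\Docs\report.docx.adk",
    r"3 RENAME pid=4242 C:\Users\a\Docs\notes.txt -> C:\Users\a\Docs\notes.txt.adk",
    r"4 RENAME pid=900 C:\Users\a\Downloads\draft.txt -> C:\Users\a\Downloads\final.txt",
    r"5 RENAME pid=901 C:\Users\a\tools\build.exe -> C:\Users\a\tools\build.exe.adk",
]
```

Running suspicious_pids(SAMPLE_LOG) returns [4242]: only the process that renamed three targeted files to .adk is flagged, while the ordinary rename and the .adk rename of a non-targeted .exe are ignored.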

Following successful encryption, Angry Duck also changes the desktop wallpaper to a picture of an angry duck that reads:

*** ANGRY DUCK ***
All your important files have been encrypted using very strong cryptography (AES-512 with RSA-64 FIPS grade encryption)
To recover your files, send 10 BTC to my private wallet.
DON’T MESS WITH THE DUCKS!!!

The new wallpaper contains a ransom-demand message stating that files are encrypted and that the victim must pay a ransom of 10 Bitcoins (currently equivalent to ~$6484). Compared with other viruses of the same type, Angry Duck's ransom is large (such ransoms usually fluctuate between 0.5 and 1.5 Bitcoin). Unfortunately, no further information is provided (such as where to send the Bitcoin payment, how to decrypt files, or the time frame until the decryption key is deleted). AES is symmetric cryptography and, thus, the encryption and decryption keys are identical; however, all keys are stored on remote servers controlled by the cybercriminals, who encourage victims to purchase them.

Removal

Use strong anti-malware software to remove the ransomware.