RedEye is a ransomware virus created by the same person who created the ANNABELLE and Jigsaw viruses, This advanced behavior is unusual for ransomware-type viruses, which typically encrypt data and attempt to dupe users into paying ransoms.
When RedEye is infiltrated, it allegedly encrypts data with the AES-256 encryption algorithm and appends filenames with the ".RedEye" extension (e.g., "sample.jpg" is renamed to "sample.jpg.RedEye"). RedEye not only 'encrypts' data, but also completely wipes it. As a result, data becomes unusable and impossible to recover. Furthermore, RedEye modifies the desktop wallpaper into a picture of Mona Lisa with black fluid flowing out of its eyes, changes the volume all the way up and launches a pop-up window with a ransom demand message.
The message in the pop-up window states that the data has been encrypted and that victims must pay a ransom of 1 Bitcoin (currently equivalent to $36,370) to have it restored. The payment must be made within four days of the encryption (a countdown timer appears in the pop-up), or the computer will allegedly be "destroyed." AES-256 is a symmetric encryption algorithm that encrypts and decrypts data with a single key. Each victim is given a unique key; however, because all keys are stored on a remote server controlled by RedEye's developers, users are encouraged to pay a ransom in order to be freed.
As mentioned above, RedEye wipes data by simply overwriting it with blank files of the same format. As a result, once decrypted, data is rendered useless. If a victim refuses to pay and the timer runs out, RedEye will modify the computer's Master boot record, making it impossible to boot the system properly. It's worth noting that the RedEye pop-up has a tab labeled "Destroy PC." By selecting this tab, you will also be able to modify the MBR. The modified MBR will simply display a message stating that the system has been terminated and that it can no longer be used.
It is, however, possible to stop the process by detecting the presence of RedEye before it finishes compromising data and modifying the MBR. In this case, immediately shutdown the system, log-in using Safe Mode, backup data that has not yet been damaged, restore the MBR, and then reinstall the operating system.
- Malware Wiki Page
- Showcase video: youtube.com/watch?v=zgg5wsMDBYA