
Background
Resenware is a program created as a joke by Kangjun Heo (0x00000FF). It encrypts files on a computer like ransomware, but instead of asking for money, it requires you to beat Touhou 12: Undefined Fantastic Object on LUNATIC mode (the hardest difficulty). It appeared in 2017 and has become a joke within the Touhou fandom, helped by the author infecting themselves with it. It even has a Wikipedia page and several videos documenting it.
Sample Information
Filename: resenWare.exe
File Size: 96.5 KiB
File Type: Windows Executable, 64-bit, C#
MAC timestamp: Thu Apr 06 13:32:37 2017 (UTC)
md5: 60335edf459643a87168da8ed74c2b60
sha1: 61f3e01174a6557f9c0bfc89ae682d37a7e91e2e
sha256: 7bf5623f0a10dfa148a35bebd899b7758612f1693d2a9910f716cf15a921a76a
Packed?: No
Reversing
Within the main function, it uses cryptoServiceProvider and enumerates files, appending .RESENNWARE to each of them. The encryption function itself uses AES-256 with the generated IV and key.
Resenware targets 32 extensions. Notably, extensions that the game needs in order to function, such as .exe, are not on the list, although other ransomware would target them.
private static readonly string[] targetExtensions = new string[] {".jpg",
".txt", ".png", ".pdf", ".hwp", ".psd", ".cs", ".c", ".cpp", ".vb", ".bas",
".frm", ".mp3", ".wav", ".flac", ".gif", ".doc", ".xls", ".xlsx", ".docx",
".ppt", ".pptx", ".js", ".avi", ".mp4", ".mkv", ".zip", ".rar", ".alz", ".egg",
".7z", ".raw"};
After the encryption process, a window pops up showing a Touhou character together with the ransom note.

WARNING!
Your system have been encrypted by Resen!
What the HELL is it?
Minamitsu "The Captain" Murasa encrypted your precious data like documents, musics, pictures, and some kinda project files. it can't be recovered without this application because they are encrypted with highly strong encryption algorithm, using random key.
How can I recover my files?
That's easy. You just play TH12 ~ Undefined Fantastic Object and score over 0.2 billion in LUNATIC level. this application will detect TH12 process and score automatically. DO NOT TRY CHEATING OR TEMRMINATE THIS APPLICATION IF YOU DON'T WANT TO BLOW UP THE ENCRYPTION KEY!
Although the note claims it will blow up the encryption keys if we cheat for the score, the analysis found that there’s actually no check!