
Buggy Russian Ransomware Inadvertently Allows Free Decryption 

Fortinet recently encountered a new ransomware variant that targets a Russian-speaking audience. The file is hosted on a Russian file hosting site and is likely propagated via drive-by download. It encrypts files and appends the extension .crypt38 to them.

The malware author asks for 1000 Rubles (around $15 USD) and places his/her email address as the contact for retrieving the unlock code:


Figure 01. Ransom Note

The above ransom note can be roughly translated to:

“Your data is encrypted!

The cost of deciphering: 1000 rubles

Unlock Code: ___________

Your ID: 576070104701

Send it to regist3030@yandex.ru

[Decrypt]

Do not delete or edit files .crypt38 and virus files, or restore the data will not work!”

Behavioral Analysis

Crypt38 first checks to see if it is already running from %Appdata%/Microsoft/Windows. If not, it drops and runs a copy of itself as %Appdata%/Microsoft/Windows/lsass.exe.


Figure 02. Drop Lsass.exe

Once the malware is running from its intended file path, it adds itself to the registry so that it runs at startup.


Figure 03. Enable Autorun

key: HKCU/Software/Microsoft/Windows/CurrentVersion/Run

value: lsass

data: %Appdata%/lsass.exe

Victim ID and Key Creation

Crypt38 creates a victim ID by randomly generating 12 numeric values as shown below.


Figure 04. Victim ID Creation

Once the victim ID is created, Crypt38 uses it to create the key for encrypting files. It copies the victim ID, replaces each digit with the result of (digit*digit*digit) modulo 10, and then appends "6551" to create the key. The key is then stored in %Appdata%/Microsoft/Windows/request.bin.


Figure 05. Key Generation

File Encryption

The ransomware begins by enumerating the files to be encrypted. It lists all drives from A to Z, and after loading all files on a given drive, it compares each file path against its blacklist.

Crypt38 will not infect files whose path contains any of the following:

Windows, msocache, Program Files, Program Files(x86)

It will encrypt files with the following file extension:

.txt .pdf .html .rtf .dwg .cdw .max .psd .3dm .3ds .dxf .ps .ai .svg .indd .cpp .pas .php .cs .py .java .class .fla .pl .sh .jpg .jpeg .jps .bmp .tiff .avi .mov .mp4 .amr .aac .doc .docx .xls .xlsx .ppt .pptx .accdb .odt .odp .odx .ibooks .xlp .db .dbf .mdf .sdf .mdb .sql .rar .7z .zip .vcf .cer .csr .torrent .otl .report .key .csv .xml

Once the targeted files have been filtered, it encrypts them with a symmetric algorithm that uses the generated key.


Figure 06. File Encryption

It then proceeds to append the extension .crypt38 to encrypted files.


Figure 07. Encrypted Data

The Good News

Since the encryption algorithm is symmetric, the key needed to decrypt the files is the same key that was generated for encryption. Because that key is derived only from the victim ID shown in the ransom note, it can be reproduced and used to decrypt the ransomed files without paying the ransom.


Figure 08. Condition to Decrypt

To determine the key for this sample, we use the following (the pseudocode written out as runnable Python):

victim_ID = "576070104701"   # the 12-digit ID shown in the ransom note
unlock_key = ""
for i in range(12):
    num = int(victim_ID[i])
    num = num * num * num % 10   # cube the digit and keep only the last digit
    unlock_key += str(num)
unlock_key += "6551"             # constant suffix appended by the malware
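The key derivation above, as an added example that is not Fortinet's code: it rebuilds the key from a 12-digit victim ID, pulls the ID out of the (translated) ransom note text, and goes one step beyond the article by checking that the per-digit cube-mod-10 map is a permutation of 0-9, so the victim ID can also be recovered from a key. The note text and the helper names are constructed for this example.

```python
# Added example (not Fortinet's code): derive the Crypt38 unlock key from the
# 12-digit victim ID exactly as the article describes, and check that the
# digit mapping is invertible, so the ID can also be recovered from a key.
import re

KEY_SUFFIX = "6551"  # constant suffix the malware appends, per the article


def cube_mod10(digit: int) -> int:
    """The per-digit transform used by Crypt38: (d*d*d) mod 10."""
    return (digit * digit * digit) % 10


def derive_unlock_key(victim_id: str) -> str:
    """Rebuild the key Crypt38 generates from a 12-digit numeric victim ID."""
    if not re.fullmatch(r"\d{12}", victim_id):
        raise ValueError("victim ID must be exactly 12 decimal digits")
    body = "".join(str(cube_mod10(int(d))) for d in victim_id)
    return body + KEY_SUFFIX


def digit_map_is_bijective() -> bool:
    """d -> d^3 mod 10 permutes the digits 0-9, so no two IDs share a key body."""
    return sorted(cube_mod10(d) for d in range(10)) == list(range(10))


def recover_victim_id(unlock_key: str) -> str:
    """Invert the transform: map each key digit back to the original ID digit."""
    if len(unlock_key) != 16 or not unlock_key.endswith(KEY_SUFFIX):
        raise ValueError("unexpected key format")
    inverse = {cube_mod10(d): d for d in range(10)}  # valid because the map is a bijection
    return "".join(str(inverse[int(c)]) for c in unlock_key[: -len(KEY_SUFFIX)])


def key_from_ransom_note(note: str) -> str:
    """Pull 'Your ID: <12 digits>' out of the (translated) ransom note text."""
    m = re.search(r"Your ID:\s*(\d{12})", note)
    if m is None:
        raise ValueError("no 12-digit victim ID found in note")
    return derive_unlock_key(m.group(1))


if __name__ == "__main__":
    # Constructed input using the ID shown in the article's ransom note.
    note = "Your data is encrypted!\nYour ID: 576070104701\nSend it to ..."
    print(key_from_ransom_note(note))  # 5360301043016551
```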

Once the unlock_key is generated, we can use this key to decrypt the files. Entering the correct unlock code presents the window below.


Figure 09. Window for Correct Code

This window roughly translates to:

Warning

The correct code.

Please make sure that all drives with .crypt38 files are connected, and click OK

After clicking OK, the malware decrypts all the files and shows this window:


Figure 10. Decrypting Window

After decrypting the files, the malware removes the folders it added and deletes the autorun registry entry. However, it does not delete itself.

Conclusion

While our analysis indicates that this malware is the work of an inexperienced cybercriminal, the appearance of this ransomware suggests that more and more ransomware attacks are targeting specific regions.

FortiGuard will continue to monitor Crypt38 ransomware and other developments in the ransomware scene.

-= FortiGuard Lion Team =-

IOC

Sha256: 06e62eec96b8a6fa5bd1294b4cc2a20e4c22641ad06045fd8fa0c6b9cb8dd620

Detected as: W32/Crypt38.A!tr

Added Files:

%Appdata%/lsass.exe – copy of itself

%Appdata%/request.bin – contains Victim ID

%Appdata%/encrypted

Added Folder:

{root drive}/ow4386747

Added Registry:

key: HKCU/Software/Microsoft/Windows/CurrentVersion/Run

value: lsass

data: %Appdata%/lsass.exe
