Cryptographic ransomware program encrypts user files offline



    Different kinds of ransomware, crypto-ransomware programs have now divorced quite a lot. Some simply block the PC until the user pays. Other types of such software encrypt files by sending a key to a server controlled by fraudsters. But there are other types of crypto ransomware that act even more original.

    Researchers at Check Point recently conducted an analysis.the work of one of the varieties of this kind of program that uses an alternative method of encrypting files and providing a key to its creators. The program itself is not new, it was first noticed in June last year. Since then, the author has repeatedly updated his creation (about once every two months), the crypto ransomware is constantly evolving and improving. According to information security experts, this sample was created by Russian-speaking attackers, and this software works, as a rule, with users from Russia.

    When downloading to the victim’s PC, this software encrypts all user files, while renaming them. New names are given by mask:

    email- [address to contact] .ver- [Ransomware internal version] .id- [Machine identifier] - [Date & Time] [Random digits] .randomname- [Random name given to the encrypted file] .cbf (example: email -Seven_Legion2@aol.com.ver-CL 1.0.0.0.id-NPEULAODSHUJYMAPESHVKYNBQETHWKZOBQFT-10 @ 6 @ 2015 9 @ 53 @ 19 AM5109895.randomname-EFWMERGVKYNBPETHVKZNBQETHWKZ.b)

    At the same time, data is not transmitted to the attacker server, no software information is received (such as an encryption key).

    The beginning of each file (the first 30,000 bytes) of each file is encrypted using two sets of numbers and letters, which are generated in random order already on the infected machine. The rest of the file is encrypted using the RSA public key, also randomly generated on the user machine, along with the RSA secret key, which is required to decrypt the data.

    Randomly generated character sets and a local RSA key (secret) are added as metadata to each encrypted file, and then encrypted using three complex RSA 768 public keys that are already created remotely. An appropriate RSA secret key is required to decrypt the metadata on the attacker's side.

    When an attacker contacts the victim by e-mail, he asks to send a sample of the encrypted file. Then he extracts the encrypted metadata from the file, uses the RSA secret key to decrypt the data, and thus receives the character sets and the local RSA secret key that the victim needs to decrypt the files.

    The contact address used by the scammer is often a Gmail or AOL account. Researchers contacted the attacker, reporting themselves as a victim of a crypto ransomware. He requested 20,000 rubles for decrypting the data.

    According to software experts, paying is the only way to get your data back in this case (if you don’t have a backup).

    Decrypting files without the corresponding key is unrealistic. The required brute force time using an entire network of powerful PCs is about two years.

    Also popular now: