Ransomfails: a few stories on beating cryptors

It’s not common that the ransomware criminals can be outsmarted. But sometimes they can be.

In recent months, we have had a number of stories, grim and dreary, about the perils of ransomware. For a change – and for a little bit of amusement – we’d like to offer a few tales about defeating ransomware.

“Helpme/file2”

This ransomware was only known by names “helpme@freespeechmail.org” and “file2@openmailbox.org,” after two of the email addresses users were told to contact the malware’s author and to receive payment details for possible decryption.

Author(s) demanded three bitcoins as a fee. Tech forums and outlets called that ransomware extremely nasty as it had caused a lot of destruction.

However, in the Fall of last year it was discovered that this ransomware is prone to brute-force using Kaspersky Lab’s RakhniDecryptor utility. It was intended to crack the “venerable” Rakhni (Trojan-Ransom.Win32.Rakhni) cryptor known since 2013. Most likely “helpme@freespeechmail” ransomware is a derivative of the former.

So in the end, it is quite possible to give the criminals the sack, not ransom.

The failure epique of DMA cryptor

An encrypting malware of Polish origin, this one initially featured a ransom note only in Polish. However, with time DMA’s code improved and the English ransom notes were added.

Then researchers from Malwarebytes decided to go in, and found a lot of funny things about DMA.

Funny thing one: malware authors advertised that they used an AES-256 key to encrypt files and then secured that key via an RSA-2048 cipher, but then researchers discovered that it only employed a custom encryption algorithm, which was quickly cracked.

Funny thing two: DMA had no protection against reverse engineering, which was excellent news for the researchers.

Funny thing three: DMA encryption key came hard-coded in one of its binaries.

Funny thing four: DMA author embedded the decrypter right inside the ransom note, creating dual-mode ransomware that can encrypt and decrypt files from the same source code.

Even if those smarties who wrote DMA found out they made a mistake by embedding the decryption, their custom encryption algorithm is still a weak one. Fortunately for the victims, it’s an amateur’s work that’s not going to be much of a danger.

Petya ransomware rocked-n-busted

A nefarious cryptor codenamed Petya (a Russian counterpart for name Pete) had been discovered late last month. It had a peculiar feature: it targeted infected machine’s master boot records, and the only option for the victims was to hand over roughly $400 in Bitcoin for the decryption key.

A certain individual who goes by the handle @leostone posted an algorithm to generate decryption keys.

As Threatpost points out, users can generate a decryption key, providing they can supply the tool with information from their infected drive – the boot sector and nonce associated with it.

This may be not an easy task for the average user, but Fabian Wosar, a security researcher at Emsisoft, created an executable over the weekend designed to extract data from infected Petya drives and expedite the process.

The same Mr. Wosar just recently managed to crack the encryption of HydraCrypt and UmbreCrypt ransomware families.

On Sunday, Lawrence Abrams, a computer forensics expert who blogs at BleepingComputer.com and has been following the ransomware’s saga, put together a guide on how to use the tool. He tested it and successfully recovered the data from the test machine. However, he acknowledged that Petya authors may soon update their ransomware making decryption a much more complicated process.

You wanted to play a game? Really?

A sadistic ransomware wasn’t just encrypting the files but also deleted them unless the victim paid 0.4 Bitcoin or $150 within an hour. Restarting a PC would also cost 1,000 deleted files.

The ransom demand contained the image from the “Saw” horror movie franchise and an appropriate line “I want to play a game with you…”

Game’s over, at least for now. Researchers, including security researchers at MalwareHunterTeam and individual computer forensics experts Michael Gillespie and Lawrence Abrams, have analyzed the malware and developed a decryption tool that allows victims to recover their files for free.

saw

Your game was unimpressive, clowns.

Now the funniest thing: Jigsaw can be prevented from deleting any files if an affected user goes into their Windows Task Manager and terminates firefox.exe and all of the drpbx.exe processes. In fact Jigsaw gets into the system as a fake Firefox browser installation file.

Then there’s only an encryption problem, which is beaten by the aforementioned decryption tool.

Still not common

It’s not common for ransomware criminals to be outsmarted. In fact, it is quite a rare occasion. More often users and businesses are facing less than exciting prospects of paying ransoms without a guarantee of getting their files back.

Some strains of ransomware are plain impossible to decrypt without knowing the keys, simply because the encryption algorithm they use are too strong.

So, by default it is much more reasonable to take preventive measures and not let the beasts in.

Andrey Pozhogin blogged a couple of weeks ago:

“Remember the multi-layered approach to security. Backup religiously. Stop phishing at your email server or web browser. Stop known malware… Check with cloud intelligence. Let it boil a little in a sandbox. Let your firewall do some jobs for you. Make sure application privilege control stops applications from accessing your personal data unless explicitly allowed. Or go all the way and switch to Default Deny mode.”

It is way easier to prevent a fire than to extinguish it when it has already started.

Also, take a look at Kaspersky Lab’s recent release – Kaspersky Security for Windows Server application, enhanced with Anti-Cryptor technology, specifically to prevent “ransomfire” from spreading all over.

Stay safe!

P.S. And drop us a comment or two about your own encounters with ransomware if there have been any!

Tips