Ransomware ‘Holds Up’ Victims

The current “ransomware” campaign uses a novel approach to extort money from unwary Internet users. The malware infects personal computers by posing as a genuine Windows update. Once installed, it encrypts data on the hard drive and displays a message (see Figure 1) in German that translates to “Your system has been infected with a Windows Trojan encryption due to visiting pages with pornographic content and your data files are encrypted with AES 256-bit encryption algorithm”; it then demands 100 euros, to be paid as a Paysafe or Ukash voucher number. The malware binaries spread through spam emails.

Figure 1: Warning message displayed by the ransomware

Despite the AES-256 claim in the warning message, our analysis shows that the malware encrypts data with RC4. RC4 is a stream cipher: the key seeds a pseudorandom keystream, and the ciphertext is the plaintext XORed with that keystream. This family derives a different key for each file it encrypts, using the procedure described below.

How is the key generated?

  1. A random base key is generated from a hard-coded string in the file.
  2. A random four-character string is generated for the file being encrypted.
  3. A new string is formed by concatenating the strings from Steps 1 and 2 with the name of the file being encrypted and another hard-coded string.
  4. The MD5 checksum of the string from Step 3 is computed and used as the RC4 key for this particular file.
  5. On successful encryption, the malware renames the file by prepending “locked-” and appending the string generated in Step 2 as the extension, for example, locked-filename.1234 (locked-<original name>.<four random characters>).


Exclusions

Some files on the system are left alone by this malware. It does not encrypt a file if its full path contains any one of these elements:

  • Program, Application, temp, tmp, Recycled, $, cache (common system locations)
  • Desk.Log, .sys, .lnk, .com, .bin, .ini, .dat, .bat, .pif, .inf (file names and extensions)
  • Ntldr, ntdetect, bootmgr, osloader, winload, pagefile (file names related to Windows)
  • winsh (the name of the image file downloaded from the server that carries the warning message shown in Figure 1)

Must you pay the ransom?

Because RC4 is a symmetric cipher (the same key encrypts and decrypts), it looks as though the files could be decrypted without paying the ransom. But here is the catch: the RC4 key for each file is the MD5 checksum of the combination described above. The four-character string from Step 2 can be read from the encrypted file's extension, and the hard-coded string from Step 3 can be pulled from the malware binary. That leaves the base key generated in Step 1. Where does it go?

The base key

Our preliminary analysis shows that the random base key is sent to a remote server in encrypted form, as explained in Figure 2:

Figure 2: Sending the base key to a remote server in encrypted form

The random base key is itself encrypted with RC4. The key for this step is the MD5 checksum of the boot volume's serial number concatenated with the first six characters of the computer name and another hard-coded string. The resulting ciphertext is passed through a further encoding routine, and that routine's output is sent in the query string of an HTTP request as the “data” parameter, while the volume serial number followed by the computer name is sent as the “id” parameter. Figure 3 shows the key encryption logic graphically.
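As an added illustration (not code from the McAfee analysis or from the malware itself), the following Python models both the per-file key derivation from the five steps above and the base-key exfiltration just described, so the “must you pay?” question can be followed in code. The hard-coded strings, the concatenation order inside the MD5 input, the unspecified second encoding routine (plain hex here) and an eight-character volume serial are all assumptions.

```python
import hashlib
import secrets
import string

# The real hard-coded strings live inside the malware binary; the article does
# not print them, so these are placeholder values (assumption).
FILE_KEY_SALT = "hardcoded-file-string"
EXFIL_KEY_SALT = "hardcoded-exfil-string"
SERIAL_LEN = 8  # NTFS/FAT volume serials are a DWORD, 8 hex chars (assumption)


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key scheduling, then XOR the PRGA keystream over data.
    The same call both encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def random_token(n: int = 4) -> str:
    """Step 2: the per-file four-character string that ends up as the extension."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(n))


def file_key(base_key: str, token: str, filename: str) -> bytes:
    """Steps 3-4: MD5 over base key, token, file name and hard-coded string.
    The article lists these components; their concatenation order is assumed."""
    material = base_key + token + filename + FILE_KEY_SALT
    return hashlib.md5(material.encode()).digest()


def encrypt_file(base_key: str, filename: str, plaintext: bytes, token: str = ""):
    """Steps 2-5: returns the renamed file and its ciphertext."""
    token = token or random_token()
    ciphertext = rc4(file_key(base_key, token, filename), plaintext)
    return f"locked-{filename}.{token}", ciphertext


def decrypt_file(base_key: str, locked_name: str, ciphertext: bytes):
    """Recovery once the base key is known: the token is the new extension and
    the original name sits between 'locked-' and the final dot."""
    stem, token = locked_name.rsplit(".", 1)
    filename = stem[len("locked-"):]
    return filename, rc4(file_key(base_key, token, filename), ciphertext)


def exfil_key(volume_serial: str, computer_name: str) -> bytes:
    """Key protecting the base key in transit: MD5 of the volume serial, the
    first six characters of the computer name and another hard-coded string."""
    material = volume_serial + computer_name[:6] + EXFIL_KEY_SALT
    return hashlib.md5(material.encode()).digest()


def build_exfil_request(base_key: str, volume_serial: str, computer_name: str) -> dict:
    """The 'data' and 'id' query parameters of the HTTP request. The article
    mentions a further, unspecified routine applied to the ciphertext; plain
    hex encoding stands in for it here (assumption)."""
    data = rc4(exfil_key(volume_serial, computer_name), base_key.encode()).hex()
    return {"data": data, "id": volume_serial + computer_name}


def recover_base_key(request: dict) -> str:
    """Everything needed to undo the transit encryption except the hard-coded
    string travels in the request itself, in the 'id' field."""
    serial, name = request["id"][:SERIAL_LEN], request["id"][SERIAL_LEN:]
    return rc4(exfil_key(serial, name), bytes.fromhex(request["data"])).decode()


if __name__ == "__main__":
    base = secrets.token_hex(8)             # stands in for the Step 1 base key
    locked, ct = encrypt_file(base, "report.doc", b"quarterly numbers")
    print(locked)                           # e.g. locked-report.doc.k3z9
    req = build_exfil_request(base, "1A2B3C4D", "WORKSTATION-01")
    print(req["id"])                        # 1A2B3C4DWORKSTATION-01
    recovered = recover_base_key(req)
    print(decrypt_file(recovered, locked, ct))
```

Under these assumptions the model makes the article's point concrete: every input to the per-file key except the base key can be read from the locked file name or the binary, and the request that carries the base key off the machine also carries the volume serial and computer name used to protect it. The one thing a victim who captured that request would still need is the hard-coded string from the binary, provided the unspecified second routine is reversible.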


Figure 3: How the base key is encrypted and sent to a remote server

McAfee products detect these malware binaries as Ransom-AI. The “heat map” below shows where this threat has surfaced.

Heat Map of the ransomware