Wulfric Ransomware is a ransomware that doesn't exist

Sometimes you really want to look a virus writer in the eye and ask: what for, and why? We will deal with the "how" ourselves, but it would be very interesting to find out what guided this or that malware author. Especially when we come across such "gems".

The hero of today's article is a curious specimen of ransomware. Apparently it was conceived as yet another extortion tool, but its technical implementation looks more like someone's cruel joke. That implementation is what we will discuss today.

Unfortunately, it is almost impossible to trace the life cycle of this encryptor: there are too few statistics on it, since, fortunately, it has not spread widely. We therefore leave aside its origin, infection methods and other references, and talk only about our own encounter with Wulfric ransomware and how we helped the user recover their files.

I. How it all began

Our antivirus laboratory is often contacted by people affected by ransomware. We provide assistance regardless of which antivirus products they have installed. This time we were contacted by a person whose files had been affected by an unknown encryptor.

Good afternoon. Files were encrypted on file storage (samba4) with passwordless login. I suspect that the infection came from my daughter's computer (Windows 10 with standard Windows Defender protection). The daughter's computer was not turned on after that. The encrypted files are mostly .jpg and .cr2. File extension after encryption: .aef.

We received from the user samples of encrypted files, a ransom note, and a file that is probably the key the ransomware author needs to decrypt the files.

Here are all our leads:

  • 01c.aef (4481K)
  • hacked.jpg (254K)
  • hacked.txt (0K)
  • 04c.aef (6540K)
  • pass.key (0K)

Let's take a look at the note. How many bitcoins this time?

Translation:

Attention, your files are encrypted!
The password is unique to your PC.

Pay the amount of 0.05 BTC to bitcoin address: 1ERtRjWAKyG2Edm9nKLLCzd8p1CjjdTiF
After payment, send me an email by attaching the pass.key file to [email protected] with payment notice.

After confirmation, I will send you a decryptor for the files.

You can buy bitcoins online in many ways:
buy.blockexplorer.com - payment by credit card
www.buybitcoinworldwide.com
localbitcoins.net

About bitcoins:
en.wikipedia.org/wiki/Bitcoin
If you have any questions, write to me at [email protected]
As a bonus, I will tell you how your computer was hacked and how to protect it in the future.

A pompous wolf, meant to impress on the victim the seriousness of the situation. Still, it could have been worse.

Fig. 1. "As a bonus, I will tell you how to protect your computer in the future." Seems legit.

II. Getting Started

First of all, we looked at the structure of the sample we had been sent. Oddly enough, it did not look like a file damaged by ransomware. Let's open it in a hex editor and look. The first 4 bytes contain the original file size, the next 60 bytes are zero-filled. But the most interesting part is at the end:

Fig. 2. Analysis of the damaged file. What immediately catches the eye?

Everything turned out to be offensively simple: the 0x40 header bytes were moved to the end of the file. To restore the data, it is enough to move them back to the beginning. Access to the file contents is restored, but the name remains encrypted, and that part is more complicated.

Fig. 3. The encrypted name in Base64 looks like an incoherent string of characters.

Let's try to parse pass.key, sent to us by the user. In it we see a 162-byte sequence of ASCII characters.

Fig. 4. 162 characters left on the victim's PC.

If you look closely, you can see characters repeating at regular intervals. This may indicate XOR, where such repetitions are inherent and their period depends on the key length. After splitting the string into 6-character groups and XORing them with several candidate key sequences, we got nothing meaningful.

Fig. 5. See the repeated constants in the middle?

We decided to google the constants, because yes, that is also an option! And all of them eventually led to one algorithm: Batch Encryption. After studying the script, it became clear that our string is nothing but the output of that script. It should be mentioned that this is not a cipher at all, just an encoder that replaces each character with a 6-byte sequence. No keys or other secrets here 🙁

Fig. 6. A fragment of the original algorithm, author unknown.

The algorithm would not work as it should if not for one detail:

Fig. 7. Morpheus approved.

By substituting back, we turn the string from pass.key into 27 characters of text. Of particular note is the (most likely) human-readable word 'asmodat'.

Fig. 8. USGFG=7.

Google helps us again. After a short search, we find an interesting project on GitHub, Folder Locker, written in .NET and using the 'asmodat' library from another GitHub account.

Fig. 9. Folder Locker interface. Be sure to check for harm.

The utility is an open-source encryptor for Windows 7 and above. Encryption uses a password that is required for later decryption. It can work with both individual files and entire directories.

Its library uses the Rijndael symmetric algorithm in CBC mode. Notably, the block size was chosen as 256 bits, unlike the AES standard, where it is fixed at 128 bits.

The key is derived according to the PBKDF2 standard. Here the password is the SHA-256 of the string entered into the utility. All that remains is to find this string in order to derive the decryption key.

Well, back to our already decoded pass.key. Remember that line with the string of digits and the text 'asmodat'? Let's try to use the first 20 bytes of the string as the Folder Locker password.

Look, it works! The code word fit, and everything decrypted perfectly. Judging by the characters of the password, it is the hex representation of some ASCII word. Let's convert the code word to text: we get 'shadowwolf'. Feeling the symptoms of lycanthropy yet?

Let's take another look at the structure of the affected file, now that we know how the locker works:

  • 02 00 00 00 – name encryption mode;
  • 58 00 00 00 – length of the file name, encrypted and encoded in base64;
  • 40 00 00 00 – size of the transferred header.

The encrypted name itself and the transferred header are highlighted in red and yellow, respectively.

Fig. 10. The encrypted name is highlighted in red, the transferred header in yellow.

And now let's compare the encrypted and decrypted names in hexadecimal representation.

The structure of the decrypted data:

  • 78 B9 B8 2E – garbage created by the utility (4 bytes);
  • 0C 00 00 00 – length of the decrypted name (12 bytes);
  • then comes the file name itself, padded with zeros to the required block length.

Fig. 11. IMG_4114 looks much better.
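As an added illustration (not code from the article, nor from Folder Locker), here is the reassembly of an .aef file described above, together with a parser for the decrypted-name layout. The article lists the trailer fields but not their order, so the order assumed here (mode, name length, header size, base64 name, then the moved 0x40-byte header after the original data) is our assumption, as is the sample file built by build_sample_aef.

```python
import base64
import struct

HEADER_LEN = 0x40  # bytes the locker moves from the start of the file to its tail


def restore_aef(blob: bytes):
    """Undo the Wulfric transformation on one .aef file.

    Assumed layout (field order in the trailer is our assumption):
      [orig_size u32 LE][60 zero bytes][original data from offset 0x40 on]
      [mode u32][name_len u32][hdr_len u32][base64 name][moved 0x40-byte header]
    Returns (original file bytes, raw ciphertext of the encrypted name).
    """
    if len(blob) < HEADER_LEN + 12:
        raise ValueError("too short to be a Wulfric .aef file")
    orig_size = struct.unpack_from("<I", blob, 0)[0]
    if orig_size < HEADER_LEN or blob[4:HEADER_LEN] != bytes(HEADER_LEN - 4):
        raise ValueError("placeholder header is not [size][zeros]")
    _mode, name_len, hdr_len = struct.unpack_from("<III", blob, orig_size)
    if hdr_len != HEADER_LEN:
        raise ValueError(f"unexpected moved-header size {hdr_len:#x}")
    pos = orig_size + 12
    b64_name = blob[pos:pos + name_len]
    header = blob[pos + name_len:pos + name_len + hdr_len]
    if len(header) != hdr_len:
        raise ValueError("truncated trailer")
    return header + blob[HEADER_LEN:orig_size], base64.b64decode(b64_name)


def parse_decrypted_name(plain: bytes) -> str:
    """Parse Folder Locker's name plaintext: 4 junk bytes, u32 LE length, name, zero padding."""
    (length,) = struct.unpack_from("<I", plain, 4)
    name = plain[8:8 + length]
    if len(name) != length:
        raise ValueError("length field runs past the buffer")
    return name.decode("utf-8")


def build_sample_aef(original: bytes, name_ct: bytes, mode: int = 2) -> bytes:
    """Constructed test fixture only: lay out an .aef the way restore_aef expects."""
    b64 = base64.b64encode(name_ct)
    trailer = struct.pack("<III", mode, len(b64), HEADER_LEN) + b64 + original[:HEADER_LEN]
    return struct.pack("<I", len(original)) + bytes(HEADER_LEN - 4) + original[HEADER_LEN:] + trailer
```

On a real sample, restore_aef returns the bytes to write back to disk plus the name ciphertext, which still needs the Folder Locker password to decrypt; 64 bytes of ciphertext (88 base64 characters, matching the 0x58 above) is two 256-bit Rijndael blocks.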

III. Findings and conclusion

Going back to the beginning. We do not know what guided the author of Wulfric.Ransomware or what goal he pursued. Of course, for an ordinary user the result of even such an encryptor's work will seem like a big disaster. Files do not open. All the names are gone. Instead of the usual wallpaper, a wolf on the screen. And you are forced to read about bitcoins.

True, this time, under the guise of a "terrible encryptor", an absurd and clumsy attempt at extortion was hiding, in which the attacker uses ready-made programs and leaves the keys right at the crime scene.

By the way, about the keys. We did not have the malicious script or trojan that could help us figure out how pass.key came about: the mechanism by which the file appeared on the infected PC remains unknown. But, as I recall, in his note the author mentioned the uniqueness of the password. So the code word for decryption is about as unique as the shadow wolf's username 🙂

And still, shadow wolf: what for, and why?

Source: habr.com
