Crypto-ransomware encrypts files “offline”
Ransomware comes in various forms, and not all of it encrypts files – some variants simply lock the computer until the ransom is paid. When files are encrypted, the encryption key is usually sent to the malware’s C&C server, which is controlled by the crooks – but not always.
Check Point researchers have recently analyzed a crypto-ransomware sample that demonstrates an alternative method of encrypting files and delivering the key material (i.e., the information required to recover the right decryption key) to the criminal behind the scheme.
This particular piece of ransomware is not new. It was first spotted in June 2014, and its development is continuous: the author comes up with a newer version every two months or so.
It seems to have been written by a Russian author, and is currently directed at Russian targets.
Once downloaded and run on the machine, the ransomware encrypts all personal files and renames them. The new names follow this format: email-[address to contact].ver-[ransomware internal version].id-[machine identifier]-[date and time][random digits].randomname-[random name given to the encrypted file].cbf (example: email-Seven_Legion2@aol.com.ver-CL 1.0.0.0.id-NPEULAODSHUJYMAPESHVKYNBQETHWKZOBQFT-10@6@2015 9@53@19AM5109895.randomname-EFWMERGVKYNBPETHVKZNBQETHWKZNB.RGV.cbf).
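The renaming scheme is regular enough to parse, which is useful during triage: the contact address and internal version are indicators worth collecting, and the machine identifier tells a responder how many infected hosts have written to a share. The parser below is an added example written for this page, not Check Point's or the malware author's code. The field shapes beyond the one published name (uppercase alphanumeric machine id, digit-only random suffix) and the month@day@year reading of the timestamp are assumptions, and the second and third file names in the sample list are constructed.

```python
import re
from datetime import datetime

# Pattern for the renaming scheme quoted above. Field shapes beyond the one published
# example (uppercase alphanumeric id, digit-only timestamp and suffix) are assumptions.
CBF_NAME = re.compile(
    r"^email-(?P<email>.+?)"
    r"\.ver-(?P<version>.+?)"
    r"\.id-(?P<machine_id>[A-Z0-9]+)"
    r"-(?P<stamp>\d{1,2}@\d{1,2}@\d{4} \d{1,2}@\d{2}@\d{2}[AP]M)"
    r"(?P<random_digits>\d+)"
    r"\.randomname-(?P<random_name>.+)"
    r"\.cbf$"
)


def parse_cbf_name(filename):
    """Split one renamed file into its fields, or return None if it does not match."""
    m = CBF_NAME.match(filename)
    if m is None:
        return None
    fields = m.groupdict()
    # '@' stands in for '/' and ':', which are illegal in Windows file names;
    # month@day@year order is an assumption based on the US-style AM/PM suffix.
    stamp = fields["stamp"].replace("@", "/", 2).replace("@", ":")
    try:
        fields["timestamp"] = datetime.strptime(stamp, "%m/%d/%Y %I:%M:%S%p")
    except ValueError:
        fields["timestamp"] = None
    return fields


def triage(filenames):
    """Group matches by machine id; collect contact addresses and versions as IOCs."""
    report = {"machines": {}, "emails": set(), "versions": set(), "unmatched": []}
    for name in filenames:
        p = parse_cbf_name(name)
        if p is None:
            report["unmatched"].append(name)
            continue
        report["emails"].add(p["email"])
        report["versions"].add(p["version"])
        report["machines"].setdefault(p["machine_id"], []).append(p["random_name"])
    return report


# The first name is the example from the article; the other two are constructed.
SAMPLE_NAMES = [
    "email-Seven_Legion2@aol.com.ver-CL 1.0.0.0.id-NPEULAODSHUJYMAPESHVKYNBQETHWKZOBQFT"
    "-10@6@2015 9@53@19AM5109895.randomname-EFWMERGVKYNBPETHVKZNBQETHWKZNB.RGV.cbf",
    "email-ransom.contact@example.com.ver-CL 1.0.0.0.id-ABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJ"
    "-1@12@2016 11@05@07PM1234567.randomname-QWERTYUIOPASDFGHJKLZXCVBNMQWERTYUI.ABC.cbf",
    "quarterly_report.xlsx",
]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        fields = parse_cbf_name(name)
        print(name[:40], "->", fields and fields["timestamp"])
    print(triage(SAMPLE_NAMES)["emails"])
```

Run over a directory listing, triage() gives the set of contact addresses to block or search for in mail logs and the number of distinct machine identifiers, i.e. how many hosts encrypted files in that location.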
It doesn’t need to contact a C&C to receive an encryption key or to send it to the crook.
“The beginning (first 30000 bytes) of each file is encrypted using two buffers of digits and letters that are randomly generated on the infected machine. The remainder of each file (if it exists) is encrypted using an RSA public key (‘local’) that is randomly generated on the infected machine, along with the matching local RSA private key required for decryption of the data,” the researchers explained.
“The randomly generated buffers and the local RSA private key that are required for decryption are added as metadata to each encrypted file, and are then encrypted using three hardcoded RSA 768 public keys that the offender created in advance (‘remote’). The matching remote RSA private keys required to unlock the metadata are located on the attacker’s side.
When the criminal asks the victims to contact him via email, he also asks them to send in one encrypted file. He extracts the encrypted metadata from the file, uses his remote RSA private keys to decrypt it, and this gives him the buffers and local RSA private key needed by the victims to decrypt the file(s).”
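What the researchers describe is a hybrid key escrow: bulk data is encrypted under key material that never leaves the machine, and that material travels to the attacker inside the victim's own files, wrapped under a public key baked into the binary. Nothing needs to cross the network while files are being encrypted, so there is no C&C traffic to catch at that point, and a single file is enough for the attacker to recover everything for that machine. The model below is an added example written for this page and is not the malware's code: textbook RSA at toy key sizes stands in for both the RSA-768 remote keys and the per-machine local keys, one remote key replaces the three hardcoded ones, the cipher applied to the first 30000 bytes is modelled as an XOR keystream derived from the two random buffers (the article does not say how they are used), and the on-disk layout of the appended metadata is invented for the model.

```python
# Added model of the scheme described above, not the malware's code. Toy-size textbook RSA
# stands in for the RSA-768 remote keys and the local keys; the buffer cipher and file layout
# are not described in the article, so both are assumed here.
import json
import secrets
import string

HEAD_LEN = 30000          # bytes covered by the buffer-based cipher


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin: adequate for a model, not for real key generation."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    s = ((n - 1) & -(n - 1)).bit_length() - 1      # n - 1 == d * 2**s with d odd
    d = (n - 1) >> s
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # exact bit length, odd
        if _is_probable_prime(c):
            return c


def rsa_keygen(bits=128):
    """Return ((n, e), (n, d)); toy size, the real remote keys are 768 bits."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:        # e is prime, so this checks gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def rsa_encrypt(pub, data):
    """Unpadded textbook RSA over fixed-size chunks, prefixed by the plaintext length."""
    n, e = pub
    k_in, k_out = (n.bit_length() - 1) // 8, (n.bit_length() + 7) // 8
    out = [len(data).to_bytes(4, "big")]
    for i in range(0, len(data), k_in):
        m = int.from_bytes(data[i:i + k_in], "big")       # < 2**(8*k_in) <= n
        out.append(pow(m, e, n).to_bytes(k_out, "big"))
    return b"".join(out)


def rsa_decrypt(priv, blob):
    n, d = priv
    k_in, k_out = (n.bit_length() - 1) // 8, (n.bit_length() + 7) // 8
    remaining, out = int.from_bytes(blob[:4], "big"), bytearray()
    for i in range(4, len(blob), k_out):
        j = min(k_in, remaining)                           # the last chunk may be short
        m = pow(int.from_bytes(blob[i:i + k_out], "big"), d, n)
        out += m.to_bytes(k_in, "big")[k_in - j:]
        remaining -= j
    return bytes(out)


def head_cipher(buf1, buf2, data):
    """Assumed model of the buffer cipher: an XOR keystream, so it is its own inverse."""
    ks = bytes(a ^ b for a, b in zip(buf1, buf2))
    return bytes(x ^ ks[i % len(ks)] for i, x in enumerate(data))


def infect_machine():   # per-machine material, generated locally: no C&C traffic needed
    buf = lambda: "".join(secrets.choice(string.ascii_letters + string.digits)
                          for _ in range(64)).encode()
    local_pub, local_priv = rsa_keygen()
    return {"buf1": buf(), "buf2": buf(), "local_pub": local_pub, "local_priv": local_priv}


def encrypt_file(plain, machine, remote_pub):
    """Victim side. Assumed layout: [hlen][head][tail][wrapped metadata][mlen]."""
    head = head_cipher(machine["buf1"], machine["buf2"], plain[:HEAD_LEN])
    tail = rsa_encrypt(machine["local_pub"], plain[HEAD_LEN:])
    meta = json.dumps({"buf1": machine["buf1"].decode(), "buf2": machine["buf2"].decode(),
                       "local_priv": list(machine["local_priv"])}).encode()
    wrapped = rsa_encrypt(remote_pub, meta)      # only the remote private key opens this
    return len(head).to_bytes(4, "big") + head + tail + wrapped + len(wrapped).to_bytes(4, "big")


def attacker_recover_metadata(encrypted_file, remote_priv):
    """Attacker side: one encrypted file yields the keys for every file on that machine."""
    mlen = int.from_bytes(encrypted_file[-4:], "big")
    meta = json.loads(rsa_decrypt(remote_priv, encrypted_file[-4 - mlen:-4]))
    return {"buf1": meta["buf1"].encode(), "buf2": meta["buf2"].encode(),
            "local_priv": tuple(meta["local_priv"])}


def decrypt_file(encrypted_file, meta):   # victim side, with the metadata handed back
    mlen = int.from_bytes(encrypted_file[-4:], "big")
    inner = encrypted_file[:-4 - mlen]
    hlen = int.from_bytes(inner[:4], "big")
    head = head_cipher(meta["buf1"], meta["buf2"], inner[4:4 + hlen])
    return head + rsa_decrypt(meta["local_priv"], inner[4 + hlen:])


def demo():   # two files from one machine; the attacker unwraps only the first
    remote_pub, remote_priv = rsa_keygen()       # prepared by the attacker in advance
    machine = infect_machine()
    docs = {"a.docx": secrets.token_bytes(31000), "b.txt": b"short file"}   # constructed
    enc = {k: encrypt_file(v, machine, remote_pub) for k, v in docs.items()}
    meta = attacker_recover_metadata(enc["a.docx"], remote_priv)
    return all(decrypt_file(enc[k], meta) == docs[k] for k in docs)
```

demo() runs the whole exchange: two files encrypted on one machine, the attacker unwrapping the metadata from the first file only, and both files decrypting with what comes back. The structure is what matters for a responder: the local material is wiped from memory once it has been wrapped, so nothing recoverable is left on the host, and the only secret standing between the victim and their data is the remote private key, which the attacker never exposes.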
The contact email address changes continuously, and is often a Gmail or AOL account. The researchers contacted the criminal and found that he asks for 20,000 Russian rubles (some $300) to decrypt the files.
Unfortunately for those who don’t have a recent backup, the only way to get the files back is to pay up.
“It is not feasible to try to decrypt the remote RSA encryption without the remote private key. The necessary time frame would be approximately 2 years and would involve using many computers,” the researchers noted.