Friday, June 14, 2013

The case of Win32.Filecoder Ransomware

Few days ago i have got a computer that was infected with Win32\Filecoder.NAG, this nasty ransomware has encrypted the user files and presented the following message to the user:

So basically in order to get your files back you should pay 300$.

I have done a little bit of reverse engineering of this ransomware in order to try to find a way to get the key without paying the ransom.

Here are the facts i found:

Once the malware is installed it generate the key with the following algorithm:

Key generation algorithem

Afterwards the malware create two files on the %APPDATA% directory, the first file (named Setconf in this variant) contains the generated key, and after the malware done with the encryption it encrypt this file too (and add .crypt to the extension name) and then delete this file from the computer, so it is difficult to get this file back (although that in case you have "previous versions" feature turned on and it took snapshot in the right time you can get this file).

The second file (named ok.txt in this variant) contains the words "Thank you!".

After it generate the key the malware then sends that key using a POST method to the C2 server (in my case it was hxxp:// and in the answer from the server it get the ID and the email address that the victim is suppose to use in order to contact with the operator.

It then saves that ID and email address in the following registry path:
HKEY_CURRENT_USER\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Winlogon

Then the mlaware proceed to the encryption phase and encrypt all of the user's files using an AES algorithm   and add to each file extension name the word .crypt .

After the encryption of all the files is done the second file the malware has been created in the %APPDATA% directory (named ok.txt.crypt now) is being used by the malware in order to make sure the victim has entered the correct key.
Once the user has entered a key the malware is trying to decrypt this file and if the file content is  equal to "Thank you!" (as it was before the encryption) the malware knows that the user has entered the correct key and it proceed to the decryption phase (yes it really decrypt the user's files if you have the correct key) if it doesn't equal to "Thank you!" the malware knows that an incorrect key was entered.

The key the malware uses is 15 bytes long and it is consist from mixalpha (a-z&A-Z) letters, initially thought to brute force the key in order to get the files back but after some calculations i came to the conclusion that it will take long time to do that and unless i have many (many) computers that brute force the key in parallel i can't get that key and the files of the user are gone.

The AES library that the malware is using to encrypt the files is probably taken from this open source code at the google code site (Thanks to Fabian Wosar for pointing me to it).

My conclusion on this was that i am can't get the encrypted files back unless i have a log of the network traffic so i can get the password that was sent to the C2 server.

By the way i found that the C2 server is responding to arbitrary POST requests with an id and email address:

A little python script that will send POST request to the server in a while loop will not hurt anybody especially if the Brute Force method above didn't work that will work for sure:

The md5 hash of the file i have analyzed is:
14724a3dafa927ebee51e72c5e02f9c1 VT 31/47

Have a nice Day!

1 comment:

  1. Anonymous8/7/13 16:43

    I bet the panel is vulnerable. If not, server is shared and you could easily find a vulnerable site so you could perhaps "bypass" and root the server. Get to the panel and pwn the panel also.

    Nice research but you should indeed go deeper sometimes.