Pierluigi Paganini November 05, 2015

Malware researchers at Check Point Technologies have discovered a new offline ransomware that is targeting mainly Russian users.

Malware researchers at Check Point Technologies have spotted a new “offline” ransomware that is targeting Russian users. The principal characteristic of this strain of malware is that it doesn’t need to communicate with a command and control (C&C) server in order to encrypt files.

This feature complicates the analysis of security firms because it is not possible to detect the communication with the control centers.

The offline ransomware has been around since at least June 2014, the experts highlighted that the threat actors behind the campaign have already released numerous variants of the malware.

The last version of the offline ransomware (CL 1.1.0.0) has been released in August 2015, the threat is well known to the principal security firms that detected it with various names (Ransomcrypt.U [Symantec], Win32.VBKryjetor.wfa [Kaspersky] and Troj/Ransom-AZT [Sophos].

Once the ransomware infects the victim’s PC, it encrypts his files and changes the desktop background displaying a message in the Russian language that includes the instructions to recover the files.

“Your files are encrypted, if you wish to retrieve them, send 1 encrypted file to the following mail address: [email protected]

ATTENTION!!! You have 1 week to mail me, after which the decryption will become impossible!!!!”

All the files on the machine infected by the CL 1.0.0.0 version, the one analyzed by the researchers at  Check Point Technologies, were encrypted, and each one renamed to the following format:

email-[address to contact].ver-[Ransomware internal version].id-[Machine identifier]-[Date & Time][Random digits].randomname-[Random name given to the encrypted file].cbf

Example:

[email protected] 1.0.0.0.id-NPEULAODSHUJYMAPESHVKYNBQETHWKZOBQFT-10@6@2015 9@53@19 AM5109895.randomname-EFWMERGVKYNBPETHVKZNBQETHWKZNB.RGV.cbf

Victims are asked to pay a ransom between $300 and $380, depending on how fast they perform the payment, to receive a decryption tool and the key needed to recover their files.

The offline ransomware is written in Delphi and uses some Pascal modules, a choice not common for malware developers. The experts explained that the file-encrypting capabilities implemented by the offline ransomware are highly efficient, it is nearly impossible to recover the files once the threat has encrypted it.

Check Point has provided the following description of the file encryption process:

• The beginning (first 30000 bytes) of each file is encrypted using two buffers of digits and letters that are randomly generated on the infected machine. The encryption process includes taking each original byte along with one byte from each of the randomly generated buffers and performing mathematical operations on them.
• The remainder of each file (if it exists) is encrypted using an RSA public key (“local”) that is randomly generated on the infected machine, along with the matching local RSA private key required for decryption of the data.
• The randomly generated buffers and the local RSA private key that are required for decryption are added as metadata to each encrypted file, and are then encrypted using three hardcoded RSA 768 public keys that the offender created in advance (“remote”). The matching remote RSA private keys required to unlock the metadata are located on the attacker’s side.

The threat actors used several email addresses in their campaign, most of them AOL and Gmail accounts. It is interesting to note that the unique account related to a Russian email provider, [email protected], is also one of the emails associated with the original version of the offline ransomware. The address was no more used by crooks after the version 4.0.0.0.

Ransomware are very profitable for cyber criminals, according to security researchers of the Cyber Threat Alliance which have conducted an investigation into the cybercriminal operations leveraging CryptoWall ransomware, criminals behind CryptoWall 3.0 Made $325 Million.

On a weekly basis, new malware appears in the wild, recently the fourth version of the popular Cryptowall was detected online and new ones are expected to come.

Pierluigi Paganini

(Security Affairs – Offline Ransomware, cybercrime)