A file-encrypting ransomware we are calling LowLevel04 is currently being spread that encrypts your data using AES encryption and then demands a 4 Bitcoin, or ~$1000 USD, ransom to get your files back. This variant was first spotted in October 2015 and it appears that it is being spread by targeted Remote Desktop or Terminal Services hacks. Unfortunately, at this time the only way to recover your files is from a backup, by trying Shadow Volume Copies, or by paying the ransom. It is believed that this ransomware is part of an affiliate based ransomware family that commonly changes the emails associated with the ransom notes.
Based on the reports found in our help recover files.txt ransomware support topic, this ransomware appears to be installed directly by the attacker who brute forces weak passwords on computers running Remote Desktop or Terminal Services. Many of the victims have also reported that the machines affected were servers, which makes sense as this type of attack would cause major disruption for a company. From the reports we have received and by analyzing some samples, it appears that once the attacker gains access to a target computer, they download and install a package that generates the encryption keys, encrypts the data files, and then uploads various files back up to the hacker's temp folder via the terminal services client drive mapping \\tsclient\c\temp\.
Analysis of the ransomware by Nathan Scott, one our residential crypto-ransomware gurus, allowed us to see what the ransomware was doing. When the ransomware executable is run it will scan all mapped drives, including removable and network drives, for data files to encrypt. When it encounters a file that contains certain file extensions it will encrypt them using AES encryption and then add the oorr. string to the beginning of the file name. As an example, test.doc will be renamed to oorr.test.doc. The list of extensions that are targeted by this ransomware are:
When a file is encrypted it will be recreated so that it contains different layers of information that can be used by the decrypter to decrypt your files. The different layers of the newly encrypted file are the encrypted contents of the original file, the original file size, the encrypted encryption key, the key size, and finally a lowlevel04 string that identifies that this is a file was encrypted by this particular infection. These layers of data in an encrypted file are shown below.
|Encrypted version of Original File|
|Original File Size|
|RSA Encrypted Encryption Key|
Format of the Encrypted Data File
In each folder that a file was encrypted, the infection will also leave a ransom note file titled help recover files.txt. This file will contain the instructions that a victim should follow in order to pay the ransom and receive a decryption program. The email addresses currently being used by the malware are email@example.com and firstname.lastname@example.org. This ransom note is shown below.
Click on image to enlarge
Finally, when the malware has finished the encryption process, it will perform a cleanup of all created files and delete them. It will also remove the Application, Security, and System event logs so that they cannot be used to perform forensics on the attack. The commands that are executed to clear the event logs are:
wevtutil.exe cl Application wevtutil.exe cl Security wevtutil.exe cl System
There is potentially some good news, though, as in the incomplete sample we had, the ransomware did not delete Shadow Volume Copies or securely delete the original files. This means that you may be able to use a file recovery tool to recover your files or a program like Shadow Explorer to restore your files from the Shadow Volume Copies. Information on how to restore your files from Shadow Volume Copies can be found in the CryptoLocker guide.