Ransomcrypt (DirtyDecrypt.exe) uses EFS


213 replies to this topic

#1 Crazy Cat


Posted 18 July 2013 - 10:48 PM

Since I can't reply to post http://www.bleepingcomputer.com/forums/t/501385/decryptexe/ I'll post it here.

This Trojan.Ransomcrypt.D (http://www.symantec.com/security_response/writeup.jsp?docid=2013-071012-1247-99&tabid=2) is the variant.

%UserProfile%\Application Data\Microsoft\Crypto\RSA\[SID]\76c6693205311293dabe1dd1d619ff3d_7d2d450e-594b-4214-a88e-adb179f21516
%UserProfile%\Application Data\Microsoft\Crypto\RSA\[SID]\92bd0cb3bb654c3ca25f64427cd8bdff_7d2d450e-594b-4214-a88e-adb179f21516
%UserProfile%\Application Data\Microsoft\Crypto\RSA\[SID]\c454754cf8997ff64bf863f7a733297e_7d2d450e-594b-4214-a88e-adb179f21516
%UserProfile%\Application Data\Microsoft\Crypto\RSA\[SID]\f841fc663738bb69a5edcfa7a046c624_7d2d450e-594b-4214-a88e-adb179f21516

It uses the Microsoft Encrypting File System (EFS) against you. The Encrypting File System. http://technet.microsoft.com/en-us/library/cc700811.aspx

CIPHER commands. http://ss64.com/nt/cipher.html

Encrypting and decrypting from the command line. You can use the cipher command to encrypt and decrypt data at the command line, in individual directories or in batches.
http://www.techrepublic.com/article/use-cipherexe-for-command-line-encryption/

Cipher.exe Security Tool for the Encrypting File System. http://support.microsoft.com/kb/298009
Allows a user or administrator to display or alter the encryption of files. In addition to encrypting or decrypting a file or folder, Cipher can be used to update the file encryption keys or the keys of the data recovery agent (DRA) should there be a change in the data recovery policy. http://technet.microsoft.com/en-us/library/cc736602(v=ws.10).aspx

Edited by Crazy Cat, 19 July 2013 - 06:44 AM.

 

Two things are infinite: the universe and human stupidity; and I'm not sure about the universe. ― Albert Einstein ― Insanity is doing the same thing, over and over again, but expecting different results.

 


#2 Crazy Cat


Posted 18 July 2013 - 10:56 PM

Back up the certificate and private key currently used to encrypt and decrypt EFS files before removing DirtyDecrypt.exe

To back up the certificate and private key currently used to encrypt and decrypt EFS files to a file named c:\myefsbackup.pfx, type: CIPHER /x c:\myefsbackup

CIPHER commands. http://ss64.com/nt/cipher.html
 



#3 Aaflac

  • Malware Response Team

Posted 24 July 2013 - 10:18 PM

Crazy Cat,

Thank you for the information.

Encrypting or decrypting is not "my thing", so, I am looking at this from the perspective of an OP who has posted in a forum seeking help to regain use of personal files that were affected by the DirtyDecrypt ransomware.

Since some of the references provided may be way beyond the understanding of the average user, self included, do you have a reference (link) to any cases where the CIPHER command line was used to decrypt files affected by this ransomware variant?

Also, if encrypted files can only be decrypted using the private key that encrypted them, where would the certificate and private key be obtained from?

Any light you can provide to simplify the process is appreciated.

Old duck...


#4 Crazy Cat


Posted 24 July 2013 - 11:57 PM

I'll post the information either tomorrow or later tonight. I'm too busy right now.
 



#5 Grinler

    Lawrence Abrams

  • Admin

Posted 25 July 2013 - 04:29 PM

But without the key, there is no way to decrypt. No?

#6 Crazy Cat


Posted 26 July 2013 - 07:52 PM

DirtyDecrypt. https://www.virustotal.com/en/file/ac995a703e528e67cb41489dcaa57f2ef7cb3174990bf8b30f69dfaae8ea4e37/analysis/

SHA256: ac995a703e528e67cb41489dcaa57f2ef7cb3174990bf8b30f69dfaae8ea4e37
SHA1: b86e9a0b4678922b74939f0aedaf17fc470ed88f
MD5: 4bb6c6c3f1ad7c2fb6096f6156c1df9b
File size: 704.1 KB ( 720969 bytes )
File name: A0649781.exe or [RANDOM CHARACTERS].exe


As explained already, using Trojan.Ransomcrypt.D (http://www.symantec.com/security_response/writeup.jsp?docid=2013-071012-1247-99&tabid=2) the trojan creates the private keys for the EFS in RootDirectory\Documents and Settings\< username>\Application Data\Microsoft\Crypto\RSA

%UserProfile%\Application Data\Microsoft\Crypto\RSA\[SID]\76c6693205311293dabe1dd1d619ff3d_7d2d450e-594b-4214-a88e-adb179f21516
%UserProfile%\Application Data\Microsoft\Crypto\RSA\[SID]\92bd0cb3bb654c3ca25f64427cd8bdff_7d2d450e-594b-4214-a88e-adb179f21516
%UserProfile%\Application Data\Microsoft\Crypto\RSA\[SID]\c454754cf8997ff64bf863f7a733297e_7d2d450e-594b-4214-a88e-adb179f21516
%UserProfile%\Application Data\Microsoft\Crypto\RSA\[SID]\f841fc663738bb69a5edcfa7a046c624_7d2d450e-594b-4214-a88e-adb179f21516

Info 1: How Private Keys Are Stored. http://technet.microsoft.com/en-us/library/cc962112.aspx

It lowers security settings, and modifies the following registry entries:

HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Builtin\"F" = "[BINARY DATA]"
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Builtin\Aliases\00000220\"C" = "[BINARY DATA]"
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Builtin\Aliases\Members\[SID]\000003ED\"(Default)" = "?\00?"

The domain controllers backup/restore master key is stored on the system as a global local security authority (LSA) secret in the HKEY_LOCAL_MACHINE/SAM key in the registry and is replicated over the network by means of Active Directory. (Global LSA secrets are objects provided by the LSA to enable system services to store private data securely.) See Info 1.

Detailed information on the Encrypting File System (EFS) can be found here.

How EFS Works. http://technet.microsoft.com/en-us/library/cc962103.aspx
Features of EFS. http://technet.microsoft.com/en-us/library/cc962100.aspx
How Private Keys Are Stored. http://technet.microsoft.com/en-us/library/cc962112.aspx
How Certificates Are Stored. http://technet.microsoft.com/en-us/library/cc962104.aspx

Advanced EFS Data Recovery. http://www.elcomsoft.com/aefsdr.html
http://www.elcomsoft.com/WP/advantages_and_disadvantages_of_efs_and_effective_recovery_of_encrypted_data_en.pdf


To find out which files on your system have been encrypted with EFS. CIPHER.EXE /U /N

Creating a new recovery agent certificate, and backing up the certificate and private key currently in use (by the currently logged-on user) to a USB thumb drive, will give you a fail-safe should you need to reinstall the OS.

New recovery agent certificate:
CIPHER /r:PathNameWithoutExtension

Backup Keys:
CIPHER /x[:PathName]

Note 2. CIPHER commands. http://ss64.com/nt/cipher.html

Create a recovery certificate for encrypted files. http://windows.microsoft.com/en-au/windows-vista/create-a-recovery-certificate-for-encrypted-files#
Back up Encrypting File System (EFS) certificate. http://windows.microsoft.com/en-au/windows-vista/back-up-encrypting-file-system-efs-certificate
How to back up the recovery agent Encrypting File System (EFS) private key in Windows (XP). http://support.microsoft.com/kb/241201

Once you have removed DirtyDecrypt, you can use these decrypt tools.

Emsisoft Decrypter (http://tmp.emsisoft.com/fw/decrypt_mblblock.exe)
Decrypt Protect. http://www.malwareremovalguides.info/decrypt-files-with-decrypt_mblblock-exe-decrypt-protect/

Should DirtyDecrypt persist, and you are having OS issues after removing the trojan, and all else fails, then a new OS reinstall is required.
 



#7 Aaflac

  • Malware Response Team

Posted 26 July 2013 - 09:25 PM

As explained already, using Trojan.Ransomcrypt.D (http://www.symantec.com/security_response/writeup.jsp?docid=2013-071012-1247-99&tabid=2) the trojan creates the private keys for the EFS in RootDirectory\Documents and Settings\< username>\Application Data\Microsoft\Crypto\RSA
 

I am sorry, but, cannot find where the Symantec link addresses that the trojan creates the private keys in RootDirectory\Documents and Settings\< username>\Application Data\Microsoft\Crypto\RSA

 

As mentioned before, I am not an expert, at anything, however, Google is my friend. The info found leads one to believe that Private keys may be stored as described, however, these are keys stored there by the computer user who encrypts a file, and only this user, or a designated Recovery Agent can decrypt the file.

 

Without the encryptor's private key an OP will get nowhere in a hurry. It seems rather unlikely that the malware creator is going to allow the storing of the Private Key in the above location.




#8 Crazy Cat


Posted 26 July 2013 - 10:14 PM

As explained already, using Trojan.Ransomcrypt.D (http://www.symantec.com/security_response/writeup.jsp?docid=2013-071012-1247-99&tabid=2) the trojan creates the private keys for the EFS in RootDirectory\Documents and Settings\< username>\Application Data\Microsoft\Crypto\RSA


I am sorry, but, cannot find where the Symantec link addresses that the trojan creates the private keys in RootDirectory\Documents and Settings\< username>\Application Data\Microsoft\Crypto\RSA
 
As mentioned before, I am not an expert, at anything, however, Google is my friend. The info found leads one to believe that Private keys may be stored as described, however, these are keys stored there by the computer user who encrypts a file, and only this user, or a designated Recovery Agent can decrypt the file.
 
Without the encryptor's private key an OP will get nowhere in a hurry. It seems rather unlikely that the malware creator is going to allow the storing of the Private Key in the above location.

I have copied & pasted it from the "Technical Details" tab on http://www.symantec.com/security_response/writeup.jsp?docid=2013-071012-1247-99&tabid=2

%UserProfile%\Application Data\Microsoft\Crypto\RSA\[SID]\76c6693205311293dabe1dd1d619ff3d_7d2d450e-594b-4214-a88e-adb179f21516
%UserProfile%\Application Data\Microsoft\Crypto\RSA\[SID]\92bd0cb3bb654c3ca25f64427cd8bdff_7d2d450e-594b-4214-a88e-adb179f21516
%UserProfile%\Application Data\Microsoft\Crypto\RSA\[SID]\c454754cf8997ff64bf863f7a733297e_7d2d450e-594b-4214-a88e-adb179f21516
%UserProfile%\Application Data\Microsoft\Crypto\RSA\[SID]\f841fc663738bb69a5edcfa7a046c624_7d2d450e-594b-4214-a88e-adb179f21516
 



#9 Aaflac

  • Malware Response Team

Posted 26 July 2013 - 11:10 PM

Thanks for the info.



#10 Grinler

    Lawrence Abrams

  • Admin

Posted 27 July 2013 - 09:59 AM

Crazy Cat, I am not sure where you are getting your information from, but you're missing some key points. Your information about EFS is definitely handy, but doesn't apply to this infection.

First, Emsisoft Decrypter has nothing to do with this infection. Also the second link regarding the decryption tools just points to a page about Fabian's tool.

Second, Fabian and other analysts have examined this ransomware and it does not use EFS to encrypt the files regardless of the keys being stored in that folder.

Third, if it was using EFS I would hazard to guess that the developer would delete the certificate. What would be the point of leaving the cert and private key on the computer to easily decrypt the files?

Last, but not least, the current version of DirtyDecrypt uses a new lock screen, which is disgusting (contains child pornography) to say the least.

#11 Fabian Wosar

    Authorized Emsisoft Representative

  • Security Developer

Posted 27 July 2013 - 10:59 AM

Since a few people asked me to comment on this topic and I don't want to reply to everyone personally:

Despite what Crazy Cat claims, the malware does not use EFS at all. By definition the malware can't use EFS, because of the way it delivers its ransom note. DirCrypt (that's the more or less official name adopted by many companies for this malware) prepends encrypted files with its ransom note. That ransom note is usually of a similar format as the original file. So if you double click the encrypted file, you end up with the ransom note being displayed as a picture, video, Word file, or whatever else the original file format was. Here is the problem: EFS only allows encryption to be enabled or disabled at the file level. It is not possible to have some portion of a file encrypted, while other portions of the very same file are unencrypted, which would be necessary for the malware to work properly.

In fact, if you take the very same malware sample Crazy Cat posted above, let it infect a system, and then use Cipher to get a list of all EFS encrypted files, you get exactly nothing:

[screenshot: Cipher listing of EFS-encrypted files on the infected system, empty]

But what about those RSA files? Do they contain any keys that could be used to decrypt your files? The answer is: At one point they might have. But they are overwritten by the malware. This is what a normal RSA key file would look like:

[screenshot: a normal RSA key file]

This is what the key file looks like after the malware is done with it:

[screenshot: the same RSA key file after the malware overwrote it]

You don't need to understand the exact format. But I think it is obvious that a whole bunch of information is missing in the second file, compared to the first.

I hope this clears things up a bit :).
Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com

#12 Crazy Cat


Posted 27 July 2013 - 07:56 PM

Thanks for clearing that up Fabian.

Since I don't have the malware at hand (currently), and could not find the disassembled malware code online, I had to rely on the Symantec Trojan.Ransomcrypt.D info.

I was hoping I could find it here, http://www.openioc.org/ since they have Stuxnet.
 



#13 brett02


Posted 29 July 2013 - 01:07 AM

I wanted to add that I have been looking everywhere for an answer to this. When I open WinHex and compare my one JPEG to the backup, size-wise they are identical, but in WinHex there is a difference at the beginning. Am I on to something that can resolve this? I remember years ago something similar happening to a couple of my photos, but I was able to simply run a program and was good to go. I see this is spreading; is there anything in the works to get this resolved, and should I just hold tight with my encrypted files?



#14 Arvind0007


Posted 29 July 2013 - 05:56 AM

Couple of things I noticed with the encrypted files:

  • When you open a word file on a PC that has not got Office loaded in it, it gives you a 'save as' window. I also found that it shows a .xml file format somewhere.
  • When I tried to open a .jpg file using IrfanView, it says the file is in the wrong format as it's a .PNG file. Probably the encryption it is using is that used in Mac. I renamed it to .png but it still gives the DirtyDecrypt.exe logo

Hope the above can be helpful to those working hard on determining a way to decrypt this virus


Edited by Arvind0007, 29 July 2013 - 07:14 AM.


#15 Crazy Cat


Posted 31 July 2013 - 05:46 AM

Couple of things I noticed with the encrypted files:
When I tried to open a .jpg file using IrfanView, it says the file is in the wrong format as it's a .PNG file. Probably the encryption it is using is that used in Mac. I renamed it to .png but it still gives the DirtyDecrypt.exe logo

Trojan.Ransomcrypt.D (http://www.symantec.com/security_response/writeup.jsp?docid=2013-071012-1247-99&tabid=2)

%UserProfile%\Application Data\Dirty\alertwall.jpg

Lets assume alertwall.jpg = 2013-071012-1247-99.1.jpg

Save https://www.symantec.com/content/en/us/global/images/threat_writeups/2013-071012-1247-99.1.jpg to PC. It's a JPG file.

Rename 2013-071012-1247-99.1.jpg to 2013-071012-1247-99.1.jpg.png and view. Still looks the same.

Now, rename 2013-071012-1247-99.1.jpg.png to imagefile.jpg and save to C:\test\

Copy any .rar file you have to C:\test\

Open a command prompt (Run > cmd) to C:\test\ and run: copy /b imagefile.jpg + *.rar rar.jpg

This will merge the imagefile.jpg with the .rar file to produce rar.jpg - but all you can view is the picture file imagefile.jpg

Rename rar.jpg to rar.jpg.rar so you can open it with the RAR application.

I'll post my full results (and conclusion) when complete.

Edited by Crazy Cat, 31 July 2013 - 05:48 AM.

 

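Added example, not code from this thread, from Emsisoft or from any of the posters: it models the file layout Fabian describes in #11 (ransom note in the original's format, prepended to the encrypted original) and the layout Crazy Cat reproduces in #15 with `copy /b imagefile.jpg + *.rar rar.jpg`, and shows the checks a responder can run on such a file. The magic-byte signatures are the standard ones; the sample note, sample payload, file name and all function names are this example's own constructed assumptions. `is_efs_encrypted` reads the per-file attribute that `cipher /u /n` reports on Windows, which is the check Fabian ran; on a non-Windows host it simply returns False.

```python
"""Triage a file suspected of carrying a prepended ransom note.

Constructed example; signatures are standard magic bytes, everything
else (sample bytes, names) is made up for illustration.
"""
import os
import stat

# Standard leading bytes for the formats mentioned in the thread.
FORMATS = {
    "jpeg": b"\xff\xd8\xff",
    "png":  b"\x89PNG\r\n\x1a\n",
    "rar":  b"Rar!\x1a\x07",      # covers RAR4 (..07 00) and RAR5 (..07 01 00)
    "zip":  b"PK\x03\x04",        # .docx/.xlsx are zip containers
    "pdf":  b"%PDF-",
}
EXT_TO_FORMAT = {
    "jpg": "jpeg", "jpeg": "jpeg", "png": "png", "rar": "rar",
    "zip": "zip", "docx": "zip", "xlsx": "zip", "pdf": "pdf",
}


def detect_format(data):
    """Format implied by the leading bytes, or None if unknown."""
    for name, sig in FORMATS.items():
        if data.startswith(sig):
            return name
    return None


def prepend_note(note, payload):
    """Same byte layout as `copy /b note.jpg + payload out.jpg`."""
    return note + payload


def find_embedded(data, start=1):
    """(offset, format) for every known signature after the first byte.

    In the copy /b demo the appended part is a plain .rar, so its
    signature is found. In the real infection the tail is ciphertext, so
    nothing is found; an empty result is what encryption looks like here.
    """
    hits = []
    for name, sig in FORMATS.items():
        pos = data.find(sig, start)
        while pos != -1:
            hits.append((pos, name))
            pos = data.find(sig, pos + 1)
    return sorted(hits)


def split_note(data):
    """(note, remainder) cut at the first embedded signature.

    Returns (data, b"") when there is no embedded signature, i.e. the
    tail is opaque and cannot be carved this way.
    """
    hits = find_embedded(data)
    if not hits:
        return data, b""
    cut = hits[0][0]
    return data[:cut], data[cut:]


def is_efs_encrypted(path):
    """Per-file equivalent of a `cipher /u /n` listing: FILE_ATTRIBUTE_ENCRYPTED.

    Only NTFS on Windows exposes this bit; elsewhere the attribute does
    not exist and the function returns False.
    """
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    flag = getattr(stat, "FILE_ATTRIBUTE_ENCRYPTED", 0)
    return bool(attrs & flag)


def triage(filename, data):
    """Summarise what the bytes say about a suspect file."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = EXT_TO_FORMAT.get(ext)
    actual = detect_format(data)
    return {
        "expected": expected,
        "actual": actual,
        "header_mismatch": expected is not None and actual != expected,
        "embedded": find_embedded(data),
    }


# Constructed sample: a PNG-headed "ransom note" followed by a RAR archive,
# stored under a .jpg name (the IrfanView "this is really a PNG" case).
SAMPLE_NOTE = FORMATS["png"] + b"\x00\x00\x00\rIHDR" + b"\x00" * 32
SAMPLE_PAYLOAD = FORMATS["rar"] + b"\x00" + b"\x11" * 64
SAMPLE_NAME = "holiday.jpg"
SAMPLE_FILE = prepend_note(SAMPLE_NOTE, SAMPLE_PAYLOAD)

if __name__ == "__main__":
    print(triage(SAMPLE_NAME, SAMPLE_FILE))
    note, rest = split_note(SAMPLE_FILE)
    print(len(note), len(rest), detect_format(rest))
```

On the constructed sample the header says PNG while the name says JPEG, and a RAR signature sits at offset 48, so the tail can be carved back out. Run the same triage on a real DirCrypt output and the mismatch will still show, but `find_embedded` should come back empty: the bytes after the note are ciphertext, which is exactly why no file-format trick recovers them.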




