
How-To-Decrypt PowerShell Ransomware flaw makes recovery impossible


3 replies to this topic

#1 Nathan

Nathan

    DecrypterFixer


  • Security Colleague
  • 1,617 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:03:18 AM

Posted 15 August 2014 - 10:02 AM

A new file-encrypting ransomware has been floating around that we have named the How-To-Decrypt PowerShell Ransomware because of the filenames of the ransom notes and the technology it uses. This ransomware is based on the code from the Poshkoder malware that is part of the PowerWorm family. PowerWorm is a name given to newer PowerShell infection scripts that steal information, and even encrypt users' files similar to CryptoWall, CryptoLocker, and Cryptorbit. One of the more successful PowerWorm encrypting scripts is PoshKoder. This infection would enter the machine by opening infected Office files and then would continue to infect your Office files in hopes that you will send them to family, friends, and coworkers and infect them as well. Once running, the malware would encrypt your files with an AES key, which is in turn encrypted with an RSA key. Although this infection was quite successful for what it was made for, it was short lived.
 
It seems, though, that other cyber criminals have shown interest in these PowerWorm scripts, as different variants of them have been popping up all over the place. The most likely reason is that they are made in PowerShell, and it is easy to get the infection's source code. It is from this that the "How-To-Decrypt" PowerShell ransomware was born.
 
Numerous victims have contacted us about this ransomware over some time, but it was only recently that we were able to retrieve the dropper. Below are images of the ransom notes that will be displayed when your files are encrypted. Please note that there are many ransomware infections that use similar ransom note names, so you can confirm whether you have this infection by comparing the ransom note screens below.
 
[Image: decryption-site.png] HOW-TO-DECRYPT / HOWTODECRYPT Ransomware "Decryption" Site

[Image: ransom-note.png] HOW-TO-DECRYPT / HOWTODECRYPT Ransomware Ransom Note



HOW-TO-DECRYPT / HOWTODECRYPT Ransomware Analysis


HOW-TO-DECRYPT / HOWTODECRYPT Ransomware is nothing more than the encryption script taken from the Poshkoder infection and wrapped in an EXE launcher. Upon execution of the infection, it will place the encryption script in the Temporary Folder, and use an embedded library to execute the script without interruption. After execution, the infection uses a hardcoded password and seed to create an AES CBC key, and loops through every file on every available drive looking for a list of files to encrypt. Below is the array of extensions taken from the infection:
 

"*.doc","*.xls","*.docx","*.xlsx","*.mp3","*.waw","*.jpg","*.jpeg","*.txt","*.rtf","*.pdf","*.rar","*.zip","*.psd","*.tif","*.wma","*.gif","*.bmp","*.ppt","*.pptx","*.docm","*.xlsm","*.pps","*.ppsx","*.ppd","*.eps","*.png","*.ace","*.djvu","*.tar","*.cdr","*.max","*.wmv","*.avi","*.wav","*.mp4","*.pdd","*.css","*.php","*.aac","*.ac3","*.amf","*.amr","*.dwg","*.dxf","*.accdb","*.mod","*.mp1","*.mpa","*.tax2012","*.tax2013","*.tax2014","*.oga","*.ogg","*.pbf","*.ra","*.raw","*.saf","*.val","*.wave","*.wow","*.wpk","*.3g2","*.3gp","*.3gp2","*.3mm","*.amx","*.avs","*.bik","*.dir","*.divx","*.dvx","*.evo","*.flv","*.qtq","*.tch","*.rts","*.rum","*.rv","*.scn","*.srt","*.stx","*.svi","*.swf","*.trp","*.vdo","*.wm","*.wmd","*.wmmp","*.wmx","*.wvx","*.xvid","*.3d","*.3d4","*.3df8","*.pbs","*.adi","*.ais","*.amu","*.arr","*.bmc","*.bmf","*.cag","*.cam","*.dng","*.ink","*.jif","*.jiff","*.jpc","*.jpf","*.jpw","*.mag","*.mic","*.mip","*.msp","*.nav","*.ncd","*.odc","*.odi","*.opf","*.qif","*.qtiq","*.srf","*.xwd","*.abw","*.act","*.adt","*.aim","*.ans","*.asc","*.ase","*.bdp","*.bdr","*.bib","*.boc","*.crd","*.diz","*.dot","*.dotm","*.dotx","*.dvi","*.dxe","*.mlx","*.err","*.euc","*.faq","*.fdr","*.fds","*.gthr","*.idx","*.kwd","*.lp2","*.ltr","*.man","*.mbox","*.msg","*.nfo","*.now","*.odm","*.oft","*.pwi","*.rng","*.rtx","*.run","*.ssa","*.text","*.unx","*.wbk","*.wsh","*.7z","*.arc","*.ari","*.arj","*.car","*.cbr","*.cbz","*.gz","*.gzig","*.jgz","*.pak","*.pcv","*.puz","*.r00","*.r01","*.r02","*.r03","*.rev","*.sdn","*.sen","*.sfs","*.sfx","*.sh","*.shar","*.shr","*.sqx","*.tbz2","*.tg","*.tlz","*.vsi","*.wad","*.war","*.xpi","*.z02","*.z04","*.zap","*.zipx","*.zoo","*.ipa","*.isu","*.jar","*.js","*.udf","*.adr","*.ap","*.aro","*.asa","*.ascx","*.ashx","*.asmx","*.asp","*.indd","*.asr","*.qbb","*.bml","*.cer","*.cms","*.crt","*.dap","*.htm","*.moz","*.svr","*.url","*.wdgt","*.abk","*.bic","*.big","*.blp","*.bsp","*.cgf","*.chk","*.col","*.cty","*.dem","*.elf","*.ff","*.gam","*.grf","*.h3m","*.h4r","*.iwd","*.ldb","*.lgp","*.lvl","*.map","*.md3","*.mdl","*.mm6","*.mm7","*.mm8","*.nds","*.pbp","*.ppf","*.pwf","*.pxp","*.sad","*.sav","*.scm","*.scx","*.sdt","*.spr","*.sud","*.uax","*.umx","*.unr","*.uop","*.usa","*.usx","*.ut2","*.ut3","*.utc","*.utx","*.uvx","*.uxx","*.vmf","*.vtf","*.w3g","*.w3x","*.wtd","*.wtf","*.ccd","*.cd","*.cso","*.disk","*.dmg","*.dvd","*.fcd","*.flp","*.img","*.iso","*.isz","*.md0","*.md1","*.md2","*.mdf","*.mds","*.nrg","*.nri","*.vcd","*.vhd","*.snp","*.bkf","*.ade","*.adpb","*.dic","*.cch","*.ctt","*.dal","*.ddc","*.ddcx","*.dex","*.dif","*.dii","*.itdb","*.itl","*.kmz","*.lcd","*.lcf","*.mbx","*.mdn","*.odf","*.odp","*.ods","*.pab","*.pkb","*.pkh","*.pot","*.potx","*.pptm","*.psa","*.qdf","*.qel","*.rgn","*.rrt","*.rsw","*.rte","*.sdb","*.sdc","*.sds","*.sql","*.stt","*.t01","*.t03","*.t05","*.tcx","*.thmx","*.txd","*.txf","*.upoi","*.vmt","*.wks","*.wmdb","*.xl","*.xlc","*.xlr","*.xlsb","*.xltx","*.ltm","*.xlwx","*.mcd","*.cap","*.cc","*.cod","*.cp","*.cpp","*.cs","*.csi","*.dcp","*.dcu","*.dev","*.dob","*.dox","*.dpk","*.dpl","*.dpr","*.dsk","*.dsp","*.eql","*.ex","*.f90","*.fla","*.for","*.fpp","*.jav","*.java","*.lbi","*.owl","*.pl","*.plc","*.pli","*.pm","*.res","*.rnc","*.rsrc","*.so","*.swd","*.tpu","*.tpx","*.tu","*.tur","*.vc","*.yab","*.8ba","*.8bc","*.8be","*.8bf","*.8bi8","*.bi8","*.8bl","*.8bs","*.8bx","*.8by","*.8li","*.aip","*.amxx","*.ape","*.api","*.mxp","*.oxt","*.qpx","*.qtr","*.xla","*.xlam","*.xll","*.xlv","*.xpt","*.cfg","*.cwf","*.dbb","*.slt","*.bp2","*.bp3","*.bpl","*.clr","*.dbx","*.jc","*.potm","*.ppsm","*.prc","*.prt","*.shw","*.std","*.ver","*.wpl","*.xlm","*.yps","*.md3","*.1cd"

After finding a file with the right extension, it will read 23812 bytes into a buffer, encrypt it, and then rewrite the first 23812 bytes of the file with the encrypted bytes. It will continue to do this for every extension in the list on every drive. In every folder that a file was encrypted in, it will also place a "HOW-TO-DECRYPT.html" or "HOWTODECRYPT.html" file containing instructions on how to "Decrypt" the files. Please, DO NOT PAY FOR THIS DECRYPTION AS YOU WILL NOT GET YOUR FILES BACK! This virus creator likely does not have much experience in coding or writing an infection at all, and cannot decrypt your files.
 
Upon analysis of the infection, at first I figured this would be an easy infection to decrypt. The key and seed are both hardcoded into the script, and the virus creator took out all code that has to do with a server or RSA. But the virus creator chose to ignore errors in his script, and made a rookie encryption error. He didn't use at least an 8-byte seed for the key. This means that instead of using the hardcoded key he had in the script, Windows generates a random key every time. This makes recovering the key impossible for me, and even for him. So paying for the infection will not result in decrypting your files.
 

[Image: anal.png]


Sadly, this means that because the virus creator messed up the encryption, decryption isn't possible anymore. Therefore, paying the ransom will do nothing to get your files back and you will just lose the money. Thankfully, this infection does not wipe System Restore points, so it is possible, using System Restore, the Windows Previous Versions feature, or programs like Shadow Explorer, to recover your files. More information on how to do this can be found in our CryptoLocker guide here: http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information#shadow


Edited by decrypterfixer, 15 August 2014 - 10:11 AM.

Have you performed a routine backup today?
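The analysis in the post above gives three concrete facts an incident responder can work with: the ransom notes are named HOW-TO-DECRYPT.html or HOWTODECRYPT.html and dropped in every folder that was hit, only files with extensions from the quoted list are touched, and only the first 23812 bytes of each file are overwritten with ciphertext. The following Python script is an added triage example; it is not code from the original post, from BleepingComputer, or from the malware. It walks a directory tree, records where ransom notes were dropped, and flags targeted files whose first 23812 bytes have ciphertext-like entropy, reporting how much of each file lies past the overwritten prefix. The 7.5 bits-per-byte entropy threshold, the 256-byte minimum sample, the small subset of the extension list, the constructed sample directory, and the assumption that bytes beyond offset 23812 are untouched are all choices made for this example, not facts from the post.

```python
import math
import os
import random
import tempfile
from collections import Counter
from pathlib import Path

# Facts taken from the analysis in the post above.
ENCRYPTED_PREFIX_LEN = 23812
RANSOM_NOTE_NAMES = {"HOW-TO-DECRYPT.html", "HOWTODECRYPT.html"}
# A small subset of the extension list quoted in the post; extend as needed.
TARGET_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".txt", ".rtf", ".pdf",
                     ".jpg", ".jpeg", ".png", ".zip", ".rar", ".mp3"}
# Heuristic parameters chosen for this example (assumptions, not from the post).
ENTROPY_THRESHOLD = 7.5   # bits per byte; ciphertext is ~8.0, documents are far lower
MIN_SAMPLE = 256          # entropy of a very short prefix is not meaningful


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path) -> bool:
    """True if the prefix the malware overwrites has ciphertext-like entropy."""
    with open(path, "rb") as fh:
        head = fh.read(ENCRYPTED_PREFIX_LEN)
    if len(head) < MIN_SAMPLE:
        return False
    return shannon_entropy(head) >= ENTROPY_THRESHOLD


def triage(root) -> dict:
    """Walk `root` and report ransom notes and suspected-encrypted files.

    For each suspect, 'intact_tail_bytes' is the part of the file past the
    overwritten prefix; this example assumes that region was left untouched.
    """
    notes, suspects = [], []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in sorted(filenames):
            p = Path(dirpath) / name
            if name in RANSOM_NOTE_NAMES:
                notes.append(str(p))
            elif p.suffix.lower() in TARGET_EXTENSIONS and looks_encrypted(p):
                size = p.stat().st_size
                suspects.append({
                    "path": str(p),
                    "name": name,
                    "size": size,
                    "intact_tail_bytes": max(0, size - ENCRYPTED_PREFIX_LEN),
                })
    return {"ransom_notes": notes, "suspects": suspects}


def build_sample_tree(base: Path) -> None:
    """Create a constructed directory that mimics a hit folder (test data only)."""
    docs = base / "Documents"
    docs.mkdir(parents=True)
    rng = random.Random(20140815)  # fixed seed so the demo is repeatable
    (docs / "HOW-TO-DECRYPT.html").write_text("<html>constructed ransom note</html>")
    # A 30000-byte document whose first 23812 bytes were replaced with
    # ciphertext-like data; the trailing 6188 bytes are left as they were.
    (docs / "report.docx").write_bytes(
        rng.randbytes(ENCRYPTED_PREFIX_LEN) + b"original tail " * 442)
    # An untouched text file: low entropy, must not be flagged.
    (docs / "notes.txt").write_text("Meeting minutes, nothing encrypted here.\n" * 600)
    # A targeted extension but too small to judge: skipped.
    (docs / "icon.png").write_bytes(rng.randbytes(100))
    # High entropy but not a targeted extension: ignored.
    (base / "backup.bak").write_bytes(rng.randbytes(4096))


def run_demo() -> dict:
    """Build the sample tree in a temp dir, triage it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        return triage(tmp)


if __name__ == "__main__":
    report = run_demo()
    print("Ransom notes:", report["ransom_notes"])
    for s in report["suspects"]:
        print(f"{s['path']}: {s['size']} bytes, "
              f"{s['intact_tail_bytes']} bytes past the encrypted prefix")
```

Point `triage()` at a real volume instead of the constructed tree to get the same report. The entropy check is a heuristic: already-compressed formats such as .zip, .jpg or .mp3 have high entropy in their first bytes whether or not they were encrypted, so for those extensions a responder should also check that the format's magic bytes are gone before treating a file as a hit.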


#2 zingo156

zingo156

  • BC Advisor
  • 3,333 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:18 AM

Posted 15 August 2014 - 02:00 PM

Thanks for the write up decrypterfixer!


If I am helping you with a problem and I have not responded within 48 hours please send me a PM.

#3 Nathan

Nathan

    DecrypterFixer

  • Topic Starter

  • Security Colleague
  • 1,617 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:03:18 AM

Posted 15 August 2014 - 03:13 PM

Always a pleasure :)

 

Can't say Grinler didn't help with my bad spelling ;)


Have you performed a routine backup today?

#4 400d

400d

  • Members
  • 1 posts
  • OFFLINE
  • Local time:09:18 AM

Posted 09 January 2015 - 12:37 AM

Hello Nathan,

Have you dealt with the original POSHKODER? I will be grateful if you give me a clue how I can decrypt files that were broken with it.

Thank you.
