Rokku Ransomware Help & Support Topic - README_HOW_TO_UNLOCK.TXT Unlock Service


7 replies to this topic

#1 Grinler

    Lawrence Abrams

Posted 31 March 2016 - 08:23 PM

A new ransomware is in the wild called the Rokku Ransomware that appears to encrypt your data using RSA-512 (not confirmed yet) and then adds the .rokku extension to encrypted files. When the Rokku Ransomware encrypts your files it will encrypt each file with its own key that it will embed in the file. These individual file keys will be stored in an encrypted form that only the malware developer knows the decryption key for.

 

This ransomware will create ransom notes called readme_how_to_unlock.txt and readme_how_to_unlock.html throughout your drive and in the Windows startup folder. These notes will contain a link to the TOR decryption site for this ransomware called the Unlock Service.

 

[Image: readme_how_to_unlock-txt.png]

 

When a victim goes to the site, they will need to upload one of the encrypted files in order to gain access. Once in the Unlock Service site you will see your unique victim ID and a bitcoin address you need to send payment to in order to purchase the decryption key. The current cost for decryption is .24 Bitcoins or approximately 100 USD.

 

[Image: unlock-service-redacted.png]

 

This site will also provide a decryptor that you can download to decrypt one free file or all of your files if you pay the ransom.

 

At this time, there is no known way to decrypt the file, though one may be possible due to the weak encryption used.




#2 cybercynic


Posted 31 March 2016 - 09:56 PM

Quietman, there is a topic you might want to combine with this: "encrypted .rokku files and possible decryption?"




#3 quietman7

    Bleepin' Janitor

Posted 06 April 2016 - 07:48 AM

Quietman, there is a topic you might want to combine with this: "encrypted .rokku files and possible decryption?"

That topic has been closed to avoid confusion and the victims have been referred to this support topic.

#4 MarcAndreServant


Posted 23 April 2016 - 09:52 AM

I took a look in a debugger. It seems, contrary to the information in the news article on the home page, that the ChaCha encryption algorithm is used for the main file encryption loop, in addition to or instead of the Salsa20 algorithm. The constants used in the bitwise rotates give it away.

 

It also seems that the files are encrypted in 32KB blocks, and that only two rounds of the encryption algorithm are executed per block (if so, that is a major flaw and differential cryptanalysis would be trivial). I could be wrong, though, as I didn't actually follow the executing code that closely. The encryption also proceeds correctly while offline, which indicates that the same RSA-512 key is used for all victims to allow the crook(s) to decrypt it once a file is sent. This is important, as factoring a key for each victim (~150$) would be more expensive than paying the ransom. However, factoring once and decrypting everyone could be viable, at least until the malware authors beef up the encryption strength.

 

http://pastebin.com/9i5FxDDu
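To make the rotation-constant observation above concrete, here is an added side-by-side of the two quarter rounds (example code written for this thread, not the poster's code and not the contents of the pastebin): ChaCha rotates by 16, 12, 8, 7 and Salsa20 by 7, 9, 13, 18, so the rotate immediates seen in a disassembly distinguish them. The test vectors are the ones from RFC 7539 section 2.1.1 and the Salsa20 specification; `classify_rotations` is a hypothetical helper for an analyst who has pulled the rotate counts out of a listing.

```python
MASK32 = 0xFFFFFFFF

def rotl32(x: int, n: int) -> int:
    """32-bit rotate left, the operation whose immediates identify the cipher."""
    return ((x << n) | (x >> (32 - n))) & MASK32

# ChaCha quarter round: add, xor, rotate; rotations 16, 12, 8, 7.
CHACHA_ROTATIONS = (16, 12, 8, 7)

def chacha_qr(a: int, b: int, c: int, d: int) -> tuple:
    a = (a + b) & MASK32; d = rotl32(d ^ a, 16)
    c = (c + d) & MASK32; b = rotl32(b ^ c, 12)
    a = (a + b) & MASK32; d = rotl32(d ^ a, 8)
    c = (c + d) & MASK32; b = rotl32(b ^ c, 7)
    return a, b, c, d

# Salsa20 quarter round: add, rotate, xor; rotations 7, 9, 13, 18.
SALSA20_ROTATIONS = (7, 9, 13, 18)

def salsa20_qr(y0: int, y1: int, y2: int, y3: int) -> tuple:
    z1 = y1 ^ rotl32((y0 + y3) & MASK32, 7)
    z2 = y2 ^ rotl32((z1 + y0) & MASK32, 9)
    z3 = y3 ^ rotl32((z2 + z1) & MASK32, 13)
    z0 = y0 ^ rotl32((z3 + z2) & MASK32, 18)
    return z0, z1, z2, z3

def classify_rotations(rotate_counts) -> str:
    """Hypothetical helper: map the set of rotate-left immediates found in a
    loop body to the cipher family they belong to ('chacha', 'salsa20', 'unknown')."""
    seen = set(rotate_counts)
    if seen == set(CHACHA_ROTATIONS):
        return "chacha"
    if seen == set(SALSA20_ROTATIONS):
        return "salsa20"
    return "unknown"

if __name__ == "__main__":
    # RFC 7539 quarter-round test vector and the Salsa20 spec quarterround example.
    print([f"{v:08x}" for v in chacha_qr(0x11111111, 0x01020304, 0x9B8D6F43, 0x01234567)])
    print([f"{v:08x}" for v in salsa20_qr(0x00000001, 0, 0, 0)])
    print(classify_rotations([16, 12, 8, 7, 16, 12, 8, 7]))
```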



#5 MarcAndreServant


Posted 23 April 2016 - 01:49 PM

Looks like the RSA-512 modulus is:

 

Hex:
08C9BCF367E6096A
3BA7CA8485AE67BB
2BF894FE72F36E3C
F1361D5F3AF54FA5
D182E6AD7F520E51
1F6C3E2B8C68059B
6BBD41FBABD9831F
79217E1319CDE05B
 
Decimal:
46026697068850239021
20037024498287996621
62023050833782335250
24987556908217232261
92947469347106858941
40405849489599670169
69276493333470645804
1665798922331
 
This is, indeed, hardcoded, so everyone's keys are encrypted with the same modulus and exponent. Now we need to factor this, and every victim will have access to their files for free. This should take ~3 months on a laptop, or ~10h on a supercomputer. By today's standards, this is exceedingly weak encryption.
 
EDIT: I had the endianness wrong. There is no point in factoring this number, it is prime. Note that RSA private keys contain a private exponent, but not the factors of the modulus directly. So this is probably not RSA, or else the malware authors were so careless as to include the factors in their binary, but at this point I'm thinking this is either DSA or some other algorithm where a prime is a public parameter.

 

[Image: FiP15Gn.png]


Edited by MarcAndreServant, 23 April 2016 - 10:18 PM.


#6 MarcAndreServant


Posted 26 April 2016 - 11:50 AM

EDIT: 
I analysed the output of the algorithm. This is valid, locally implemented SHA-512, not RSA. Why the authors took the trouble to implement this locally and didn't just use OpenSSL, I don't know. Why they would hash a random value to make it "more random" (unnecessary), I don't know. But I'm still looking for the weak RSA keys. I have opened an Amazon EC2 account, as 50 dual socket 36-core 72-thread Xeon servers with 60GB of RAM each are likely more efficient at running Msieve than my i3 laptop with 4GB of RAM.
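An added check tying post #5 and this post together (example code written for this thread, not the poster's): the 64 bytes posted as the "RSA-512 modulus", once read with the corrected endianness (eight little-endian 64-bit words, the natural x86 memory layout), are exactly the SHA-512 initial hash values H0..H7 from FIPS 180-4, which is consistent with the SHA-512 conclusion here. The hex string is copied from post #5 with its line breaks removed; the IV constants are the published standard values.

```python
import struct

# The hex bytes exactly as pasted in post #5, line breaks removed.
POSTED_HEX = (
    "08C9BCF367E6096A3BA7CA8485AE67BB2BF894FE72F36E3CF1361D5F3AF54FA5"
    "D182E6AD7F520E511F6C3E2B8C68059B6BBD41FBABD9831F79217E1319CDE05B"
)

# SHA-512 initial hash values H0..H7 (FIPS 180-4 section 5.3.5): the first
# 64 bits of the fractional parts of the square roots of the first 8 primes.
SHA512_IV = (
    0x6A09E667F3BCC908, 0xBB67AE8584CAA73B, 0x3C6EF372FE94F82B, 0xA54FF53A5F1D36F1,
    0x510E527FADE682D1, 0x9B05688C2B3E6C1F, 0x1F83D9ABFB41BD6B, 0x5BE0CD19137E2179,
)

def words_le(hexstr: str) -> tuple:
    """Read the 64 bytes as eight little-endian uint64 words (x86 memory order)."""
    return struct.unpack("<8Q", bytes.fromhex(hexstr))

def as_bigendian_int(hexstr: str) -> int:
    """The same bytes read as one big-endian integer, i.e. the 'modulus' reading."""
    return int(hexstr, 16)

def is_sha512_iv(hexstr: str) -> bool:
    """True when the little-endian words are exactly the SHA-512 IV."""
    return words_le(hexstr) == SHA512_IV

if __name__ == "__main__":
    n = as_bigendian_int(POSTED_HEX)
    print("bit length when read as a big-endian integer:", n.bit_length())
    for i, w in enumerate(words_le(POSTED_HEX)):
        print(f"H{i} = {w:016x}  matches SHA-512 IV: {w == SHA512_IV[i]}")
    print("whole block is the SHA-512 IV:", is_sha512_iv(POSTED_HEX))
```

The same approach (reinterpreting a suspected key blob with both byte orders and comparing against well-known constants) is a quick way to rule out an asymmetric key before spending factoring time on it.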



#7 Demonslay335

    Ransomware Hunter

Posted 26 April 2016 - 03:13 PM

EDIT: 
I analysed the output of the algorithm. This is valid, locally implemented SHA-512, not RSA. Why the authors took the trouble to implement this locally and didn't just use OpenSSL, I don't know. Why they would hash a random value to make it "more random" (unnecessary), I don't know. But I'm still looking for the weak RSA keys. I have opened an Amazon EC2 account, as 50 dual socket 36-core 72-thread Xeon servers with 60GB of RAM each are likely more efficient at running Msieve than my i3 laptop with 4GB of RAM.

 
Thanks for your hard work on this. Have you seen Googulator's assessment of the asymmetric algorithm used?

 

Done some analysis. The asymmetric algorithm used is Curve25519, not RSA. So, not vulnerable.

Also, the bulk encryption is done using ChaCha, not Salsa20.




#8 MarcAndreServant


Posted 26 April 2016 - 06:35 PM

 Thanks for your hard work on this. Have you seen Googulator's assessment of the asymmetric algorithm used?

 

 

Yes. Unfortunately, this might not be decryptable. Also, the low number of rounds for ChaCha doesn't seem exploitable, as any differential would require many gigabytes of data to show up, and the key changes for each file, forcing us to start all over again. The random numbers are obtained through kernel calls. They did it the proper way, not with srand(time(NULL)).





