

Hello


2 replies to this topic

#1 oasis375

oasis375

  • Members
  • 3 posts
  • OFFLINE
  • Local time:09:51 PM

Posted 29 May 2016 - 06:39 AM

Hello. Another guy here victim of ransomware, and trying to fight back.

This threat is worse than traditional viruses, because ransomware is lucrative.





#2 minkimmik

minkimmik

  • Members
  • 38 posts
  • OFFLINE
  • Local time:09:51 PM

Posted 29 May 2016 - 05:33 PM

What happened?

After being infected, I noticed unusual HDD activity on my laptop, so I found the exe (Task Manager) and stopped it (before it self-deletes). This specific version copies itself to this folder: C:\Users\\AppData\Roaming\{915B610A-3A50-EC83-B668-A1F2716850AF} and renames itself to a system-related keyword like "shutdown", "svchost", "winlogon", etc. When it has an Internet connection, it gets the IP info from the websites ipinfo.io, freegeoip.net, ip-api.com (country filtering?), and starts a partial IP scan of servers 85.93.0.x to 85.93.63.x (class C scan), looking for port 6892 (UDP, ICMP protocols).

I found out that this program operates offline; it doesn't send or receive any data from any server. Besides, any configuration (IP, time, OS, system, etc.) is irrelevant. It uses a keygen that generates valid ID codes that are recognized by the web server. With that ID, it asks you to visit a URL like: http://cerberhhyed5frqa.tewoaq.win/82A8-0ED1-7C78-006B-0C0B (see the list of domains in the "# DECRYPT MY FILES #.txt" notice). After selecting your language and entering a captcha (for "security reasons"!, they say), a countdown timer starts, counting down from 5 days. Remember that the program operates offline; that means that they really don't have any info about your case, so you can generate another code and start again. They give you the opportunity to "Decrypt 1 file for free".

I have played with Cerber in this setting: I run the exe in a VM snapshot with the network disabled. When the process stops, the target files are encrypted. I use this setting as a keygen; that way I can visit the URL with the ID code and decrypt one file (smaller than 512KB). My discovery is that other versions of the exe (with different hashes) seem to use the same password (decryption key). That way, the server always distributes the same decrypter program.

I have experimented with modifying the exe. At the end of it there is a 256-char string, but changing a byte doesn't affect the encryption (so that's not password related):

akOmFVnYPom+0LFumcTnI6OFMa4ErwvKTbCe/krhKWKU9X6gazsiYwfJcHs1n42qJEtVIhg+6HCKHpljlFmb/Rgx7AtzUWGhlFMIS7K/+YqQcjrRy7IOW7mpi7MGggQ=|BgUl4nb9|XFbYNl1RvF4O7G7gNnJsrbqputCHf9cfCbUzj4ARaAb3SoR1rOZxZDC3SIiemcjtal2TuuG5v7nB6VFGLdEGSK4EfmVkjjoG6InnXYuYWzDyaoUQej5V7s

In my setting, I put a known file.txt (in C:\Users\\Documents) to see how the encrypter works. Each encryption process produces a different file. With that encrypted output, I visit the URL and decrypt the file. If you modify 1 byte of the *.cerber file, it doesn't decrypt. On the other hand, the filename is irrelevant, because the file can still be decrypted if it's renamed. That means the filename is included in the file.

TO DO: hack the exe and try to find the password. My theory is that all exe's use the same passwords.

https://www.dropbox.com/s/ohaoltgtqskdpv7/%23%20DECRYPT%20MY%20FILES%20%23.txt?dl=0
https://www.dropbox.com/s/ma6p3mjpm4lq5oy/malware-cerber.rar?dl=0 (password for the rar is "ransomware")

Edited by oasis375, 29 May 2016 - 07:09 AM.
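The host-level behaviours reported in the post above (the self-copy into an AppData\Roaming\{GUID} folder under a system-looking name, the public-IP lookups at ipinfo.io / freegeoip.net / ip-api.com, and the UDP/6892 scan of 85.93.0.x to 85.93.63.x, i.e. 85.93.0.0/18) can be turned into a simple hunt over endpoint telemetry. The following is an added example, not code from this thread or from any product: the one-event-per-line key=value log format, the `host` field on outbound HTTP events, and the sample lines are assumptions constructed for the example, and the script flags only the behaviours the post describes, not Cerber in general.

```python
"""Hunt for the behaviours described in the post over constructed log lines.
Added example, not code from the thread or from any product.  Assumed (not
from the post): the one-event-per-line key=value log format, the 'host'
field for outbound HTTP, and the sample lines at the bottom."""
import ipaddress
import re

# From the post: the sample copies itself to %APPDATA%\Roaming\{GUID}\ and
# takes a system-looking name such as shutdown, svchost or winlogon.
SYSTEM_LOOKALIKE_NAMES = {"shutdown", "svchost", "winlogon"}
APPDATA_GUID_DIR = re.compile(
    r"\\AppData\\Roaming\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}"
    r"\\(?P<name>[^\\]+)\.exe$",
    re.IGNORECASE,
)
# From the post: it scans 85.93.0.x-85.93.63.x (= 85.93.0.0/18) for UDP 6892
# and looks up its own public IP at these three services.
SCAN_RANGE = ipaddress.ip_network("85.93.0.0/18")
SCAN_PORT = "6892"
GEOIP_HOSTS = {"ipinfo.io", "freegeoip.net", "ip-api.com"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """key=value line -> dict, with surrounding quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def classify(event):
    """Names of the indicators from the post that one event matches."""
    hits = []
    if event.get("type") == "process":
        m = APPDATA_GUID_DIR.search(event.get("image", ""))
        if m:
            hits.append("exe_in_appdata_guid_dir")
            if m.group("name").lower() in SYSTEM_LOOKALIKE_NAMES:
                hits.append("system_lookalike_name")
    elif event.get("type") == "network":
        try:
            dst = ipaddress.ip_address(event.get("dst", ""))
        except ValueError:
            dst = None  # malformed or missing address: no range check
        if (dst is not None and dst in SCAN_RANGE
                and event.get("proto", "").upper() == "UDP"
                and event.get("dport") == SCAN_PORT):
            hits.append("udp_6892_to_85.93.0.0/18")
        if event.get("host", "").lower() in GEOIP_HOSTS:
            hits.append("public_ip_lookup")
    return hits


def hunt(lines):
    """Collect hits per pid; a pid is a suspect when it shows the on-disk
    placement plus at least one of the network behaviours."""
    per_pid = {}
    for line in lines:
        ev = parse_event(line)
        for h in classify(ev):
            per_pid.setdefault(ev.get("pid", "?"), set()).add(h)
    suspects = {
        pid for pid, hits in per_pid.items()
        if "exe_in_appdata_guid_dir" in hits
        and hits & {"udp_6892_to_85.93.0.0/18", "public_ip_lookup"}
    }
    return per_pid, suspects


# Constructed sample log (not real telemetry): pid 4012 mimics the post's
# description; pid 700 is the genuine svchost; 85.93.70.2 is outside the /18.
SAMPLE_LOG = r'''
type=process pid=4012 image="C:\Users\alice\AppData\Roaming\{915B610A-3A50-EC83-B668-A1F2716850AF}\svchost.exe"
type=network pid=4012 proto=TCP dst=203.0.113.10 dport=80 host=ipinfo.io
type=network pid=4012 proto=UDP dst=85.93.17.44 dport=6892
type=network pid=4012 proto=UDP dst=85.93.70.2 dport=6892
type=process pid=700 image="C:\Windows\System32\svchost.exe"
type=network pid=700 proto=TCP dst=203.0.113.20 dport=443 host=update.example
'''.strip().splitlines()

if __name__ == "__main__":
    per_pid, suspects = hunt(SAMPLE_LOG)
    for pid in sorted(per_pid):
        print(pid, sorted(per_pid[pid]), "SUSPECT" if pid in suspects else "")
```

The genuine `C:\Windows\System32\svchost.exe` never matches because the path check is on the AppData\Roaming\{GUID} location, not the file name alone; the name only adds weight once the location has already matched. Requiring the on-disk placement plus a network indicator before calling a process a suspect keeps a lone public-IP lookup by a legitimate program from firing on its own.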

#3 jcgriff2

jcgriff2

  • BSOD Kernel Dump Expert
  • 1,081 posts
  • OFFLINE
  • Gender:Male
  • Location:New Jersey Shore
  • Local time:04:51 PM

Posted 02 June 2016 - 08:29 PM

Welcome to Bleeping Computer Forums!


Microsoft MVP 2009-2015
Microsoft Windows Insider MVP 2018 - Present



