Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

.fware linux php ransomware, restore corrupted mysql data files


  • Please log in to reply
5 replies to this topic

#1 antoinek

antoinek

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:11:00 AM

Posted 21 June 2017 - 12:52 PM

Hello everyone,

 

my web server got infected by some sort of ransomware (not sure how it got in, but the machine was running older versions of apache/php). What I found were lots of README_FOR_UNLOCK.txt, ware.php, and .htaccess files, and the encrypted files (php source, some git repo files, mysql data files) had .fware extensions. After some digging I found the encryption php script (cli.php), and after some time I managed to de-obfuscate the source and figure out the (luckily) deterministic encryption key and managed to write a script for decrypting files. (I'm happy to provide the original scripts as well as my decryption scripts in case someone is interested.)

 

This seems to work fine for text files, but I did run into some issues with binary files in particular mysql database files that are pretty heavily corrupted. The reason seems to be that the code applies trim() to the file contents before encryption, removing any combination of bytes 0x00, 0x09, 0x0A, 0x0B, 0x0D, 0x20 at the beginning and end of the file, losing all that information. Since the files don't just have some random corrupted bytes somewhere, but missing pre-fixes and suffixes this understandably confuses the standard mysql tools quite a bit.

 

So my question is does anyone have experience recovering mysql files from something like this, and/or suggestions for how to go about recovering as much data as reasonably possible?

 

Thank you in advance

Antoine



BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,391 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:00 PM

Posted 21 June 2017 - 03:33 PM

KimcilWare Ransomware uses files named README_FOR_UNLOCK.txt but it is an older ransomware infection and I do not believe it ever used the .fware extension.

Did you submit any samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation? Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 antoinek

antoinek
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:11:00 AM

Posted 21 June 2017 - 04:07 PM

Thanks for your reply! From what I remember (I can double check later today when I get home) it came back as KimcilWare based on the filename. But looking at the source it looks a bit different from what I found online (https://blog.fortinet.com/2016/04/01/kimcilware-ransomware-how-to-decrypt-encrypted-files-and-who-is-behind-it). The key generation is completely different (it basically just uses the hostname) and the code looks pretty similar to this: https://github.com/bug7sec/Ransomware/blob/master/v2/AwesomeWare.php (same class/function names, but it does use RIJNDAEL 256 with EBC). At this point I'm less concerned with identifying it since I've already decrypted the files, but again I'm happy to provide the source if anyone is curious.

 

My concern is how to deal with the corrupted files after decryption because of the use of trim on the clear text before encryption.


Edited by antoinek, 21 June 2017 - 04:07 PM.


#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,391 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:00 PM

Posted 21 June 2017 - 04:25 PM


How to deal with the corrupted files after decryption is more of a question for one of our crypto malware experts. Hopefully, one of them will see this topic and reply.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#5 antoinek

antoinek
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:11:00 AM

Posted 23 June 2017 - 01:39 PM

Is this the right forum for this then, or do you have another suggestion of where I should try?

 

Thanks



#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,391 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:00 PM

Posted 23 June 2017 - 02:39 PM

This is the correct forum. If no one replies, that usually indicates they have no helpful information or cannot assist at this time.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users