
Assistance needed for writing manual ransomware recovery software.


10 replies to this topic

#1 FastCode
  • Members
  • 26 posts
  • OFFLINE
  • Local time:08:03 PM

Posted 03 September 2017 - 10:13 AM

Hi,

Backstory:

I design/write applications, do database work, network security, database security, and anything related, so I was called when my friend got hit with 'crysis.6/dharma.onion' a few weeks ago, and it took me about 5 days to recover his data. Hooray, not really: the guys who wrote the software for him didn't have the executable matching his database (lolwut, yes, me too), but hey, I got the db, the data was intact, at least we could read it.

TL;DR For a friend, I did the math on paper and came up with a way to repair the files with minimal damage.

 

What I did afterwards:

And then wrote a small piece of software that could automate some of the steps; it was hardcoded for MSSQL database mdf files hit with dharma.

After receiving a lot of emails from a lot of people asking for help (100+ emails exchanged, who knew) and having to turn away some of them because of lack of time, I decided I could write another program for a wider range of ransomware, capable of doing a little more.

 

Why:

Some people are probably screaming in their mind right now that such software already exists, the answer is yes and no, the current software uses 'published'(crysis) or 'recovered' decryption keys, uses 'flaws'(rand(time()); lol) in the ransomware, or tries to recover keys from memory(wannacry).

 

How:

What I have in mind is repairing specific types of files with valuable data in a case by case manner with user intervention using either older backups as a reference and/or doing educated guesses about the file structure.

 

What:

What file types are Windows people using these days? (sorry, I'm a Linux guy)

First we need a database of files both not encrypted and encrypted with different malware and as much information about them as possible, like their path, their original content and such.

 

Where:

The project will be put on GitHub with the Affero GPL license. I don't want to give anyone false hope, but I'll do my best; not a single line of code has been written yet, because I need to study the files first.

 

Donations for when I release the software, since I can't have a signature yet: 36YxSK68nZKGzctwcuVWp5vBnV1PjsLuTk

 

Final request: As much as I love applause and approval, please don't post 'me too', 'yes, please', ...; we all know how we feel. Just post your samples here or PM them to me if they're confidential and you don't want them out in the open.


Edited by FastCode, 03 September 2017 - 12:58 PM.




#2 MarkInBucks
  • Members
  • 12 posts
  • OFFLINE

Posted 04 September 2017 - 11:16 AM

I will rally some files, encrypted and unencrypted (recovered from backup).
Where do I upload them to?



#3 Demonslay335
    Ransomware Hunter
  • Security Colleague
  • 3,511 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:10:33 AM

Posted 04 September 2017 - 12:33 PM

An in-depth knowledge of each file format would be required of course to get anywhere with such a project, as you'd be trying to recreate the headers from scratch. You also are relying on certain strains of ransomware that do not encrypt the full file, which isn't always the case of course. Usually the main reason database files can sometimes be recovered is because the first few KB are generally just 0's and metadata. You have to really rely on the malware not destroying just enough of the file to make sense of the rest.

 

Usually there are file repair tools out there for most common formats. I've not used many to any extent personally (except .pst repair tools, but only from genuine corruption), but I just want to make sure you aren't re-inventing the wheel here.

 

The difference may be if you are open-sourcing it though, and making it modular to add additional formats in the future. Most recovery tools are paid, or have limitations (e.g. under 10MB, or limit one file).


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#4 FastCode
  • Topic Starter
  • Members
  • 26 posts
  • OFFLINE
  • Local time:08:03 PM

Posted 04 September 2017 - 04:24 PM

> I will rally some files, encrypted and unencrypted (recovered from backup).
> Where do I upload them to?

anywhere is fine, whatever you feel comfortable using.



#5 FastCode
  • Topic Starter
  • Members
  • 26 posts
  • OFFLINE
  • Local time:08:03 PM

Posted 04 September 2017 - 04:49 PM

> An in-depth knowledge of each file format would be required of course to get anywhere with such a project, as you'd be trying to recreate the headers from scratch. You also are relying on certain strains of ransomware that do not encrypt the full file, which isn't always the case of course. Usually the main reason database files can sometimes be recovered is because the first few KB are generally just 0's and metadata. You have to really rely on the malware not destroying just enough of the file to make sense of the rest.
>
> Usually there are file repair tools out there for most common formats. I've not used many to any extent personally (except .pst repair tools, but only from genuine corruption), but I just want to make sure you aren't re-inventing the wheel here.
>
> The difference may be if you are open-sourcing it though, and making it modular to add additional formats in the future. Most recovery tools are paid, or have limitations (e.g. under 10MB, or limit one file).

 

TL;DR: Yes and no, yes, yes, yes, and yes. True, am not. Of course, yes, and that's their business model, otherwise no one would pay.

 

Hi,

 

There are file repair tools, that's true, but they all repair the file that you give them assuming that's the only thing you've got; those damn things don't even allow the user to set the encoding, enter metadata manually or do anything interactively. You literally can't tell a $2000 program that you KNOW that your data is SHLed by 2 bytes, nope, nada.

In the case of ransomware attacks the files are not fully encrypted because that's impossible to do sometimes. You just can't encrypt a 6TB database before you get discovered, so the ransomware writer has to settle for a small portion or stripes or something.

What I'm trying to do here is finding the missing data in the originals/backups to substitute for the corrupted parts, based on file contents (parsing content, or pattern matching, or just manual offsets entered by the user) and malware type (entered by the user or auto-detected).

Yes, but it's not that hard. For example, with the MDF databases that I recovered in the dharma topic I fixed most of the corruptions with just a few cuts and stitches (lol) and only had to change things manually a few times; most people got their data back intact.

And I don't think I need that much in-depth info on formats.

For example, if I want to recover Excel databases, I don't need to know how Office deserializes OOXML; I only need to know where in the XSLT I am and what I need to put before the tags to make the rest of it work. The user may lose a few sheets of data but he gets the rest back; that's a win for a lot of people.

 

I do love modular designs, I will try.

 

Thanks for the questions, I think many others must have had similar questions.


Edited by FastCode, 04 September 2017 - 04:52 PM.


#6 MarkInBucks
  • Members
  • 12 posts
  • OFFLINE

Posted 04 September 2017 - 09:41 PM

 

> I will rally some files, encrypted and unencrypted (recovered from backup).
> Where do I upload them to?
>
> anywhere is fine, whatever you feel comfortable using.

 

Sent DropBox link in PM.
Thanks



#7 RolandJS
  • Members
  • 4,525 posts
  • OFFLINE
  • Gender:Male
  • Location:Austin TX metro area
  • Local time:10:33 AM

Posted 04 September 2017 - 09:53 PM

What will be a challenge: like the military, you do not only want to fight the last war, you want to be able to forecast enough to hopefully be able to hold one's own in the next war. For example, Poland, prior to WWII, had the finest horse/cavalry army in the world. They were more than able to fight any war that used the same tools that were used in previous wars. However, evil Hitler and his generals developed a new war -- blitzkrieg with tanks and troops and whatall, that tragically put an end to the finest horse/cavalry army in the world.


"Take care of thy backups and thy restores shall take care of thee."  -- Ben Franklin revisited.

http://collegecafe.fr.yuku.com/forums/45/Computer-Technologies/

Backup, backup, backup! -- Lady Fitzgerald (w7forums)

Clone or Image often! Backup... -- RockE (WSL)


#8 FastCode
  • Topic Starter
  • Members
  • 26 posts
  • OFFLINE
  • Local time:08:03 PM

Posted 04 September 2017 - 10:46 PM

Mom, get the camera, I've just been godwined. /sarcasm

Seriously, I just said what I'm doing, I'm not trying to do the impossible here.



#9 RolandJS
  • Members
  • 4,525 posts
  • OFFLINE
  • Gender:Male
  • Location:Austin TX metro area
  • Local time:10:33 AM

Posted 04 September 2017 - 11:18 PM

> Mom, get the camera, I've just been godwined. /sarcasm -- seriously, I just said what I'm doing, I'm not trying to do the impossible here.

No Godwin or sarcasm intended whatsoever :) I'm just wanting to give you what I thought is a morsel of food for thought, no more, no less. And, good to meet you! a new-found friend :)


Edited by RolandJS, 05 September 2017 - 09:44 PM.


#10 FastCode
  • Topic Starter
  • Members
  • 26 posts
  • OFFLINE
  • Local time:08:03 PM

Posted 05 September 2017 - 02:37 PM

I have some bad news. Apparently the 'dharma.arena' variant encrypts at least 3 stripes of data, from beginning, middle and the end of file.

Each stripe is 256KiB like before. The trailers in the files that were provided by MarkInBucks contain 320 and 274 more bytes of data, which must contain the file path; if the paths (of the larger files) can be provided I can try to understand what more is there, since the paths appear to be encrypted too.

The offsets of the stripes are encoded as little-endian 8-byte integers in the added file trailer.

To see if the number of stripes increases you can check if larger files have a considerably larger encrypted size and how much larger (I don't think a sample is required).

The file trailer is not even word-aligned...

 

These are the file lengths and deltas in CSV format (just copy-paste into a .csv file) for anyone else interested:

Encrypted, Original, Difference, mod 256k, Offset lengths subtracted, Offsets
12988852, 12202084, 786768, 336, 320, 00 00 00 00 00 21 10 3E & 00 00 00 00 00 64 30 B6
12010094, 11223372, 786722, 290, 274, 00 00 00 00 00 C4 15 39 & 00 00 00 00 00 4C 41 A7
667746, 667519, 227
563378, 563145, 233
543618, 543384, 234
500802, 500561, 241
179248, 178962, 286
85788, 85504, 284
54722, 54484, 238


Edited by FastCode, 05 September 2017 - 02:45 PM.
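
Two things in the thread lend themselves to a small recovery-side helper: the size arithmetic in the table above (whole 256KiB stripes plus a variable-length trailer) and the approach from post #5 of diffing a damaged file against a clean backup to find which parts were overwritten. The Python below is an added example, not FastCode's program or anything posted in the thread; it assumes you hold an unmodified backup copy to compare against, and that the first stripe needs no stored offset (so stored offsets = stripes - 1, which is what turns 336 into 320 in the table).

```python
STRIPE = 256 * 1024  # stripe size reported in the thread (256 KiB)

def triage(original_len: int, encrypted_len: int) -> tuple:
    """Reproduce the size arithmetic from the table: how many whole 256 KiB
    stripes the growth accounts for, the remainder, and the remainder minus
    one 8-byte offset per stripe after the first (assumption: the stripe at
    offset 0 needs no stored offset, matching 336 - 16 = 320 in the table)."""
    growth = encrypted_len - original_len
    stripes, remainder = divmod(growth, STRIPE)
    stored_offsets = max(stripes - 1, 0)
    return stripes, remainder, remainder - 8 * stored_offsets

def damaged_regions(original: bytes, encrypted: bytes, block: int = 4096) -> list:
    """Compare a clean backup copy with the damaged file block by block and
    return [start, end) ranges that differ, merging adjacent blocks."""
    regions = []
    for start in range(0, len(original), block):
        end = min(start + block, len(original))
        if original[start:end] != encrypted[start:end]:
            if regions and regions[-1][1] == start:
                regions[-1][1] = end  # extend the current run of damage
            else:
                regions.append([start, end])
    return [tuple(r) for r in regions]

def trailer(original: bytes, encrypted: bytes) -> bytes:
    """Bytes appended beyond the original length, i.e. the added trailer."""
    return encrypted[len(original):]

# Constructed sample (not real ransomware output): a 1 MiB "backup" with a
# varying byte pattern, and a damaged copy in which the second 256 KiB stripe
# was overwritten with filler and a 40-byte trailer was appended.
SAMPLE_ORIGINAL = bytes(i % 251 for i in range(1024 * 1024))
_damaged = bytearray(SAMPLE_ORIGINAL)
_damaged[STRIPE:2 * STRIPE] = b"\xa5" * STRIPE
SAMPLE_DAMAGED = bytes(_damaged) + b"\x00" * 40

if __name__ == "__main__":
    print(triage(12202084, 12988852))   # sizes from the first table row
    print(damaged_regions(SAMPLE_ORIGINAL, SAMPLE_DAMAGED))
    print(len(trailer(SAMPLE_ORIGINAL, SAMPLE_DAMAGED)))
```

For the small files in the table triage() reports zero whole stripes, so the entire growth is trailer; the blockwise diff is what tells you whether such a file was encrypted in place.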


#11 JaCKeSito
  • Members
  • 3 posts
  • OFFLINE
  • Local time:12:33 PM

Posted 06 September 2017 - 06:57 AM

I was infected via the RDP port with the DHARMA / CRYSIS variant.

The files were renamed with the ".cesar" extension.

Got the .zip backups back with the WinRAR repair tool. Recovered 99%!

I sent an email to the account spiderlock@cock.li and they returned a decrypted file.

Attached the original file and the decrypted one for analysis (105KB).

Thanks!

Edited by JaCKeSito, 06 September 2017 - 06:58 AM.




