A new ransomware family was snuffed in its crib today after security researchers tracked it down, analyzed its source code for weaknesses, and released a decrypter in less than 24 hours.
Discovered by MalwareHunterTeam and _operations6_, first signs of this threat appeared yesterday evening when a spam campaign started distributing Word files that would download and install the ransomware on users' computers.
The ransomware, named Marlboro, comes with separate versions for 32-bit and 64-bit systems, which is the first time we've seen ransomware drop two separate installers depending on the target's architecture. Other malware, such as backdoor trojans, banking trojans, or PoS malware employ this technique quite often.
Marlboro's downloaders are fetched from free hosting accounts, which have been suspended in the meantime. Despite the use of free hosting to store the Marlboro binaries, a researcher who wanted to remain anonymous said the "[spam] campaign was really well crafted," as the threat actor appeared to have more knowledge of spam distribution methods than of malware coding.
Marlboro uses XOR encryption to encrypt the user's files. All encrypted files will be renamed and will receive an extra ".oops" extension at the end. For example, a file named "image.png" will be renamed to "image.png.oops".
After the encryption process ends, the ransomware drops and opens a ransom note on the user's computer. This file is named "_HELP_Recover_Files_.html" and is pictured below.
The ransom note alleges that the Marlboro ransomware uses a strong combination of AES and RSA encryption to lock the user's files. This is a lie.
The ransomware also drops a second file on the user's desktop, which is a decrypter created by the Marlboro author himself. This file is named "deMarlboro", which is also where the ransomware's name comes from.
The decrypter works by checking the crook's server for a ransom payment and then starting the decryption process. The decrypter also contains a human operator challenge to block users from spamming the author's server with requests.
First victims appeared today when infected users started uploading their ransom notes and encrypted files on the ID-Ransomware service that helps users identify the ransomware that locked their files.
According to current statistics, only Serbian and Croatian users appear to have been targeted by Marlboro's first wave. According to MalwareHunterTeam, the emails have been spoofed to disguise them as emails from Maxi, a local store chain. The company has put out a message warning users to not open any files they received from Maxi emails.
The good news is that security researchers quickly identified a problem with the ransomware's encryption routine and created a free decrypter to help victims recover their files.
The decrypter, created by Emsisoft CTO and security researcher Fabian Wosar, is available via the Emsisoft website. Wosar was quick to identify several bugs in the ransomware's mode of operation.
"Due to a bug in the malware's code, the malware will truncate up to the last 7 bytes from files it encrypts," the researcher said. "It is, unfortunately, impossible for the decrypter to reconstruct these bytes." Nevertheless, for some files those bytes are insignificant and won't mangle their content.
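The two weaknesses described above, the XOR encryption and the truncated tail, are easiest to see in a small model. This is an added educational example, not code from the article, from Emsisoft's decrypter or from the malware itself; the key length (16 bytes), the 8-byte-block truncation model and the sample file contents are constructed assumptions, not details of Marlboro.

```python
# Added example (not the article's or the malware's code): why a repeating-key
# XOR "cipher" gives a decrypter a way in. One key reused across files is broken
# as soon as the victim has any single file in both plain and encrypted form.
# KEY_LEN, the BLOCK truncation model and the sample files are assumptions.
import itertools
import os

KEY_LEN = 16
BLOCK = 8  # assumption: the buggy encryptor drops the trailing partial block,
           # losing up to BLOCK - 1 = 7 bytes, the figure quoted in the article

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))

def buggy_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Model of the flawed encryptor: XOR, then lose the trailing partial block."""
    kept = len(plaintext) - len(plaintext) % BLOCK
    return xor_bytes(plaintext[:kept], key)

def recover_key(original: bytes, encrypted: bytes) -> bytes:
    """Known-plaintext recovery: C xor P yields the key byte for byte.
    Needs only KEY_LEN bytes of one file the victim still has unencrypted."""
    if len(encrypted) < KEY_LEN or len(original) < KEY_LEN:
        raise ValueError("need at least KEY_LEN bytes of both versions")
    return bytes(c ^ p for c, p in zip(encrypted[:KEY_LEN], original[:KEY_LEN]))

def decrypt_with_key(encrypted: bytes, key: bytes) -> bytes:
    """Undo the XOR. The truncated tail is gone and cannot be reconstructed."""
    return xor_bytes(encrypted, key)

def demo() -> dict:
    key = os.urandom(KEY_LEN)                        # the crook's secret key
    known = b"%PDF-1.4\n" + b"A" * 40 + b"\n%%EOF"   # constructed: victim kept a copy
    target = b"\x89PNG\r\n\x1a\n" + bytes(range(100)) + b"IEND\xaeB`\x82"
    enc_known = buggy_encrypt(known, key)
    enc_target = buggy_encrypt(target, key)
    recovered_key = recover_key(known, enc_known)    # no payment needed
    recovered = decrypt_with_key(enc_target, recovered_key)
    return {
        "key_recovered": recovered_key == key,
        "bytes_lost": len(target) - len(recovered),  # 116 % 8 = 4 bytes gone
        "prefix_intact": target.startswith(recovered),
    }
```

The recovered PNG loses its last four bytes here, which for this file means a damaged IEND chunk, illustrating the author's point that the missing tail matters for some formats and not for others.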
The overall quality of the Marlboro ransomware source code is low, according to both MalwareHunterTeam and Wosar. In fact, some of the ransomware's inner guts appear to have been put together using code borrowed from StackOverflow's C++ section.
Marlboro seems to be done by a Stack Overflow C++ reader. Why the hell do you need boost to do a simple XOR? Script kiddies these days ... — Fabian Wosar (@fwosar) January 12, 2017
Word File: a2cf2ccc1d4a71ead386156b8c39a4f6240068cf9af485513284bf98662ae9b3
Downloader: a95d7606d17b221bca0960d04bffdc5ff1585ca13a2511bbf5347a732a3a025c
32-bit Binary: b5c37f3cf90026a815925aa4d53882823221c97127a378f0beb1b8276686caad
64-bit Binary: 1392f228397b8df531194c6c8945b83a02138e150a17483bb298c6168cbd50e9