Crypto-Ransomware: Russian Style. Large-scale Research on Russian Ransomware

Nowadays, the Russian segment of the Web is not dominated by CryptoWall or CTB-Locker. Instead, Russia has seen the formation of an "ecosystem" of other ransom trojans, which generally don't enter the global arena. Today we will learn about some of them and, as a bonus, briefly run through some "fashionable" trends in global ransomware.

Common patterns

  • Most Russian ransomware trojans, unlike their publicity-seeking foreign colleagues (CryptoLocker, CryptoWall, TorrentLocker, TeslaCrypt), do not parade their names.
  • Trojan creators often use "simple" development tools, ready-made encryption utilities, sometimes even simple archiving utilities, which suggests that malware writers may not be very skilled. Naturally, this rule has some exceptions.

Trojan-Ransom.Win32.Rakhni

Also known as Trojan.Encoder.398 and Win32/Filecoder.NDE; its original name is unknown. This trojan first appeared in 2013 (which could be considered the year of ransomware, as that was the year when their number skyrocketed). Since then, Rakhni has seen some major changes, but let's not delve into history and instead look closer at a modern sample discovered in September 2015.

This trojan is usually distributed unpacked. If we open the file in Hiew (Fig. 1), we immediately see the traditional frightening phrases, the attacker's email address and the list of extensions used to search for files. An experienced user will see that the file was written in Delphi (well, who said they don't use Delphi for coding any more? :) – Editor); you can check this with PEiD, Detect It Easy or any other convenient tool. The strings at the end of the file also make it easy to discover that DCPCrypt2 was used, so we can guess that the crypto-algorithm implementation was taken from there (later, this guess turned out to be correct).

Fig. 1. Rakhni sample as seen in Hiew

Interactive Delphi Reconstructor (IDR) is a convenient tool for analysing samples created using Delphi; you can study the sample right there or generate an IDC script for subsequent import into IDA. IDR recognizes most library functions correctly, so let's skip the routine static analysis and jump to the most interesting part: the results.

Searching for files to encrypt

The trojan walks the connected disks, searches for files using the extension list and saves their paths, encrypted, into the text file %TEMP%\allfiles.list. The paths are encrypted using the Blowfish algorithm in CFB-8 mode; the SHA1 hash of the string "lklaljga" found in the body is used as the key. The total number of files found is saved in a global variable.

Communication with the command server

After all the files with the required extensions are found, the trojan sends a request to the C&C:

Here, install-id is a string generated from the names of the user and the machine, and num-files is the number of files to be encrypted.

The server responds with a string of data in JSON format.

If the C&C does not respond, the trojan does not stop operating; instead, it uses 1 of the 4 variants of this JSON config contained in its body.

File encryption

Rakhni reads the previously generated %TEMP%\allfiles.list file with the list of paths, decrypts each line and processes the respective file. Data from the JSON configuration is used to select one of 18 ciphers:

  • Blowfish
  • Cast128
  • Cast256
  • DES
  • GOST
  • ICE
  • IDEA
  • MARS
  • MISTY1
  • 3DES
  • RC4
  • RC5
  • RC6
  • Rijndael (basis of AES standard)
  • Serpent
  • TEA
  • Twofish
  • RC2

and one of 9 hashes:

  • SHA1
  • SHA256
  • SHA512
  • MD4
  • MD5
  • HAVAL
  • RIPEMD128
  • RIPEMD160
  • Tiger

Then a salt of preset length is generated and the password from the config is hashed with the salt; the result is used as the key for the selected cipher. A new IV is generated each time (like the salt, it is subsequently saved at the beginning of the encrypted file). The content of each file is then encrypted in the selected mode (CBC, CFB-8, CFB, OFB or CTR).

However, the modern Rakhni sample does not stop here. To make an even bigger mess, it also encrypts the file name: it uses the Ct, Ht and KeyStr config fields as encryption parameters, hashes without salt, and uses the CFB-8 cipher mode. It then encodes the resulting byte array in base64 and sometimes replaces "/" symbols with the string "{slash}". In the end, the encrypted file gets a name which resembles the following:

The trojan saves the attacker's demands in How_To_Decipher_Files.html files.
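The on-disk artifacts named above (the allfiles.list work file, the How_To_Decipher_Files.html note and the "{slash}" substitution in renamed files) can be turned into a triage pass over a file listing. This is an added example, not code from the original article or from the sample; the 16-symbol minimum run length, the function names and the sample paths are assumptions, and the full renamed-file format is not reproduced on this page, so only the base64 run itself is matched.

```python
import base64
import re
from collections import defaultdict
from pathlib import PureWindowsPath

RANSOM_NOTE = "how_to_decipher_files.html"  # note name from the article
PATH_LIST = "allfiles.list"                 # work file the article places in %TEMP%
SLASH_TOKEN = "{slash}"                     # replaces "/", which Windows names cannot hold
# Assumption: a run of 16+ base64 symbols; the article does not state a length.
B64_RUN = re.compile(r"(?:[A-Za-z0-9+]|\{slash\}){16,}")

def looks_like_encrypted_name(name):
    """True if the name holds a decodable base64 run that uses the {slash} token."""
    for match in B64_RUN.finditer(name):
        run = match.group(0)
        if SLASH_TOKEN not in run:
            continue  # plain base64-looking names are too common to flag alone
        restored = run.replace(SLASH_TOKEN, "/")
        restored += "=" * (-len(restored) % 4)  # re-add stripped padding
        try:
            base64.b64decode(restored, validate=True)
            return True
        except ValueError:  # binascii.Error subclasses ValueError
            continue
    return False

def triage(paths):
    """Group indicator hits by directory for an iterable of Windows paths."""
    report = defaultdict(lambda: {"notes": 0, "encrypted": 0, "path_list": False})
    for raw in paths:
        p = PureWindowsPath(raw)
        folder, name = str(p.parent), p.name.lower()
        if name == RANSOM_NOTE:
            report[folder]["notes"] += 1
        elif name == PATH_LIST and "temp" in (part.lower() for part in p.parts):
            report[folder]["path_list"] = True
        elif looks_like_encrypted_name(p.name):
            report[folder]["encrypted"] += 1
    return dict(report)

# Constructed sample listing (not taken from a real incident).
SAMPLE_LISTING = [
    r"C:\Users\alice\AppData\Local\Temp\allfiles.list",
    r"C:\Users\alice\Documents\How_To_Decipher_Files.html",
    r"C:\Users\alice\Documents\q3Vf{slash}9xK2+LmZ0aTR7pQw8dYH1sA",
    r"C:\Users\alice\Documents\budget-2015.xlsx",
]
if __name__ == "__main__":
    for folder, hits in triage(SAMPLE_LISTING).items():
        print(folder, hits)
```

Because the substitution happens only "sometimes", renamed files whose base64 contained no "/" are not counted individually; the ransom note in the same directory is what marks those folders.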

Other features

Like a lot of crypto-ransomware, Rakhni deletes shadow copies, but does it in an unusual way. It drops a VBS script on the disk and launches it; the script, in turn, sends a request to WMI (Win32_ShadowCopy class) to delete the available previous file versions. Why is it done like that? Probably because the author is trying to fool proactive antivirus detection.
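The chain described above (a process drops a .vbs file, a script host runs it, and that script host touches Win32_ShadowCopy through WMI) can be detected by correlating the three steps rather than matching any single command line. This is an added example, not code from the original article; the event schema, field names, process names and PIDs are a constructed, hypothetical normalization and do not correspond to a specific log source.

```python
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

def detect_shadowcopy_wipe(events):
    """Alert when a script host deletes Win32_ShadowCopy instances via WMI."""
    dropped = {}    # script path (lower-case) -> pid of the process that wrote it
    host_pids = {}  # script-host pid -> (script path, launched by its own dropper?)
    alerts = []
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["type"] == "file_create" and ev["target"].lower().endswith(".vbs"):
            dropped[ev["target"].lower()] = ev["pid"]
        elif ev["type"] == "process_create" and ev["image"].lower() in SCRIPT_HOSTS:
            cmd = ev["cmdline"].lower()
            script = next((p for p in dropped if p in cmd), None)
            self_dropped = script is not None and dropped[script] == ev["ppid"]
            host_pids[ev["pid"]] = (script, self_dropped)
        elif (ev["type"] == "wmi_operation"
              and ev["wmi_class"].lower() == "win32_shadowcopy"
              and ev["operation"] == "delete"
              and ev["pid"] in host_pids):
            script, self_dropped = host_pids[ev["pid"]]
            # Full drop -> launch -> delete chain is high; script host alone is medium.
            alerts.append({"pid": ev["pid"], "script": script,
                           "severity": "high" if self_dropped else "medium"})
    return alerts

# Constructed events in a hypothetical normalized schema.
EVENTS = [
    {"t": 1, "type": "file_create", "pid": 4120, "image": "invoice.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\a1.vbs"},
    {"t": 2, "type": "process_create", "pid": 4388, "ppid": 4120, "image": "wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\a1.vbs"'},
    {"t": 3, "type": "wmi_operation", "pid": 4388,
     "wmi_class": "Win32_ShadowCopy", "operation": "delete"},
    # Benign: a backup agent that only enumerates shadow copies.
    {"t": 4, "type": "wmi_operation", "pid": 900,
     "wmi_class": "Win32_ShadowCopy", "operation": "query"},
]
if __name__ == "__main__":
    print(detect_shadowcopy_wipe(EVENTS))
```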

Trojan-Ransom.Win32.Cryakl

Other names: Ransom:Win32/Simlosap.A, Trojan.Encoder.567, Win32/Filecoder.CQ.

A year ago, Kaspersky Lab published an analysis of the version of this trojan that was available at that time. We will now look at a modern sample and see what has changed in the intervening months.

Cryakl is usually distributed packed. I came across samples packed with Armadillo, but lately a self-written packer based on Visual Basic has been used more often. It isn't very sophisticated: it decrypts the payload in the form of the original PE, starts a copy of its own process and injects the target code into it.

The packer is removed trivially: we set a breakpoint on CreateProcess and, when it triggers, search for a memory region with RW rights, about 400 KB in size and usually located below the addresses at which system DLLs are mapped. Fig. 2 shows that this region contains something which resembles a PE file. We dump the region and extract the untouched original PE.

Fig. 2. Removing the VB packer

Let's look at the unpacked sample, use the available tools to determine the compiler (Delphi 6.0-7.0 produced in 2001-2002!), and load the file into IDR, IDA or another tool for static analysis. The strings FGIntPrimeGeneration, FGInt and FGIntRSA contained within the body suggest that the trojan uses a third-party RSA implementation. The sources of the FGInt library, which can be found using any search engine, help the analysis process significantly. By the way, the RSA implementation in this library leads us to reflect on the world's fate, as work with large numbers in the RSAEncrypt procedure is performed using a string representation in the binary system (i.e., instead of the number 0x123, the library will work with the string "100100011" = "\x31\x30\x30\x31\x30\x30\x30\x31\x31").

Key generation

After initialization, the trojan generates an infection ID in the format id = <random line>-<date and time>@<random number>, as well as several keys for different algorithms:
