Heres a ransomware story with a difference.
The sample we studied in this article is detected by Sophos products as Troj/Ransom-FXO, but youll also hear it called Vcrypt after the filename extension used by the malware.
Neither of those monikers is how it describes itself, of course it installs itself with the harmless-looking name video_driver.exe and claims to be just that, a video driver:
The bad news is that whoever wrote this malware decided to be doubly destructive: it scrambles the files on your C: drive using a secret decryption key, but it wipes out the files on all your other drives, looping through all the letters A: to Z: except C:, issuing commands to delete all the files and directories it can find.
The good news is that the programmer of Ransom-FXO didnt take much care over the encryption part, and used a hardcoded cryptographic key that can fairly easily be extracted from the malware file.
Actually, that bit of good news is just as well, because theres no way to buy back the unscrambling key.
Unusually, the criminal behind this attack didnt use Tor or the dark web to host the buy page where you find out how much its going to cost and where to send the bitcoins
they used a regular web page on a free hosting service that has now removed the offending content, so you couldnt negotiate for the password even if you wanted to.
Ransom-FXO is unusual because although the ransomware itself is written in C, it doesnt use its own C code to do the encryption.
If youre a Naked Security podcast listener (if you arent yet, please give it a try!), youll probably remember that a few episodes back we discussed a concept we wryly referred to as malwareless ransomware.
Click-and-drag on the soundwaves below to skip to any point in the podcast.
In the case we discussed in the podcast (jump to 1343 for the section on ransomware) the encryption was carried out by hand by crooks who were already able to logon to the victims network and run commands as if they were genuine sysadmins.
That attack saw the crooks using a free and open source full-disk encryption program called DiskCryptor, leaving you stuck at a password prompt you werent expecting and for which you didnt know the access code when you next rebooted your computer.
In the Ransom-FXO sample, the author used the free file archiving tool 7-Zip for the encryption, so that all the video_drive.exe ransomware program has to do is call the Windows system() function to run the 7-Zip program as a operating system command, just as if youd typed it in yourself at a Windows command prompt.
This makes the main part of the ransomware very simple, as you can see from this directory listing taken after the ransomware had installed itself in order to launch its attack:
The malware copies itself to your %TEMP% folder (which is where temporary files typically go), as you see above, and is 794KB in size.
However, 733KB of the video_driver.exe consists of a copy of the mod_01.exe file that the malware extracts into a program of its own at the start, so that it can call on it later.
The mod_01.exe file is simply a pirated copy of the 7-Zip archiving and compression program, which lets you package entire directory structures into individual archive files, optionally encrypting them using the AES algorithm.
Stripped of the copy of 7-Zip bundled into it, the video_driver.exe is incredibly simple.
Almost all it does is to start two threads of execution that run side-by-side, each running a sequence of system() commands over and over again via the built-in Windows cmd.exe program:
The first thread repeatedly does the following:
The author left out the C: drive from the list of drives to wipe because thats where the other thread looks for files to scramble.
You can see what seem to be two fortuitous mistakes above.
The B: drive (if there is one, which is admittedly unlikely these days) doesnt get wiped because the programmer checks for the existence of B: but then wipes the A: drive again in the second part of the line.
And the F: drive was omitted altogether were assuming that was a copy-and-paste blunder rather than that the criminal had in mind to spare that particular content.
The second thread repeatedly runs a sequence of commands that are stored inside the malware like this:
As weird as that text looks, its actually obfuscated using a good old Caesar cipher, where all the characters are shifted back three places just before the system() command gets called.
Using the ASCII character set as the decryption table for the text above, li moved back three letters gives if, the hash sign (#) turns into a space, and XVHU comes out as USER, and so on.
So, what actually executes is:
As mentioned above, the file %TEMP%mod_01.exe program name seen here refers to the pirated copy of the 7-Zip command brought along by the malware.
You can see the password in the command line above its the text immediately following the command option -p, namely:
There are actually twelve variations of the above command in the malware, each having a go at scrambling one of the folders in this list:
If any of these folders exist and have files in them, their contents end up in encrypted 7-Zip archives with the extension .vcrypt, like this:
In the listing above, you can also see two other files created by the malware: help.html (shown below), which gives you the bad news that your files have been scrambled, and new_background.bmp, which is an all-black rectangle that gloomily replaces your desktop wallpaper for dramatic effect.
The twelve file encrypting commands actually run over and over until you shut down or log out, so that any files you save into one of the above folders after the malware has started running will soon get noticed, added into to the relevant .vcrypt archive, and then deleted.
The malware adds itself to the Windows registry entry as follows:
This means that every time you logon to Windows, the file-deleting-and-encrypting threads start up again in the background.
Thanks to the wallpaper change and the help.html file, youre confronted with a dispriting, all-black Windows desktop with no file icons or shortcuts on it, like this:
Q: Quai til arriv mes fichiers ?A: Tous vos fichiers ont ts chiffrs et placs dans une zone de scurit.Q: Comment rcuprez mes documents !! ?A: Suivez les instructions disponibles via cette page web. Si la page ne souvre pas, veuillez vrifier votre connexion internet.
Q: What happened to my files?A: All your files were encrypted and stored in a secure area.Q: How do I get my documents back !! ?A: Follow the instructions [here]. If you cant open the page, check your internet connection.
As we mentioned above, the web page that is supposed to tell you what to do has been taken down, so checking your internet connection wont help you access it:
Erreur 404 Document non trouv
Error 404 Document not found
You can use an anti-virus program to remove the malware, or stop it running yourself as follows:
You can recover your files by hand by installing the 7-Zip utility and then opening up the .vcrypt files in your home folder one by one.
For example, heres what our deleted Desktop folder looked like, packaged up inside the archive created by the malware, showing the filenames, sizes, and a + sign to denote that the files themselves are encrypted:
(You can view the names of the files in this archive without putting in the password the malware didnt turn on the encrypt filenames option in 7-Zip, so only the file contents are encrypted.)
When you ask 7-Zip to extract the files, a password prompt will pop up.
For the malware sample described here, the password was:
Unfortunately, theres no quick way to get back files deleted from other drive letters than C:
but if youre in the habit of making regular and frequent backups, and of keeping at least one copy offline where it cant be deleted during an attack, you should be able to recover anyway.
Dont delay, do a backup today!
- IoT Security Solution For Encryption Market Growth By Manufacturers, Type And Application, Forecast To 2026 - 3rd Watch News - July 6th, 2020
- Endpoint Encryption Software Market Growth By Manufacturers, Type And Application, Forecast To 2026 - 3rd Watch News - July 6th, 2020
- Global Hardware-based Full Disk Encryption (FDE) Market Report 2020 by Key Players, Types, Applications, Countries, Market Size, Forecast to 2026... - July 6th, 2020
- Explained: WhatApp calls End-to-End Encrypted, but what does it mean for you? - India Today - July 6th, 2020
- The booming business of encrypted tech serving the criminal underworld - Telegraph.co.uk - July 6th, 2020
- Hardware Encryption Devices Consumption Market Growth By Manufacturers, Type And Application, Forecast To 2026 - 3rd Watch News - July 6th, 2020
- Network Encryption Market Growth By Manufacturers, Type And Application, Forecast To 2026 - 3rd Watch News - July 6th, 2020
- Encryption Software Market Worth $20.1 Billion by 2025 - Exclusive Report by MarketsandMarkets - Yahoo Finance - June 18th, 2020
- Zoom says free users will get end-to-end encryption after all - The Verge - June 18th, 2020
- Zoom To Offer End-To-End Encryption For Video Calls, Trials To Start In July - NDTV - June 18th, 2020
- Encryption Software Market 2020-2025: Types, Services, Cost Structure, Application, Statistics, Emerging Trends And Regional Analysis - Owned - June 18th, 2020
- Zoom to offer end-to-end encryption for all users, trial to begin in July - Reuters India - June 18th, 2020
- Cloud Encryption Market Will Generate Massive Revenue In Future- A Comprehensive Study On Key Players - Surfacing Magazine - June 18th, 2020
- Global Cloud Encryption Gateways Market Research with COVID-19 After Effects - Cole of Duty - June 18th, 2020
- Encryption Software Market 2020 By Trends, Demand, Business Opportunities, Development Factors, Applications, Overview with Competitive landscape... - June 14th, 2020
- IMPACT OF COVID-19 ON Encryption Key Management Software RESEARCH, GROWTH TRENDS AND COMPETITIVE ANALYSIS 2020-2026 - Cole of Duty - June 14th, 2020
- Move over Zoom, this encryption company just released the first fully end to end encrypted conferencing solution #105518 - New Kerala - June 14th, 2020
- Cloud Encryption Software Market to witness high growth in near future - GroundAlerts.com - June 14th, 2020
- Three secure ways to surf the internet - Gadgets Now - June 14th, 2020
- Will Zoom Bring Encryption to the People Who Need It Most? - EFF - June 13th, 2020
- Encryption Software Market Size Scope and Comprehensive Analysis by 2028 - 3rd Watch News - June 13th, 2020
- Federal-grade encryption from the comfort of home - GCN.com - June 13th, 2020
- Hardware-based Full Disk Encryption Market Growth Prospects, Revenue, Key Vendors, Growth Rate and Forecast To 2026 - Jewish Life News - June 13th, 2020
- Congress introduces EARN IT Act, which would end encryption programs but violates the Constitution - NationofChange - June 13th, 2020
- IBM kit wants to keep your data encrypted while in use - ITProPortal - June 13th, 2020
- Commercial Encryption Software Market Growth Prospects, Revenue, Key Vendors, Growth Rate and Forecast To 2026 - Jewish Life News - June 13th, 2020
- Nearly 500,000 say Congress shouldnt kill encryption with the EARN IT Act - The Daily Dot - June 13th, 2020
- COVID-19, Security and WFH: Myths and Misconceptions - Security Boulevard - June 13th, 2020
- Privacy News Online | Weekly Review: June 12th, 2020 - Privacy News Online - June 13th, 2020
- Global Optical encryption Market Insights and Forecast 2020 to 2025 - Jewish Life News - June 13th, 2020
- Hong Kong is number one in Asia for enterprise encryption, with customer personal information the top data protection priority, reports nCipher... - May 27th, 2020
- Are social giants morally obligated to break encryption? - ACS - May 27th, 2020
- Facebook plot to encrypt ALL chats will help child abusers to hide, former police chief warns - The Sun - May 27th, 2020
- Encryption Software Market To Expand At A Robust 14.27% Cagr Of 2020 | Sophos,McAfee,Check Point Software Technologies,Proofpoint,Trend Micro - 3rd... - May 27th, 2020
- Encryption Software Market Forecast Revised in a New Market Expertz Report as COVID-19 Projected to Hold a Massive Impact on Sales in 2020 | Long-term... - May 27th, 2020
- Global Homomorphic Encryption Market Analysis 2020-2025: by Key Players with Countries, Type, Application and Forecast Till 2025 - Cole of Duty - May 27th, 2020
- COVID-19 Impact ON AES Encryption Software Market: Size, Market Analysis, Application, Growth Drivers, Trends, status and Research Report by 2025 -... - May 27th, 2020
- Cloud Encryption Software Market 2020: Potential growth, attractive valuation make it is a long-term investment | Know the COVID19 Impact | Top... - May 27th, 2020
- Global Encryption Key Management Market 2020 Insights, Key Player's Competition, Trends, Sales, Revenue, Supply, Demand, Growth Analysis and Forecast... - May 27th, 2020
- Starting to look at email security. Looking for guidance - Encryption Methods and Programs - BleepingComputer - May 25th, 2020
- Global Cloud Encryption Technology Market Projected to Reach USD XX.XX billion by 2025- Gemalto, Sophos, Symantec, SkyHigh Networks, Netskope etc. -... - May 25th, 2020
- Impact of Covid-19 on Cloud Encryption Technology Market is Expected to Grow at an active CAGR by Forecast to 2025 | Top Players Gemalto, Sophos,... - May 25th, 2020
- Zoom will seek public feedback on plan for stronger encryption - The Indian Express - May 16th, 2020
- Encryption Software Market Research Report 2020 By Size, Share, Trends, Analysis and Forecast to 2026 - Cole of Duty - May 16th, 2020
- Almost half of organisations have been reported to the ICO for a potential data breach - ResponseSource - May 16th, 2020
- VPN Tunnels explained: what are they and how can they keep your internet data secure - TechRadar - May 16th, 2020
- The Week in Ransomware - May 15th 2020 - REvil targets Trump - BleepingComputer - May 16th, 2020
- WhatsApp Video Calls Will Soon Support 50: This Is Why 8s The Limit For Your Security - Forbes - May 16th, 2020
- How to Use Encryption for Defense in Depth in Native and Browser Apps - InfoQ.com - May 14th, 2020
- Analyzing Encrypted RDP Connections - Security Boulevard - May 14th, 2020
- Analysis on Impact of COVID-19-Global Cloud Encryption Software Market 2020-2024| Increasing Use of In-built Cloud Encryption Solutions to Boost... - May 14th, 2020
- Move over Zoom, this encryption company just released the first fully end to end encrypted conferencing solution - Yahoo Finance - May 14th, 2020
- GovCon Expert Chuck Brooks: Three Steps for Protecting Data in the Public and Private Sectors - GovConWire - May 14th, 2020
- What is the difference between Symmetric and Asymmetric Encryption? - TWCN Tech News - May 14th, 2020
- Encryption Key Management Software Market Growth by Top Companies, Trends by Types and Application, Forecast to 2026 - Cole of Duty - May 14th, 2020
- IoT Security Solution For Encryption Market Growth by Top Companies, Trends by Types and Application, Forecast to 2026 - Cole of Duty - May 14th, 2020
- Mobile Encryption Technology Market Growth by Top Companies, Trends by Types and Application, Forecast to 2026 - Cole of Duty - May 14th, 2020
- Data Encryption Service Market Growth by Top Companies, Trends by Types and Application, Forecast to 2026 - Cole of Duty - May 14th, 2020
- Congress May Hand Bill Barr the Keys to Your Online Life - The New Republic - May 14th, 2020
- DataLocker Sentry K300 8GB Encrypted Thumb Drive Review - TweakTown - May 14th, 2020
- Hardware Encryption Technology Market Growth by Top Companies, Trends by Types and Application, Forecast to 2026 - Cole of Duty - May 14th, 2020
- Global Cloud Encryption Software Market SHARE, SIZE 2020| EMERGING RAPIDLY WITH LATEST TRENDS, GROWTH, REVENUE, DEMAND AND FORECAST TO 2026 -... - May 14th, 2020
- Mobile Encryption Market Growth by Top Companies, Trends by Types and Application, Forecast to 2026 - Cole of Duty - May 14th, 2020
- Hardware Based Encryption Market Growth by Top Companies, Trends by Types and Application, Forecast to 2026 - Cole of Duty - May 14th, 2020
- Email Encryption Software Market Incredible Possibilities, Growth With Industry Study, Detailed Analysis And Forecast To 2025 - Bulletin Line - May 14th, 2020
- Google Duo is coming to the web via Chrome; features Family mode, end-to-end encryption - Moneycontrol - May 14th, 2020
- Global trade impact of the Coronavirus Commercial Encryption Software Market Applications and Company's Active in the Industry Science Market Reports... - May 2nd, 2020
- Email Encryption Market Growth Opportunities, Challenges, Key Companies, Drivers and Forecast to 2026 Cole Reports - Cole of Duty - May 2nd, 2020
- U.S. Hardware Encryption Market (2019 to 2026) - by Algorithm & Standard, Architecture and Field-Programmable Gate Array, Product, Application,... - May 2nd, 2020
- Innovative Encryption Algorithm Developed in South Korea - BusinessKorea - May 2nd, 2020
- Online course trains students in the bizarre world of quantum computing - Livescience.com - May 2nd, 2020
- Encryption Software Market Growth Opportunities, Challenges, Key Companies, Drivers and Forecast to 2026 Cole Reports - Cole of Duty - May 2nd, 2020
- COVID19 impact: Global Cloud Encryption Software Market Trends (Constraints, Drivers, Opportunities, Threats, Challenges, recommendations and... - May 2nd, 2020
- Review of the iStorage datAshur Pro2, an encrypted thumbdrive for home and work - Neowin - May 2nd, 2020
- Kanguru expands encrypted flash drive range with new 256GB options - Geeky Gadgets - May 2nd, 2020
- Global Encryption Management Solutions Market Size |Incredible Possibilities and Growth Analysis and Forecast To 2026 | Check Point Software... - May 2nd, 2020
- The COVIDSafe app was just one contact tracing option. These alternatives guarantee more privacy - The Conversation AU - May 2nd, 2020
- Data Encryption Service Market Detailed Analysis of Current Industry Figures With Forecasts Growth by 2026| Microsoft, IBM, OneNeck - News Log Book - May 2nd, 2020
- ACLU, EFF still trying to get documents unsealed in Facebook encryption case - CyberScoop - April 29th, 2020
- Advanced Encryption Standard (AES): What It Is and How It Works - Security Boulevard - April 29th, 2020