Decrypter Released for New Ransomware
Tuesday, August 30, 2016 @ 09:08 AM gHale
A decrypter released for a newly spotted ransomware family called Alma Locker.
Alma Locker is more advanced than all the other recent ransomware variants released in the past month.
The ransomware ended up discovered by Proofpoint researcher Darien Huss, and first analyzed by Lawrence Abrams.
Alma Locker has already moved to a mass distribution stage using the RIG exploit kit.
Researchers remain unclear as to how the attackers are sending hijacked traffic to the RIG exploit kit landing page. This can be from hacked websites, or from malvertising on legitimate sites.
Alma Locker’s features include a strong encryption system.
As it turns out, malware analysts from PhishLabs discovered a series of weaknesses in the ransomware’s mode of operation, which allowed them to create a file that can allow victims to recover their files without paying the ransom.
The ransomware uses a two-phased approach to locking user files. After Alma Locker starts encrypting files, it communicates with its C&C server, to which it sends AES key in cleartext via HTTP.
AES is a symmetric encryption algorithm, meaning AES key can end up used encryption and decryption. Unless the user stores network activity logs, the decryption key is unobtainable after the encryption process ends.
After the encryption stage ends, the ransomware shows the user a ransom note, with links to a Tor-based website, where the victim can then download a decrypter supplied by the attackers.
Unlike other ransomware variants that provide details in the ransom note, Alma Locker only features links to the decrypter and the Tor Browser.
After the user downloads and starts the Alma Locker decrypter, the user receives more information, such as the Bitcoin address to pay the ransom, which is 1 Bitcoin ($585).
PhishLabs researchers said they identified weaknesses in this decrypter, which is susceptible to a basic Man-in-the-Middle technique. This allowed them to spoof communications from the crooks’ C&C server and gain insight into how their decrypter operates.
This discovery ended up used to craft a file, which allows users to unlock files for free, if the user finds the encryption/decryption key stored in network logs. Click here for a PhishLabs decrypter download.
“The author’s failure to implement any sort of protection or obfuscation into their payload and decrypter alongside the limited network support infrastructure indicate a threat actor new to malware scripting,” said PhishLabs researchers in a post. “Shortly after the payload’s distribution into the wild, the command and control server began responding with a 500 internal server error, leaving victims unable to decrypt their files. The infrastructure surrounding this campaign was not very robust and ultimately resulted in the downfall of Alma Ransomware’s first run. Despite the amateurish nature of Alma Ransomware, this author is not likely to cease production and we should expect to see more from them in the near future.”