Hole Found in Ransomware

Thursday, March 17, 2016 @ 04:03 PM gHale


There is a hole in one version of ransomware that can allow the good guys to decrypt a hijacked computer, researchers said.

That is because there was a flaw in the command and control (C&C) server used by Radamant ransomware.


Radamant is a ransomware kit that has focused on infecting English-speaking users since December 2015, according to InfoArmor researchers.

As of right now, there are at least two known versions of this malware, RDM v.1 and RKK v.2, researchers said.

The ransomware encrypts all data repositories on the infected machine, including the HDD, USB flash drives and shared folders, and uses a unique AES-256 key for each file. That AES-256 key is then encrypted with an RSA-2048 master key and embedded in the target file, so the file cannot be recovered without the matching RSA private key.

Similar to other ransomware, Radamant asks victims to pay a ransom using crypto-currency to receive a special tool containing a decryption key that can unlock and restore their files.

InfoArmor researchers found a method of attacking the attacker. They found the Radamant C&C server could potentially allow them to decrypt victims’ files without requiring user interaction.

This method relies on the Radamant C&C server, which controls all of the infected machines, being driven by a targeted vulnerability exploit to initialize the decryption process, researchers said.

Because the malware operator was not aware of this flaw, the attack has been highly effective, helping thousands of infected victims, the researchers said.

The method involves registering the infected machine with the malware control center via an HTTP POST request. However, this request needs to contain public and private encryption keys, along with a unique identifier of the bot, which must be modified to bypass the server's filter and to avoid triggering any additional vulnerability exploits.

If all the right conditions are met, the user can retrieve the entire database, while the ransomware is left to believe the infected computers paid the ransom. The malicious application then initializes the decryption procedure and restores files to their original state, researchers said.

Once the new bot is registered with the server, a specific HTTP request must be created and executed to change the status of all infected machines to paid and unlock their files. The server-side script automatically searches for the specific bot ID in the database and also updates the bot's last visit time, and it is during the execution of this SQL query that a customized bot identifier can be made to execute unintended commands that change the status of all machines to paid.

As soon as this query executes, every infected computer connected to the Radamant C&C server automatically receives a private key that can be used to decrypt files with specific extensions. The operation can be performed on a large number of bots to activate the process of data decryption without the malware operator being aware of it.
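The class of bug the researchers describe, a last-visit update that splices the client-supplied bot identifier straight into SQL, shown as an added illustration next to the parameterized form and the identifier check a server should apply before any query. This is not the researchers' code or anything from the Radamant panel; the table layout, bot IDs and identifier format are constructed for the example.

```python
import re
import sqlite3

# Constructed sample registry: a tiny stand-in for the bot table a ransomware
# control panel keeps (bot identifier, payment status, last check-in time).
SAMPLE_BOTS = [("bot-0001", "unpaid"), ("bot-0002", "unpaid"), ("bot-0003", "paid")]

# Assumed identifier format (hypothetical): the panel only ever issues IDs matching this.
BOT_ID_RE = re.compile(r"^bot-[0-9]{4}$")


def make_db():
    """Create an in-memory table holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bots (bot_id TEXT PRIMARY KEY, status TEXT, last_seen INTEGER)")
    conn.executemany("INSERT INTO bots VALUES (?, ?, 0)", SAMPLE_BOTS)
    conn.commit()
    return conn


def touch_last_seen_vulnerable(conn, bot_id, now):
    """Last-visit update built by string formatting. The bot identifier is
    trusted verbatim, so anything the client puts in it becomes SQL and can
    change which rows the WHERE clause selects. Returns rows affected."""
    sql = "UPDATE bots SET last_seen = %d WHERE bot_id = '%s'" % (now, bot_id)
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def touch_last_seen_safe(conn, bot_id, now):
    """Same update with bound parameters: the identifier is always data, never
    SQL, so an unknown or malformed ID simply matches no row."""
    cur = conn.execute("UPDATE bots SET last_seen = ? WHERE bot_id = ?", (now, bot_id))
    conn.commit()
    return cur.rowcount


def is_valid_bot_id(bot_id):
    """Allow-list check to run before any query: reject identifiers that do not
    look like ones the panel issued, and log them as tampering attempts."""
    return bool(BOT_ID_RE.match(bot_id))


def last_seen(conn):
    """Snapshot of last_seen per bot, to see which rows an update touched."""
    return dict(conn.execute("SELECT bot_id, last_seen FROM bots"))
```

With a well-formed ID both variants touch exactly one row; with an identifier that contains SQL, the formatted query updates every bot while the parameterized one updates none.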