Ransomware Code Cracked

Friday, February 5, 2016 @ 02:02 PM gHale

New ransomware that hit the scene at the beginning of the new year ended up broken by security researchers.

Researchers at Malwarebytes were able to identify the encryption key so victims will not have to pay the ransom.

Ransomware Targets Android Users
Exploiting a Flaw in Ransomware
OpenSSH Flaw could Leak Private Keys
Ransomware Locks Files, Tosses Key

This new ransomware, named DMA, first appeared in Poland, and its early versions wrote in Polish.

As the ransomware’s authors perfected their code, subsequent versions also added English ransom notes and spread to other countries.

Users can tell if they’ve been infected with the DMA ransomware strain by the presence of an intense red ransom note that asks them for 2 Bitcoin (around $800) to decrypt their files.

After analyzing a few DMA samples, the Malwarebytes security team found this was the work of a beginner. Despite advertising in their ransom note that they used an AES-256 key to encrypt files and then secured that key via an RSA-2048 cipher, researchers found DMA uses a custom crypto algorithm.

Also, the developer did not protect the ransomware against reverse engineering, allowing researchers access to its source code, including all code comments.
But DMA’s main issues aren’t with this or the encryption algorithm, but with the way the encryption key moves around between files.

Usual DMA infections occur by downloading and running a malicious file received via spam email. When the DMA ransomware installs itself via these files, it creates a file called facturax.exe, ends up deleted after the ransomware encrypts all files.

This file contains the encryption key, hard-coded in its binary, and to obtain it, users only have to re-download the malicious file they received via the spam email.

Users can take any hex editor application and analyze the factura.exe file and extract the encryption key used to lock their files. This encryption key is usually at the end of the file.

In most cases, ransomware only encrypts files, and if the user wants to decrypt them, they’ll have to pay the ransom, after which they’ll receive a separate application, called decrypter, which will unlock their files.

This is not the case with the DMA ransomware because its author thought it would be a good idea to embed the decrypter right inside the ransom note, creating dual-mode ransomware that can encrypt and decrypt files from the same source code. This encryption key would normally end up delivered to users via email after they paid the ransom.