Ransomware with a happy ending


Ransomware is certainly a hot topic these days.

That's the sort of malware that locks up your computer, or scrambles your data, and demands a fee to get things back the way they were.

The fee is usually about $300, which is about the same sort of money that fake support call scammers ask for.

Of course, the fake call crooks deliberately lie to you, pretending that you have a virus and then pretending to make it go away.

With ransomware, there's no pretending: the crooks deliberately infect you and then take money off you in return for cleaning up after themselves.

"Computer locking" ransomware

The best known "computer locking" malware is probably Reveton, which pops up the logo of your local police service, accuses you of a crime (e.g. copyright infringement), and imposes a "fine."


Until you pay up, only the browser window containing the payment instructions is visible, glued on top of everything else, stopping you from using other applications and thus keeping you out of your data.

But there's a problem here for the crooks, namely that more and more people now know that this sort of "lock" can be bypassed without paying up.

A clean boot from a rescue CD or USB key, using a tool like Sophos Bootable Anti-Virus, will usually do the trick.

The malware relies on being active to keep you out.

Encryption-based ransomware

Encryption-based ransomware like CryptoLocker is much more troublesome, because it leaves your computer unlocked but takes your data hostage by scrambling it with an encryption key known only to the crooks.

If you remove the malware, you don't get your data back - for that, you need to buy the decryption key off the crooks via some sort of anonymous online payment.

Usually, they ask either for Bitcoins, which are like cash payments once you've transferred them, or for a pre-paid credit card, which they can cash out as if they were their own once you have sent them the card details.

No-one knows quite how much the CryptoLocker crew made before the servers used by the malware were shut down by law enforcement.

But estimates from the UK suggest that about 3% of computer-using Britons were hit by the malware, and 40% of those chose to pay rather than lose their data.

If we take that as $300 per household from 40% of 3% of 10,000,000 UK households with computers, that's $36,000,000 in turnover from the UK alone!

So it's hardly surprising that others are trying their hand at encryption-based ransomware.

But they don't always succeed, as in this case reported to us by SophosLabs.

→ We weren't quite willing to smile (it's not funny, if the truth be told), but we were relieved to see the ineptitude of the crook involved here.

Ransomware in PowerShell

This ransomware is written in PowerShell, Microsoft's answer to scripting tools such as Perl, AWK and Bash that Linux/UNIX administrators take for granted.

PowerShell scripts can easily take advantage of any library functions already available in Windows, without any of the complexity and verbosity often seen in traditional languages such as C and C++.

That includes direct, straightforward access to the Microsoft CryptoAPI for strong cryptography.

Indeed, the whole malware sample (Sophos blocks it as Troj/Ransom-AII) is just 77 lines long.

It's supposed to (or, perhaps better put, it's reasonable to assume the author would have liked it to) do the following:

  • Generate a random AES key.
  • Use this key to scramble the first 42KB of a large list of files on all visible drives, with the AES-CBC cipher plus a randomly created initialisation vector for each file. (That means even two identical files will encrypt differently.)
  • Encrypt the AES key with an RSA public key carried along with the malware.
  • Call home with the RSA-encrypted AES key and a numeric code to identify the victim.
  • Leave behind a file called HOWTODECRYPT.html in every affected directory.
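
A defender's sweep for the HOWTODECRYPT.html notes described in the list above, as an added example that is not from the original article or from SophosLabs. The function name, the 10-minute timestamp window and the sample directory tree are assumptions made for illustration; only the note's file name comes from the article.

```powershell
# Added triage example (not from the article). Only the note name
# HOWTODECRYPT.html comes from the page; everything else is an assumption.
function Find-RansomNoteDirectory {
    param(
        [Parameter(Mandatory)] [string] $Root,
        [string] $NoteName = 'HOWTODECRYPT.html',
        # Assumption: affected files were last written close to the time the
        # note was dropped, i.e. their timestamps were not reset afterwards.
        [int] $WindowMinutes = 10
    )
    Get-ChildItem -LiteralPath $Root -Recurse -File -Filter $NoteName -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $note = $_
            # Files in the same directory written within the window are
            # candidates for restore-from-backup checks.
            $suspects = @(Get-ChildItem -LiteralPath $note.DirectoryName -File -Force |
                Where-Object {
                    $_.Name -ne $NoteName -and
                    [math]::Abs(($_.LastWriteTime - $note.LastWriteTime).TotalMinutes) -le $WindowMinutes
                })
            [pscustomobject]@{
                Directory    = $note.DirectoryName
                NoteWritten  = $note.LastWriteTime
                SuspectCount = $suspects.Count
                SuspectFiles = $suspects.Name
            }
        } | Sort-Object NoteWritten   # earliest note first: where the run began
}

# Constructed sample tree so the function can be tried offline.
$demo = Join-Path ([IO.Path]::GetTempPath()) ("note-sweep-" + [guid]::NewGuid())
$hit  = (New-Item -ItemType Directory -Path (Join-Path $demo 'docs')).FullName
$miss = (New-Item -ItemType Directory -Path (Join-Path $demo 'photos')).FullName
Set-Content -Path (Join-Path $hit 'report.docx') -Value 'constructed'
Set-Content -Path (Join-Path $hit 'old.txt') -Value 'constructed'
# Backdate one file so it falls outside the window and is not flagged.
(Get-Item (Join-Path $hit 'old.txt')).LastWriteTime = (Get-Date).AddDays(-30)
Set-Content -Path (Join-Path $hit 'HOWTODECRYPT.html') -Value 'constructed note'
Set-Content -Path (Join-Path $miss 'cat.jpg') -Value 'constructed'

Find-RansomNoteDirectory -Root $demo | Format-List
Remove-Item -LiteralPath $demo -Recurse -Force
```

Sorting by the note's write time puts the first directory touched at the top, which helps bound the window to check against backups.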

The instructions in the HOWTODECRYPT file tell you to visit a website using the Tor anonymising proxy:


On the extortion site itself, the malware author tries to squeeze you for one Bitcoin (BTC).


That's close to $600 at the current price [2014-06-17] of BTCs, making the author twice as greedy as the CryptoLocker gang were.


The good news is that this malware isn't twice as treacherous as CryptoLocker.

It isn't half, or even a quarter, as tricky.

In fact, if you were to get hit you could unscramble your files yourself, because the author botched up the cryptography completely.

At least, you could unscramble your files if the malware had worked at all in the first place.

But it wouldn't work: the sample we saw was broken, though whether due to the incompetence of the malware author, or due to a bug in some server-side software programmed to generate a customised sample for each potential victim, we shall never know.

A programming blunder made the malware useless.

Fortunately, not every cybercrook in the world is a good coder - let's hope it stays that way.


11 Responses to Ransomware with a happy ending

  1. Wouldn't it be possible to use offensive techniques such as memory scraping to recover the generated AES key in memory (given you have a tool scraping your memory while getting infected)? It would reduce the problem of file recovery to catching the IV.

    • If you have a memory scraping application running, that then doesn't save the data in a file format that the malware would encrypt and you know where to look in memory... then maybe yes

  2. Visitor · 443 days ago

    "crpytography", "PowerShall"?

  3. ridzea · 443 days ago

    "This ransomware is written in PowerShell, Microsoft's answer to scripting tools such as Perl, AWK and Bash..."

    It's not so much an answer as a whole new question: "Instead of endless string parsing, why not interact directly with COM, .NET, and SOAP/XML objects and their members?"

    • Paul Ducklin · 443 days ago

      You have to half-think that Microsoft asked itself, "What could possibly go wrong," because PowerShell scripts are off by default :-)

      • ridzea · 443 days ago

        It's very interesting to see how their automation framework is being used to both good and bad ends, for sure. That the execution policy is defaulted to "restricted" I think is probably to keep curious but idle users from damaging their system. I've seen that attackers generally bypass the execution policy restriction via simple: "powershell.exe -command -executionpolicy bypass". This was a very good move on MS' part.

  4. BR Baker · 443 days ago

    The ransom payments have to go somewhere, why is that not traceable?

    • Paul Ducklin · 443 days ago

      Typically, the payments use Bitcoin transfers, which (done correctly) are as good as anonymous, so there isn't anything to trace.

  5. J Tucker · 442 days ago

    Got hit by this two days ago. Message popped up in Google Chrome stating that I was linked to an FBI site and that I had violated the law by downloading porn and my files were now encrypted. $300 paid at a machine in Walgreen's or Riteaid and I would be able to un-encrypt my files and get my browser unlocked. Needless to say, I didn't pay the $300. I did a restart in safe mode and then did a restore, which got rid of the message. No files were ever encrypted.

  6. Dan · 442 days ago

    A few months ago while looking for mp3's on a dodgy Russian site (like you do!) I encountered a page that tried to make it look like I'd been infected by cryptolocker. It said I had 8 hours in which to pay $300, but it was only a message in a webpage and I closed the page, then even went back to it for a second look. I didn't think I'd been infected (I hadn't) but I checked over my system just in case.
    Either a browser addon blocked anything nasty, or more likely there was nothing and they were hoping the short amount of time to pay (8 hours, when cryptolocker gives you more time) would be enough to panic people into paying.


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog