Ransomware with a happy ending

Ransomware is certainly a hot topic these days.

That’s the sort of malware that locks up your computer, or scrambles your data, and demands a fee to get things back the way they were.

The fee is usually about $300, which is about the same sort of money that fake support call scammers ask for.

Of course, the fake call crooks deliberately lie to you, pretending that you have a virus and then pretending to make it go away.

With ransomware, there’s no pretending: the crooks deliberately infect you and then take money off you in return for cleaning up after themselves.

“Computer locking” ransomware

The best known “computer locking” malware is probably Reveton, which pops up the logo of your local police service, accuses you of a crime (e.g. copyright infringement), and imposes a “fine.”


Until you pay up, only the browser window containing the payment instructions is visible, glued on top of everything else, stopping you from using other applications and thus keeping you out of your data.

But there’s a problem here for the crooks, namely that more and more people now know that this sort of “lock” can be bypassed without paying up.

A clean boot from a rescue CD or USB key, using a tool like Sophos Bootable Anti-Virus, will usually do the trick.

The malware relies on being active to keep you out.

Encryption-based ransomware

Encryption-based ransomware like CryptoLocker is much more troublesome, because it leaves your computer unlocked but takes your data hostage by scrambling it with an encryption key known only to the crooks.

If you remove the malware, you don’t get your data back – for that, you need to buy the decryption key off the crooks via some sort of anonymous online payment.

Usually, they ask either for Bitcoins, which are like cash payments once you’ve transferred them, or for a pre-paid credit card, which they can cash out as if they were their own once you have sent them the card details.

No-one knows quite how much the CryptoLocker crew made before the servers used by the malware were shut down by law enforcement.

But estimates from the UK suggest that about 3% of computer-using Britons were hit by the malware, and 40% of those chose to pay rather than lose their data.

If we take that as $300 per household from 40% of 3% of 10,000,000 UK households with computers, that’s $36,000,000 in turnover from the UK alone!

So it’s hardly surprising that others are trying their hand at encryption-based ransomware.

But they don’t always succeed, as in this case reported to us by SophosLabs.

→ We weren’t quite willing to smile (it’s not funny, if the truth be told), but we were relieved to see the ineptitude of the crook involved here.

Ransomware in PowerShell

This ransomware is written in PowerShell, Microsoft’s answer to scripting tools such as Perl, AWK and Bash that Linux/UNIX administrators take for granted.

PowerShell scripts can take easily advantage of any library functions already available in Windows, without any of the complexity and verbosity often seen in traditional languages such as C and C++.

That includes direct, straightforward access to the Microsoft CryptoAPI for strong cryptography.

Indeed, the whole malware sample (Sophos blocks it as Troj/Ransom-AII) is just 77 lines long.

It’s supposed to (or, perhaps better put, it’s reasonable to assume the author would have liked it to) do the following:

  • Generate a random AES key.
  • Use this key to scramble the first 42KB of a large list of files on all visible drives, with the AES-CBC cipher plus a randomly created initialisation vector for each file. (That means even two identical files will encrypt differently.)
  • Encrypt the AES key with an RSA public key carried along with the malware.
  • Call home with the RSA-encrypted AES key and a numeric code to identify the victim.
  • Leave behind a file called HOWTODECRYPT.html in every affected directory.

The instructions in the HOWTODECRYPT file tell you to visit a website using the Tor anonymising proxy:


On the extortion site itself, the malware author tries to squeeze you for one Bitcoin (BTC).


That’s close to $600 at the current price [2014-06-17] of BTCs, making the author twice as greedy as the CryptoLocker gang were.


The good news is that this malware isn’t twice as treacherous as CryptoLocker.

It isn’t half, or even a quarter, as tricky.

In fact, if you were to get hit you could unscramble your files yourself, because the author botched up the cryptography completely.

At least, you could unscramble your files if the malware had worked at all in the first place.

But it wouldn’t work: the sample we saw was broken, though whether due to the incompetence of the malware author, or due to a bug in some server-side software programmed to generate a customised sample for each potential victim, we shall never know.

A programming blunder made the malware useless.

Fortunately, not every cybercrook in the world is a good coder – let’s hope it stays that way.