Sophos Cloud Optix
Here’s a ransomware story with a difference.
The sample we studied in this article is detected by Sophos products as Troj/Ransom-FXO, but you’ll also hear it called Vcrypt after the filename extension used by the malware.
Neither of those monikers is how it describes itself, of course – it installs itself with the harmless-looking name video_driver.exe and claims to be just that, a video driver:
The bad news is that whoever wrote this malware decided to be doubly destructive: it scrambles the files on your C: drive using a secret decryption key, but it wipes out the files on all your other drives, looping through all the letters A: to Z: except C:, issuing commands to delete all the files and directories it can find.
The good news is that the programmer of Ransom-FXO didn’t take much care over the encryption part, and used a hardcoded cryptographic key that can fairly easily be extracted from the malware file.
Actually, that bit of good news is just as well, because there’s no way to buy back the unscrambling key.
Unusually, the criminal behind this attack didn’t use Tor or the dark web to host the “buy page” where you find out how much it’s going to cost and where to send the bitcoins…
…they used a regular web page on a free hosting service that has now removed the offending content, so you couldn’t negotiate for the password even if you wanted to.
Ransom-FXO is unusual because although the ransomware itself is written in C, it doesn’t use its own C code to do the encryption.
If you’re a Naked Security podcast listener (if you aren’t yet, please give it a try!), you’ll probably remember that a few episodes back we discussed a concept we wryly referred to as “malwareless ransomware“.
LISTEN NOW
Click-and-drag on the soundwaves below to skip to any point in the podcast.
In the case we discussed in the podcast (jump to 13’43” for the section on ransomware) the encryption was carried out by hand by crooks who were already able to logon to the victim’s network and run commands as if they were genuine sysadmins.
That attack saw the crooks using a free and open source full-disk encryption program called DiskCryptor, leaving you stuck at a password prompt you weren’t expecting – and for which you didn’t know the access code – when you next rebooted your computer.
In the Ransom-FXO sample, the author used the free file archiving tool 7-Zip for the encryption, so that all the video_drive.exe ransomware program has to do is call the Windows system() function to run the 7-Zip program as a operating system command, just as if you’d typed it in yourself at a Windows command prompt.
This makes the main part of the ransomware very simple, as you can see from this directory listing taken after the ransomware had installed itself in order to launch its attack:
The malware copies itself to your %TEMP% folder (which is where temporary files typically go), as you see above, and is 794KB in size.
However, 733KB of the video_driver.exe consists of a copy of the mod_01.exe file that the malware extracts into a program of its own at the start, so that it can call on it later.
The mod_01.exe file is simply a pirated copy of the 7-Zip archiving and compression program, which lets you package entire directory structures into individual archive files, optionally encrypting them using the AES algorithm.
How it works
Stripped of the copy of 7-Zip bundled into it, the video_driver.exe is incredibly simple.
Almost all it does is to start two threads of execution that run side-by-side, each running a sequence of system() commands over and over again via the built-in Windows cmd.exe program:
The first thread repeatedly does the following:
The author left out the C: drive from the list of drives to wipe because that’s where the other thread looks for files to scramble.
You can see what seem to be two fortuitous mistakes above.
The B: drive (if there is one, which is admittedly unlikely these days) doesn’t get wiped because the programmer checks for the existence of B: but then wipes the A: drive again in the second part of the line.
And the F: drive was omitted altogether – we’re assuming that was a copy-and-paste blunder rather than that the criminal had in mind to spare that particular content.
The second thread repeatedly runs a sequence of commands that are stored inside the malware like this:
As weird as that text looks, it’s actually obfuscated using a good old Caesar cipher, where all the characters are shifted back three places just before the system() command gets called.
Using the ASCII character set as the decryption table for the text above, li moved back three letters gives if, the hash sign (#) turns into a space, and XVHU comes out as USER, and so on.
So, what actually executes is:
As mentioned above, the file %TEMP%\mod_01.exe program name seen here refers to the pirated copy of the 7-Zip command brought along by the malware.
You can see the password in the command line above – it’s the text immediately following the command option -p, namely:
Oezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS
There are actually twelve variations of the above command in the malware, each having a go at scrambling one of the folders in this list:
%USERPROFILE%\Desktop\ %USERPROFILE%\Downloads\ %USERPROFILE%\Pictures\ %USERPROFILE%\Music\ %USERPROFILE%\Videos\ %USERPROFILE%\Documents\ %PUBLIC%\Desktop\ %PUBLIC%\Downloads\ %PUBLIC%\Pictures\ %PUBLIC%\Music\ %PUBLIC%\Videos\ %PUBLIC%\Documents\
If any of these folders exist and have files in them, their contents end up in encrypted 7-Zip archives with the extension .vcrypt, like this:
In the listing above, you can also see two other files created by the malware: help.html (shown below), which gives you the bad news that your files have been scrambled, and new_background.bmp, which is an all-black rectangle that gloomily replaces your desktop wallpaper for dramatic effect.
The twelve file encrypting commands actually run over and over until you shut down or log out, so that any files you save into one of the above folders after the malware has started running will soon get noticed, added into to the relevant .vcrypt archive, and then deleted.
What you see
The malware adds itself to the Windows registry entry as follows:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
video_driver = "%TEMP%\video_driver.exe"
This means that every time you logon to Windows, the file-deleting-and-encrypting threads start up again in the background.
Thanks to the wallpaper change and the help.html file, you’re confronted with a dispriting, all-black Windows desktop with no file icons or shortcuts on it, like this:
Oooopppssss…
Q: Qu’ai t’il arrivé à mes fichiers ?
A: Tous vos fichiers ont étés chiffrés et placés dans une zone de sécurité.
Q: Comment récupérez mes documents !! ?
A: Suivez les instructions disponibles via cette page web. Si la page ne s’ouvre pas, veuillez vérifier votre connexion internet.——
Oooopppssss…
Q: What happened to my files?
A: All your files were encrypted and stored in a secure area.
Q: How do I get my documents back !! ?
A: Follow the instructions [here]. If you can’t open the page, check your internet connection.
As we mentioned above, the web page that is supposed to tell you what to do has been taken down, so checking your internet connection won’t help you access it:
Erreur 404 – Document non trouvé
—–
Error 404 – Document not found
What to do?
You can use an anti-virus program to remove the malware, or stop it running yourself as follows:
- Delete the file
C:\USERS\[yourname]\AppData\Local\Temp\video_driver.exe - Reboot or log off and come back in.
You can recover your files by hand by installing the 7-Zip utility and then opening up the .vcrypt files in your home folder one by one.
For example, here’s what our deleted Desktop folder looked like, packaged up inside the archive created by the malware, showing the filenames, sizes, and a + sign to denote that the files themselves are encrypted:
(You can view the names of the files in this archive without putting in the password – the malware didn’t turn on the “encrypt filenames” option in 7-Zip, so only the file contents are encrypted.)
When you ask 7-Zip to extract the files, a password prompt will pop up.
For the malware sample described here, the password was:
Oezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS
Unfortunately, there’s no quick way to get back files deleted from other drive letters than C:…
…but if you’re in the habit of making regular and frequent backups, and of keeping at least one copy offline where it can’t be deleted during an attack, you should be able to recover anyway.
Don’t delay, do a backup today!
Latest Naked Security podcast
LISTEN NOW
Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.
Excellent write-up, though this one seems trivial for you to break down. Must be nice to get an “easy” one every now and then. And good callback on the Wilco MP3 in your VM – haven’t heard them in quite some time.
Thanks!
That MP3 is in my collection from a really funky article we got to write up a few years ago. (We even concocted a video with a “SPHS NKDS CRTY” tranmisson from our very own fake numbers station).
There was a weird bunch of videos known collectively as “Webdriver Torso” posted to YouTube that kicked off all sorts of conspiracy theories, Watch and listen here…
https://nakedsecurity.sophos.com/2014/05/05/weird-and-wonderful-the-webdriver-torso-mystery-videos-explained-and-remystified/
Do you think programmer of Ransom-FXO has nothing to do during this COVID-19 crisis and want to test programming skill on ransomware? By the way, if the wiping out files on all other drives is by DOS functional calls, I think some freeware undelete will recover most files.
Would be nice if the free hosting service replaced the page with one containing instructions on how to decrypt everything. Or just redirect to this article.
7-Zip is a free, open-source program. Not sure how you could pirate it? Even if you took the source and modified it to do something nasty, that’s still permissible under the terms of the LGPL. (Though that may mean the source code and license information should be available too…)
I’ve used the word “piracy” before to describe taking other people’s programs for use in malware, whether those programs were open source or not.
FWIW, 7-Zip is actually under a mix of licences, and you are right that the letter of these licences has not been followed. But I’m not using the word “piracy” in a legal sense. The spirit of the licences in particular, and of open source in general, certainly hasn’t been followed, and that’s a rip-off in my book.
So I’m happy with the word “piracy” – I chose it to stand out, and it obviously has!
Nice article. But “You can view the files without putting in the password, because 7-Zip doesn’t encrypt the file names, only their contents.”
this is not correct. 7-Zip actually can encrypt file names. The malware didn’t choose to do so either by choice or by mistake.
Yes, you’re right. Adding the command line option
-mhe=onactivates Method for Header Encryption (I think that’s what the letters stand for). I’ll rewrite the text so it is obvious that the unencrypted filenames aren’t something 7-Zip forces you to have but simply the default option. As you say, the author either chose to do this or didn’t know/care.