by RSS Roland Dela Paz  |  Jul 29, 2015  |  Filed in: Security Research

Fortinet recently encountered a new Ransomware-as-a-Service (RaaS) advertisement called “Encryptor RaaS”. The service is advertised on an onion-based domain via Tor2Web service and Fortinet detects the associated ransomware as W32/Cryptolocker.ABD9!tr

Interestingly, the seller explicitly calls its website “Ransomware as a Service”, an AV industry language, where the advertised business model closely resembles the recently discovered “Tox” RaaS. The seller earns a 20% commission per infected user who opts to pay ransom. Additionally, all transactions are made via Bitcoin where affiliates or “customers” of this RaaS signs up via their Bitcoin address and victims need Bitcoin to recover their files. Below is a screenshot of the advertisement:

As can be seen above there are 3 configuration options for the ransomware tool:

  1. Price of ransom – the amount of money by which infected users need to pay in order to recover their encrypted files.
  2. Price of ransom after timeout – the new (usually higher) amount in case the infected user is unable to pay within the deadline specified.
  3. Timeout – the deadline configuration, in hours, for the payment of infected users otherwise the ransom will change to the amount specified in #2.

Once an affiliate has successfully signed up a Customer ID is then generated and embedded in the generated ransomware executable. This allows the seller to identify which victims are associated to which affiliate. Access to this ransomware’s decryptor requires this and the GUID of the affected machine:

Ransomware Routine
The actual executable code of the downloadable ransomware from the website contains references to GNU Compiler for Java (GCJ) library. GCJ can be used to compile Java source code to an executable, therefore suggesting that this malware was originally developed in Java programming language. 

The infection routine is pretty straightforward. Upon execution it proceeds with collecting the GUID of the system:

It then enumerates drives to look for files that it will encrypt:

Once done, it starts looking for specific file types to encrypt based on a predefined list in its body:

Below is a full list of the target file types:

3ds

eml

mbox

phtm

tga

cgi

jpm

ova

slf

xlsx

3g2

emlx

md2

phtml

thm

cpio

jpx

ovf

sme

xz

3gp

eps

mdb

pl

tif

cpp

jsp

oxps

smm

yuv

7z

epub

mdbackup

plist

tiff

crt

jspa

p2i

spb

zip

abw

fdf

mddata

pmd

toast

csr

jspx

p65

sql

zipx

accdb

ffu

mdf

pmx

torrent

cue

jst

p7

srt

xdw

ai

flv

mdinfo

png

tpl

dds

key

pages

ssc

xlr

aif

gam

mds

ppdf

ts

dem

keynote

pct

ssi

xls

arc

gcode

mid

pps

txt

dmg

kml

pdf

stg

 

as

gho

mov

ppsm

vbk

doc

kmz

pem

stl

 

asc

gif

mp3

ppsx

vcard

docm

lic

php

svg

 

asf

gpx

mp4

ppt

vcd

docx

lwp

php3

swf

 

ashdisc

gz

mpa

pptm

vcf

dsb

lzma

php4

sxw

 

asm

h

mpb

pptx

vdi

dwg

m3u

php5

syncdb

 

asp

h++

mpeg

ps

vfs4

dxf

m4a

phps

tar

 

aspx

hbk

mpg

psd

vhd

eddx

m4v

phpx

tc

 

asx

hdd

mpj

pspimage

vhdx

edoc

max

phpxx

tex

 

aup

hds

mpp

pst

vmdk

c++

j2k

nrg

rtf

 

avi

hpp

msg

pub

vob

cdi

jp2

nri

s

 

bbb

ics

mso

pvm

wav

cer

jpeg

ods

sbf

 

bdb

idml

nba

qcn

wbverify

cert

jpf

odt

set

 

bibtex

iff

nbf

qcow

webm

cfm

jpg

ogg

skb

 

bkf

img

nbi

qcow2

wmb

btd

iso

nco

rar

 

bmp

indd

nbu

qt

wpb

bz2

isz

nes

raw

 

bpn

ipd

nbz

ra

wps

c

iwa

note

rm

 

Additionally, it avoids encrypting files with filename “wallet.dat” which is a Bitcoin wallet file. Victims need this file in order to successfully pay the ransom paid in Bitcoin:

Below is the pseudocode of the encryption algorithm (variable declarations are removed to save space):
v2 = *(_DWORD *)(a1 + 4) + dword_433D60;
  v3 = *(_DWORD *)(a1 + 12) + dword_433D64;
  v4 = __ROL4__(v2 * (2 * v2 + 1), 5);
  v5 = __ROL4__(v3 * (2 * v3 + 1), 5);
  v6 = __ROL4__(v4 ^ *(_DWORD *)a1, v5);
  v7 = dword_433D68 + v6;
  v8 = __ROL4__(*(_DWORD *)(a1 + 8) ^ v5, v4);
  v9 = dword_433D6C + v8;
  v10 = __ROL4__(v7 * (2 * v7 + 1), 5);
  v11 = __ROL4__(v9 * (2 * v9 + 1), 5);
  v12 = __ROL4__(v11 ^ v2, v10);
  v13 = dword_433D70 + v12;
  v14 = __ROL4__(v10 ^ v3, v11);
  v15 = dword_433D74 + v14;
  v16 = __ROL4__(v13 * (2 * v13 + 1), 5);
  v17 = __ROL4__(v15 * (2 * v15 + 1), 5);
  v18 = __ROL4__(v17 ^ v9, v16);
  v19 = dword_433D78 + v18;
  v20 = __ROL4__(v16 ^ v7, v17);
  v21 = dword_433D7C + v20;
  v22 = __ROL4__(v19 * (2 * v19 + 1), 5);
  v23 = __ROL4__(v21 * (2 * v21 + 1), 5);
  v24 = __ROL4__(v23 ^ v15, v22);
  v25 = dword_433D80 + v24;
  v26 = __ROL4__(v22 ^ v13, v23);
  v27 = dword_433D84 + v26;
  v28 = __ROL4__(v25 * (2 * v25 + 1), 5);
  v29 = __ROL4__(v27 * (2 * v27 + 1), 5);
  v30 = __ROL4__(v29 ^ v21, v28);
  v31 = dword_433D88 + v30;
  v32 = __ROL4__(v28 ^ v19, v29);
  v33 = dword_433D8C + v32;
  v34 = v33;
  v35 = __ROL4__(v31 * (2 * v31 + 1), 5);
  v36 = __ROL4__(v33 * (2 * v33 + 1), 5);
  v37 = __ROL4__(v36 ^ v27, v35);
  v38 = dword_433D90 + v37;
  v39 = __ROL4__(v35 ^ v25, v36);
  v40 = dword_433D94 + v39;
  v41 = __ROL4__(v38 * (2 * v38 + 1), 5);
  v42 = __ROL4__(v40 * (2 * v40 + 1), 5);
  v43 = __ROL4__(v42 ^ v34, v41);
  v44 = dword_433D98 + v43;
  v45 = __ROL4__(v41 ^ v31, v42);
  v46 = dword_433D9C + v45;
  v47 = __ROL4__(v44 * (2 * v44 + 1), 5);
  v48 = __ROL4__(v46 * (2 * v46 + 1), 5);
  v49 = __ROL4__(v48 ^ v40, v47);
  v50 = dword_433DA0 + v49;
  v51 = __ROL4__(v47 ^ v38, v48);
  v52 = dword_433DA4 + v51;
  v53 = v52;
  v54 = __ROL4__(v50 * (2 * v50 + 1), 5);
  v55 = __ROL4__(v52 * (2 * v52 + 1), 5);
  v56 = __ROL4__(v55 ^ v46, v54);
  v57 = dword_433DA8 + v56;
  v58 = __ROL4__(v54 ^ v44, v55);
  v59 = dword_433DAC + v58;
  v60 = __ROL4__(v57 * (2 * v57 + 1), 5);
  v61 = __ROL4__(v59 * (2 * v59 + 1), 5);
  v62 = __ROL4__(v61 ^ v53, v60);
  v63 = dword_433DB0 + v62;
  v64 = __ROL4__(v60 ^ v50, v61);
  v65 = dword_433DB4 + v64;
  v66 = __ROL4__(v63 * (2 * v63 + 1), 5);
  v67 = __ROL4__(v65 * (2 * v65 + 1), 5);
  v68 = __ROL4__(v67 ^ v59, v66);
  v69 = dword_433DB8 + v68;
  v70 = __ROL4__(v66 ^ v57, v67);
  v71 = dword_433DBC + v70;
  v72 = v71;
  v73 = __ROL4__(v69 * (2 * v69 + 1), 5);
  v74 = __ROL4__(v71 * (2 * v71 + 1), 5);
  v75 = __ROL4__(v74 ^ v65, v73);
  v76 = dword_433DC0 + v75;
  v77 = __ROL4__(v73 ^ v63, v74);
  v78 = dword_433DC4 + v77;
  v79 = __ROL4__(v76 * (2 * v76 + 1), 5);
  v80 = __ROL4__(v78 * (2 * v78 + 1), 5);
  v81 = __ROL4__(v80 ^ v72, v79);
  v82 = dword_433DC8 + v81;
  v83 = __ROL4__(v79 ^ v69, v80);
  v84 = dword_433DCC + v83;
  v85 = __ROL4__(v82 * (2 * v82 + 1), 5);
  v86 = __ROL4__(v84 * (2 * v84 + 1), 5);
  v87 = __ROL4__(v86 ^ v78, v85);
  v88 = dword_433DD0 + v87;
  v89 = __ROL4__(v85 ^ v76, v86);
  v90 = dword_433DD4 + v89;
  v91 = v90;
  v92 = __ROL4__(v88 * (2 * v88 + 1), 5);
  v93 = __ROL4__(v90 * (2 * v90 + 1), 5);
  v94 = __ROL4__(v93 ^ v84, v92);
  v95 = dword_433DD8 + v94;
  v96 = __ROL4__(v92 ^ v82, v93);
  v97 = dword_433DDC + v96;
  v98 = __ROL4__(v95 * (2 * v95 + 1), 5);
  v99 = __ROL4__(v97 * (2 * v97 + 1), 5);
  v100 = __ROL4__(v99 ^ v91, v98);
  v101 = dword_433DE0 + v100;
  v102 = __ROL4__(v98 ^ v88, v99);
  v103 = dword_433DE4 + v102;
  v104 = __ROL4__(v101 * (2 * v101 + 1), 5);
  v105 = __ROL4__(v103 * (2 * v103 + 1), 5);
  v106 = __ROL4__(v105 ^ v97, v104);
  v107 = dword_433DE8 + v106;
  v108 = __ROL4__(v104 ^ v95, v105);
  v109 = v108 + dword_433DEC;
  v110 = __ROL4__((v108 + dword_433DEC) * (2 * (v108 + dword_433DEC) + 1), 5);
  v111 = __ROL4__(v107 * (2 * v107 + 1), 5);
  v112 = __ROL4__(v110 ^ v103, v111);
  v113 = __ROL4__(v111 ^ v101, v110);
  v114 = dword_433DF4 + v113;
  v115 = dword_433DF0 + v112;
  v116 = __ROL4__(v114 * (2 * v114 + 1), 5);
  v117 = __ROL4__(v115 * (2 * v115 + 1), 5);
  v118 = __ROL4__(v116 ^ v109, v117);
  v119 = dword_433DF8 + v118;
  v120 = __ROL4__(v117 ^ v107, v116);
  v121 = dword_433DFC + v120;
  v122 = __ROL4__(v119 * (2 * v119 + 1), 5);
  v123 = __ROL4__(v121 * (2 * v121 + 1), 5);
  v124 = __ROL4__(v123 ^ v114, v122);
  v125 = dword_433E00 + v124;
  v126 = __ROL4__(v122 ^ v115, v123);
  v127 = dword_433E04 + v126;
  *(_DWORD *)a2 = dword_433E08 + v121;
  *(_DWORD *)(a2 + 4) = v127;
  result = dword_433E0C + v119;
  *(_DWORD *)(a2 + 12) = v125;
  *(_DWORD *)(a2 + 8) = result;
  return result;

For each encrypted file, the malware appends an 8-byte infection marker. The malware checks this before encrypting a file:

Once all the target files have been encrypted on the victim’s machine, the malware opens the website hxxps://decryptoraveidf7.onion.to/vict?cust={customer ID}&guid={machine GUID} on the browser which displays the following:

The page contains complete instructions on how to pay the ransom and even provides a hyperlink pointing to howtobuybitcoins.info, perhaps to aid victims who are unfamiliar to Bitcoin in paying their ransom. A text file is also dropped on the current folder with a note. Interestingly, this note includes a German version of the text which suggests that German users may be a target of this ransomware:

Conclusion

The accessibility of malicious-tools-as-a-service continue to enable just about anyone to conduct cybercrime. While W32/Cryptolocker.ABD9!tr is far from sophisticated, it demonstrates how average developers can easily start a malware-as-a-service business by abusing online anonymity frameworks such as Tor2Web service and Bitcoin. It also illustrates how new trends in cybercrime business models are quickly adopted by other cybercriminals, thus exponentially increasing new malware variants.

On the bright side since this ransomware does not do anything on the system aside from encrypting files, file recovery software or shadow copy recovery software can help in restoring encrypted files. Nonetheless, it is always a good idea to regularly back up your files to prevent losing your files in case of a ransomware infection.

Fortinet will continue to monitor developments regarding this new ransomware.

-= FortiGuard Lion Team =-

by RSS Roland Dela Paz  |  Jul 29, 2015  |  Filed in: Security Research

comments powered by Disqus