by RSS Rommel Joven  |  Mar 02, 2017  |  Filed in: Security Research

Dot ransomware is a new Ransomware-as-a-service (RaaS) that is openly available in hacking forums. And following the current trend in malware services, it uses web portals hosted in the TOR network for anonymity.

Commission-based Profit

While lurking in hacking forums, we came across a post for this new ransomware service. RaaS services are now switching from a one-time fee or subscription payment model to a commission based strategy. One advantage of this scheme is that the up front price for the ransomware is free, and any profits realized are just split 50/50 between the author and affiliate. This is an easy, no pressure gateway for aspiring affiliates since nothing is invested in obtaining the ransomware.

Figure 01 Dot Ransomware

Figure 01 Dot Ransomware

Visiting a Tor links directs potential affilaites to the Dot ransomware homepage. The site itself is relatively new. The ad shown in Figure 01, above, was posted on Feb 21 of this year, but the project was only launched a few days earlier, on Feb 19 (Figure 02.) Recent updates to the site show that this RaaS variant has continued to receive support and refinements from the author in order to improve the product.

Figure 02 Dot Ransomware Homepage

To start, an affiliate needs to register using a Bitcoin Address.

Figure 03 Login Page

Figure 03 Login Page

Once logged in, the malware builder can be downloaded, along with the core component, which is basically the payload itself with a default configuration.

Figure 04 Download Builder and Core

Figure 04 Download Builder and Core

In order for affiliates to track the number and status of infections, a statistics page is made available. During our testing we found that the statistics only counts an infection as successful if the victim visits the decryption page. This has the advantages of eliminating automated infections and providing a more realistic return from real victims.

Figure 05 Statistics Page

Figure 05 Statistics Page

Straight-forward Builder

The builder comes with a setup guide, although its usage is fairly straight-forward even without it.

Figure 06 Content of Builder Zip file

Figure 06 Content of Builder Zip file

To guide complete newbies in the intricacies of RaaS, the setup guide includes recommendations on prices for particular countries and includes also a list of 380 suggested file target extensions.(Complete list of extensions is in the end of the article)

Country Code|Price(Bitcoin)

FR|0.15|FI|0.15|IE|0.15|IS|0.15|AU|0.15|BE|0.15|CA|0.15|AT|0.15|DK|0.15|SE|0.15|DE|0.15|NL|0.15|SA|0.2|US|0.2|HK|0.2|LU|0.2|CH|0.2|NO|0.2|AE|0.2|SG|0.2|KW|0.2|MO|0.2|QA|0.2

As previously mentioned, configuring the payload is pretty straight-forward. The following features can be set in the builder.

Figure 07 Ransomware Builder

Figure 07 Ransomware Builder

After setting up the necessary configurations and a generating a successful build, the DotRansomwareBuilder generates a Tracking ID that is unique for every build.

Figure 08 Build Ransomware

Figure 08 Build Ransomware

Configuration

The configuration is then encrypted and written in the overlay of the payload binary, as seen below.

Figure 09 Encrypted-Decrypted Configurations

Figure 09 Encrypted-Decrypted Configurations

The decrypted configurations include the following data:

Configuration

Description

appID(Tracking ID)

{4 alphanumeric chars} - Unique for every build

bitcoinAddress

Bitcoin address of affiliate

defaultPrice

{1} – default price if not specified by the affiliate

partEncryption

{True/false} – encrypts only first 4MB of file

extensions

Target file extensions specified by affiliate

countries

Countries with special decryption prices

prices

Decryption price for specific countries set by the affiliate

Author Comes First

After decryption of the configuration, it continues to decrypt the URL for the decryption and payment page unlock26ozqwoyfv. This URL is hard-coded by the author and cannot be configured by the user. To make sure that the URL has not been tampered with, it computes the SHA256 hash of the URL and compares it to a hard coded value. This is to ensure that the payments go through the author first. Only then will the user get paid, or at least hope to be paid.

Figure 10 Hardcoded SHA256 value

Figure 10 Hardcoded SHA256 value

It does the same for the embedded RSA-4096 public key in the file. It computes the SHA256 hash and compares it to a hardcoded SHA256 value. This ensures that the private key on the C&C side will be able to decrypt the “Signature” that was encrypted by the hard-coded public key.

Figure 11 Decrypted RSA-4096 Key

Figure 11 Decrypted RSA-4096 Key

Figure 12 Hard-coded SHA256 hash value

Figure 12 Hard-coded SHA256 hash value

If the computed SHA256 hash is not equal to the hard-coded value, dot ransomware will terminate.

Signature

Since there is no network traffic during run time to notify the C&C, the Signature is important to differentiate between victims. The link to the decryption page of the ransomware is appended by the signature and is unique for every victim.

Figure 13 URL for Unlock26 website

Figure 13 URL for Unlock26 website

The unique Signature of the victim consists of the following data:

Signature

Description

key{38 bytes }

Randomly generated and used as key for encryption

iv{8 bytes}

Randomly generated and used as Initialization Vector(iv)

bitcoinAddress

Bitcoin address of affiliate

appID(TrackingID)

Unique for every build

country

Country of infected victim

price

Price set by the affiliate to decrypt files

partEncryption

True/false – encrypt only first 4MB of file

uniqueExtension

{3 char}

Randomly generated value appended to the encrypted filename

 i.e. .locked-{uniqueExtension}

After accumulating all the needed data for the Signature it is encrypted by the embedded RSA-4096 public key. Some characters from the encrypted Signature are replaced from “+ to @”, “/ to –“ and  “= to !” as added encoding.  The final output will serve as the unique Signature.

Offline Encryption using Blowfish

Offline encryption is gaining popularity since it causes minimal network traffic noise, thus,making it less suspicious.

The encryption used by Dot ransomware is Blowfish, a symmetric-key block cipher, and uses a randomly generated 38 bytes-length key alongside the 8 bytes initialization vector. An initialization vector (iv) prevents repetition in data encryption, making it more difficult to find a pattern in the encrypted file. Although the actual encryption for the file is a symmetric algorithm, the encryption key is encrypted using RSA-4096, which means that to be able to decrypt the files the private key is needed.   

Infected files are appended by .locked-{3 random char}.

Figure 14 Encrypted files

Figure 14 Encrypted files

After encryption, the ransomware opens the ReadMe HTML file , which shows the sites the victim needs to visit to get instructions for unlocking the files.

Taking a look at the unlock page, it is pretty straight-forward as only has one instruction, which is to pay.  However, there’s not much information on what happens after paying. Usually, a decryptor application is given to the victim.

Figure 15 Unlock page

Figure 15 Unlock page

Conclusion

The simplistic and straight-forward design of Dot ransomware enables just about anyone to conduct cybercrime. With all the support for bug fixes and developments, it’s astonishing to think that these malware services have evolved using traditional business models. Moreover, it allows cyber criminals to easily start a RaaS business with the free additional safety of an online anonymity framework from Tor service and Bitcoin.

Although we haven’t seen this ransomware in the wild, with the advertisements being made accessible on hacking forums it’s only a matter of time until people start taking the bait.

-= FortiGuard Lion Team =-

*Special thanks to my team mate Joie Salvio for additional insights

 

IOCs

Dot Ransomware will be proactively detected as W32/Filecoder.DOT!tr

SHA256

core.exe - db43d7c41da0223ada39d4f9e883611e733652194c347c78efcc439fde6dde1c

 

builder.zip - dd03307aa51cfb1c5a3c3fafc65729ad5b50a764354ef3919b7f9d0b4c6142a5

 

DotRansomwareBuilder.exe - fb250ebe87db2c01cc13abed8bbdd66e0670071c0d51c56215ab86de6ed1c738

 

Dropped Files:

%Temp%\ReadMe-{3char}.html

{Infected directory}\ReadMe-{3char}.html

 

 

 

Setup Guide.txt

Recommended attacked file extensions:

001|1dc|3ds|3fr|7z|a3s|acb|acbl|accdb|act|ai|ai3|ai4|ai5|ai6|ai7|ai8|aia|aif|aiff|aip|ait|anim|apk|arch00|ari|art|arw|asc|ase|asef|asp|aspx|asset|avi|bar|bak|bay|bc6|bc7|bgeo|big|bik|bkf|bkp|blob|bmp|bsa|c|c4d|cap|cas|catpart|catproduct|cdr|cef|cer|cfr|cgm|cha|chr|cld|clx|cpp|cr2|crt|crw|cs|css|csv|cxx|d3dbsp|das|dayzprofile|dazip|db|db0|dbf|dbfv|dcr|dcs|der|desc|dib|dlc|dle|dlv|dlv3|dlv4|dmp|dng|doc|docm|docx|drf|dvi|dvr|dwf|dwg|dxf|dxg|eip|emf|emz|epf|epk|eps|eps2|eps3|epsf|epsp|erf|esm|fbx|ff|fff|fh10|fh11|fh7|fh8|fh9|fig|flt|flv|fmod|forge|fos|fpk|fsh|ft8|fxg|gdb|ge2|geo|gho|h|hip|hipnc|hkdb|hkx|hplg|hpp|hvpl|hxx|iam|ibank|icb|icxs|idea|iff|iiq|indd|ipt|iros|irs|itdb|itl|itm|iwd|iwi|j2k|java|jp2|jpe|jpeg|jpf|jpg|jpx|js|k25|kdb|kdc|kf|kys|layout|lbf|lex|litemod|lrf|ltx|lvl|m|m2|m2t|m2ts|m3u|m4a|m4v|ma|map|mat|mb|mcfi|mcfp|mcgame|mcmeta|mdb|mdbackup|mdc|mddata|mdf|mdl|mdlp|mef|mel|menu|mkv|mll|mlx|mn|model|mos|mp|mp4|mpqge|mrw|mrwref|mts|mu|mxf|nb|ncf|nef|nrw|ntl|obm|ocdc|odb|odc|odm|odp|ods|odt|omeg|orf|ott|p12|p7b|p7c|pak|pct|pcx|pdd|pdf|pef|pem|pfx|php|php4|php5|pic|picnc|pkpass|png|ppd|ppt|pptm|pptx|prj|prt|prtl|ps|psb|psd|psf|psid|psk|psq|pst|ptl|ptx|pwl|pxn|pxr|py|qdf|qic|r3d|raa|raf|rar|raw|rb|re4|rgss3a|rim|rofl|rtf|rtg|rvt|rw2|rwl|rwz|sav|sb|sbx|sc2save|shp|sid|sidd|sidn|sie|sis|skl|skp|sldasm|sldprt|slm|slx|slxp|snx|soft|sqlite|sqlite3|sr2|srf|srw|step|stl|stp|sum|svg|svgz|swatch|syncdb|t12|t13|tax|tex|tga|tif|tiff|tor|txt|unity3d|uof|uos|upk|vda|vdf|vfl|vfs0|vpk|vpp_pc|vst|vtf|w3x|wb2|wdx|wma|wmo|wmv|wallet|ycbcra|wotreplay|wpd|wps|x3f|xf|xl|xlk|xls|xlsb|xlsm|xlsx|xvc|xvz|xxx|zdct|zip|ztmp|py|rb|tar|gz|sdf|yuv|max|wav|dat

 

Sign up for weekly Fortinet FortiGuard Labs Threat Intelligence Briefs and stay on top of the newest emerging threats.

by RSS Rommel Joven  |  Mar 02, 2017  |  Filed in: Security Research