by RSS Rommel Abraham D Joven  |  Jun 17, 2016  |  Filed in: Security Research

Fortinet recently encountered a new ransomware variant that targets a Russian-speaking audience. The file is hosted on a Russian file hosting site, and is likely propagated via drive-by download. It encrypts files and appends the extension with crypt38.

The malware author asks for 1000 Rubles – around $15 USD- and places his/her email address as the contact to retrieve the unlock code: 

Figure 01. Ransom Note

The above ransome note can be roughly translated to:

“Your data is encrypted!
The cost of deciphering : 1000 rubles                       Unlock Code : ___________
Your ID: 576070104701
Send it to                                             [Decrypt]
Do not delete or edit files .crypt38 and virus files, or restore the data will not work!”

Behavioral Analysis

Crypt38 first checks to see if it’s already running in %Appdata%\Microsoft\Windows. If not, it will drop and run a copy of itself as %Appdata%\Microsoft\Windows\lsass.exe.

Figure 02. Drop Lsass.exe

Once the malware is running in its designed file path, it will add itself to the registry to run at start up.

Figure 03. Enable Autorun

key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

value: lsass

data: %Appdata%\lsass.exe

Victim ID and Key Creation

Crypt38 creates a victim ID by randomly generating 12 numeric values as shown below. 

Figure 04. Victim ID Creation

Once the victim ID is created, Crypt38 uses this to create a Key for encrypting files. It copies the victim ID then takes each indices’ value and uses the operation of (num*num*num)modulo10 and then appends “6551” to create the key. The key is then stored in %Appdata%\Microsoft\Windows\request.bin.

Figure 05. Key Generation

File Encryption

The ransomware begins by enumerating the targeted files to be encrypted. It lists all drives from A to Z, and after it loads all files in specific drive,s it compares the file path to its blacklist.

Crypt38 will not infect files which contains the following in their file path: 

Windows, msocache, Program Files, Program Files(x86)

It will encrypt files with the following file extension:

.txt .pdf .html .rtf .dwg .cdw .max .psd .3dm .3ds .dxf .ps .ai .svg .indd .cpp .pas .php .cs .py .java .class .fla .pl .sh .jpg .jpeg .jps .bmp .tiff .avi .mov .mp4 .amr .aac .doc .docx .xls .xlsx .ppt .pptx .accdb .odt .odp .odx .ibooks .xlp .db .dbf .mdf .sdf .mdb .sql .rar .7z .zip .vcf .cer .csr .torrent .otl .report .key .csv .xml

Afterwards, once the targeted files have all been filtered, it starts encrypting files with a symmetric algorithm that uses the generated key. 

Figure 06. File Encryption

It then proceeds to append the extension .crypt38 to encrypted files.

Figure 07. Encrypted Data

The Good News

Since the encryption algorithm used is symmetric, the key for the decryption of files is the same key that was generated for encryption, which means it can be used to decrypt ransomed files without paying the ransom. 

Figure 08. Condition to Decrypt

To determine the Key for this sample, we use the following:

victim_ID = [12 numbers]
unlock_key = “”
     num= num*num*num%10
     unlock_key += num
unlock_key+= “6551”

Once the unlock_key is generated, we can use this key to decrypt the files. Entering the correct unlock code presents the window below.

Figure 09. Window for Correct Code

This window roughly translates to:

The correct code. 
Please make sure that all connected drives, which are .crypt38 files and click OK

After clicking OK, the malware decrypts all the files and shows this window:

Figure 10.Decrypting Window

The malware then removes all added folders and deletes the auto run registry after decrypting the files. However, it doesn’t delete itself. 


While our analysis indicates that this malware is a work of an inexperienced cybercriminal, the appearance of this ransomware suggests that more and more ransomware attacks are targeting specific regions.

Fortiguard will continue to monitor Crypt38 ransomware and other developments in the ransomware scene.

-= FortiGuard Lion Team =-


Sha256: 06e62eec96b8a6fa5bd1294b4cc2a20e4c22641ad06045fd8fa0c6b9cb8dd620

Detected as: W32/Crypt38.A!tr


Added Files:

%Appdata%\lsass.exe - copy of itself

%Appdata%\request.bin – contains Victim ID


Added Folder:

{root drive} \ow4386747

Added Registry:

key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

value: lsass

data: %Appdata%\lsass.exe

by RSS Rommel Abraham D Joven  |  Jun 17, 2016  |  Filed in: Security Research
Tags: ransomware

comments powered by Disqus