Friday, September 13, 2024
HomeRansomwareCyber Security Firm Checkpoint Software Found Two New Ransomware Families And Built...

Cyber Security Firm Checkpoint Software Found Two New Ransomware Families And Built Their Decryptors

Published on

Attacks are more successful when effective countermeasures are not in place.  Security firms are consistently developing and releasing anti-ransomware applications and decryption tools in response to the threat.

Checkpoint found that ransomware attacks are surging, with their Global Threat Index showing that the number of ransomware attacks using Locky and Cryptowall increased by 10%.

Check Point’s Threat Intelligence Team reveals two new ransomware samples that were found in the wild, but also the decryption solutions which can help victims retrieve their lost data free of charge.

- Advertisement - EHA

1– DeriaLock: Ransomware Evolving Within Hours

DeriaLock is a ransomware-type virus discovered by Karsten Hahn. There are two variants of this malware. The first locks the screen and displays a ransom-demand message.

The second encrypts files and appends the “.deria” extension to the name of each compromised file (e.g., “sample.jpg” is renamed to “sample.jpg.deria“). A pop-up window with a ransom-demand message is then displayed.

The screen-locking version contains a message stating that the computer has been locked and that a $30 ransom must be paid to unlock it.

The message is supposedly translated to German and Spanish, however, only the German version’s “Explain” button works. To submit payment, victims must contact DeriaLocker’s developers via Skype (“ARIZONACODE” Skype name).

The payment method is currently unknown. The Spanish version encrypts files and demands a $20/€20 ransom.

Check Point researchers have found a way to exploit several flaws in its implementation and created a decryption tools that helps you recover your files and avoid payment altogether.

Checkpoint found that ransomware attacks are surging, with their Global Threat Index showing that the number of ransomware attacks using Locky and Cryptowall

How to retrieve your files?

Please use the below decryption tool with caution.

  1. The decryptor is effective for the current version of the ransomware. As security companies and hackers are in an eternal cat and mouse chase, there is a chance that the attackers will remediate their vulnerabilities which allowed us to decrypt the files. Therefore, Check Point does not take responsibility for unsuccessful attempts to decrypt files using this tool.
  2. Before initiating the decryption process we recommend backing up your hard-disk.
  3. Make sure you are familiar with the specific procedure for how to reach to your safe mode during rebooting.
  4. If you fail to get into safe mode ALL YOUR FILES WILL BE DELETED.

 User manual:

After reading and familiarizing yourself with the cautions –

  1. Restart the computer into safe-mode
  2. Go to C:\users\%user name%\appdata\roaming\microsoft\windows\start menu\programs\startup\
  3. Look for either LOGON.exe or SystemLock.exe and delete them.

(the ‘Date Modified’ of them would be the infection date)

  1. Restart the computer again
  2. Download and execute the decryptor *
  3. Click the “I PAY GET MY FILES BACK NOW!” button.

2 – PHP Ransomware

checkpoint also discovered in the wild a new ransomware in the form of a PHP script. We first encountered it when accessing the domain hxxp://med-lex[.]com.

Although the PHP ransomware encrypts the victim’s files, it’s tricky to call it a “ransomware” per-se.

Extensions are of the following:

zip, rar, r00 ,r01 ,r02 ,r03, 7z, tar, gz, gzip, arc, arj, bz, bz2, bza, bzip ,bzip2, ice, xls, xlsx, doc, docx, pdf ,djvu ,fb2,rtf, ppt, pptx, pps, sxi, odm, odt, mpp, ssh, pub, gpg, pgp, kdb, kdbx, als, aup, cpr, npr, cpp, bas, asm, cs, php, pas, class, py, pl, h, vb ,vcproj, vbproj, java, bak, backup, mdb, accdb, mdf, odb, wdb, csv, tsv, sql, psd, eps, cdr, cpt, indd, dwg, ai, svg, max, skp, scad, cad, 3ds, blend, lwo, lws, mb, slddrw, sldasm, sldprt, u3d, jpg, jpeg, tiff, tif, raw, avi, mpg, mp4, m4v, mpeg, mpe, wmf, wmv, veg, mov, 3gp, flv, mkv, vob, rm, mp3, wav, asf, wma, m3u, midi, ogg, mid, vdi, vmdk, vhd, dsk, img, iso         

PHP malware

Notably, most content and management systems, such as WordPress, Joomla and Drupal, use PHP.

In other words, if a crook has your blog password and can upload files to your server, or if you have an unpatched server plugin that allows him to modify files that are supposed to be write-protected, and he can alter one or more of your PHP files…

…then he can install a payload on your website that will trigger whenever anyone happens to visit the booby-trapped page.

Indeed, he can activate the payload himself at will by accessing the page himself in what appears to be an entirely innocent web request.

That’s how the malware known as Troj/PHPRansm-B works.

It infects your server with a file called index.php that contains:

  • File encrypting and decrypting code using PHP.
  • Style-sheet information using CSS, plus inline images.
  • A “pay page” using HTML and JavaScript.

The file encryption doesn’t happen every time the page is viewed, only when the crook himself submits a specially-formatted upload request in which he specifies two passwords, a “test” password and a “full” password.

Once the encryption is kicked off, two randomly-chosen files are encrypted with the test password, and the rest with the full password. (The encryption uses the AES cipher in CBC mode.)

Anyone else visiting the page – embarrassingly, this may very well include your prospects and customers – will see a warning page like this:

Checkpoint found that ransomware attacks are surging, with their Global Threat Index showing that the number of ransomware attacks using Locky and Cryptowall

How to decrypt your files?

 Even though the encryption seems irreparable at first, we were able to develop a decryptor which allows victims of the PHP ransomware to restore their original files without difficulty.

  1. Download the decryptor to the infected device*
  2. Execute the decryptor – once it starts running it will look for affected files and revert them to their original form

Know More about Ransomware and its evaluation in 2016 –Click Here

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Citrix Workspace App Vulnerable to Privilege Escalation Attacks

Citrix released a security bulletin (CTX691485) detailing two critical vulnerabilities in the Citrix Workspace...

Beware Of Weaponized Excel Document That Delivers Fileless Remcos RAT

A recent advanced malware campaign leverages a phishing attack to deliver a seemingly benign...

Hackers Exploiting Apache OFBiz RCE Vulnerability in the Wild

A critical vulnerability in the Apache OFBiz framework has been actively exploited by hackers....

Docker Desktop Vulnerabilities Let Attackers Execute Remote Code

Docker has addressed critical vulnerabilities in Docker Desktop that could allow attackers to execute...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

CosmicBeetle Exploiting Old Vulnerabilities To Attacks SMBs All Over The World

CosmicBeetle, a threat actor specializing in ransomware, has recently replaced its old ransomware, Scarab,...

New Developer-As-A-Service In Hacking Forums Empowering Phishing And Cyberattacks

SCATTERED SPIDER, a ransomware group, leverages cloud infrastructure and social engineering to target insurance...

New RansomHub Attack Killing Kaspersky’s TDSSKiller To Disable EDR

RansomHub has recently employed a novel attack method utilizing TDSSKiller and LaZagne, where TDSSKiller,...