Saturday, January 25, 2025

Cyber Security Firm Checkpoint Software Found Two New Ransomware Families And Built Their Decryptors


Attacks are more successful when effective countermeasures are not in place. Security firms are consistently developing and releasing anti-ransomware applications and decryption tools in response to the threat.

Checkpoint found that ransomware attacks are surging, with their Global Threat Index showing that the number of ransomware attacks using Locky and Cryptowall increased by 10%.

Check Point’s Threat Intelligence Team reveals two new ransomware samples that were found in the wild, and also the decryption solutions which can help victims retrieve their lost data free of charge.

1 – DeriaLock: Ransomware Evolving Within Hours

DeriaLock is a ransomware-type virus discovered by Karsten Hahn. There are two variants of this malware. The first locks the screen and displays a ransom-demand message.

The second encrypts files and appends the “.deria” extension to the name of each compromised file (e.g., “sample.jpg” is renamed to “sample.jpg.deria“). A pop-up window with a ransom-demand message is then displayed.

The screen-locking version contains a message stating that the computer has been locked and that a $30 ransom must be paid to unlock it.

The message is supposedly translated to German and Spanish, however, only the German version’s “Explain” button works. To submit payment, victims must contact DeriaLocker’s developers via Skype (“ARIZONACODE” Skype name).

The payment method is currently unknown. The Spanish version encrypts files and demands a $20/€20 ransom.

Check Point researchers have found a way to exploit several flaws in its implementation and created a decryption tool that helps you recover your files and avoid payment altogether.


How to retrieve your files?

Please use the below decryption tool with caution.

  1. The decryptor is effective for the current version of the ransomware. As security companies and hackers are in an eternal cat and mouse chase, there is a chance that the attackers will remediate their vulnerabilities which allowed us to decrypt the files. Therefore, Check Point does not take responsibility for unsuccessful attempts to decrypt files using this tool.
  2. Before initiating the decryption process we recommend backing up your hard-disk.
  3. Make sure you are familiar with the specific procedure for booting your computer into safe mode.
  4. If you fail to get into safe mode ALL YOUR FILES WILL BE DELETED.

User manual:

After reading and familiarizing yourself with the cautions –

  1. Restart the computer into safe mode.
  2. Go to C:\users\%user name%\appdata\roaming\microsoft\windows\start menu\programs\startup\
  3. Look for either LOGON.exe or SystemLock.exe and delete them (their ‘Date Modified’ will be the infection date).
  4. Restart the computer again.
  5. Download and execute the decryptor *
  6. Click the “I PAY GET MY FILES BACK NOW!” button.

2 – PHP Ransomware

Check Point also discovered in the wild a new ransomware in the form of a PHP script. We first encountered it when accessing the domain hxxp://med-lex[.]com.

Although the PHP ransomware encrypts the victim’s files, it’s tricky to call it a “ransomware” per-se.

The script targets files with the following extensions:

zip, rar, r00, r01, r02, r03, 7z, tar, gz, gzip, arc, arj, bz, bz2, bza, bzip, bzip2, ice, xls, xlsx, doc, docx, pdf, djvu, fb2, rtf, ppt, pptx, pps, sxi, odm, odt, mpp, ssh, pub, gpg, pgp, kdb, kdbx, als, aup, cpr, npr, cpp, bas, asm, cs, php, pas, class, py, pl, h, vb, vcproj, vbproj, java, bak, backup, mdb, accdb, mdf, odb, wdb, csv, tsv, sql, psd, eps, cdr, cpt, indd, dwg, ai, svg, max, skp, scad, cad, 3ds, blend, lwo, lws, mb, slddrw, sldasm, sldprt, u3d, jpg, jpeg, tiff, tif, raw, avi, mpg, mp4, m4v, mpeg, mpe, wmf, wmv, veg, mov, 3gp, flv, mkv, vob, rm, mp3, wav, asf, wma, m3u, midi, ogg, mid, vdi, vmdk, vhd, dsk, img, iso

PHP malware

Notably, most content and management systems, such as WordPress, Joomla and Drupal, use PHP.

In other words, if a crook has your blog password and can upload files to your server, or if you have an unpatched server plugin that allows him to modify files that are supposed to be write-protected, and he can alter one or more of your PHP files…

…then he can install a payload on your website that will trigger whenever anyone happens to visit the booby-trapped page.

Indeed, he can activate the payload himself at will by accessing the page himself in what appears to be an entirely innocent web request.

That’s how the malware known as Troj/PHPRansm-B works.

It infects your server with a file called index.php that contains:

  • File encrypting and decrypting code using PHP.
  • Style-sheet information using CSS, plus inline images.
  • A “pay page” using HTML and JavaScript.

The file encryption doesn’t happen every time the page is viewed, only when the crook himself submits a specially-formatted upload request in which he specifies two passwords, a “test” password and a “full” password.

Once the encryption is kicked off, two randomly-chosen files are encrypted with the test password, and the rest with the full password. (The encryption uses the AES cipher in CBC mode.)
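Because the infection is a single PHP file that combines a directory walk over the target extensions, AES-CBC encryption and a pay page, a web-root scan for files showing that combination is a practical first check. The following is an added example, not code from Check Point or from the article; the indicator regexes, the flagging threshold and both sample files are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Extensions from the article's target list (a subset is enough for the heuristic).
TARGET_EXTS = {"zip", "rar", "7z", "xls", "xlsx", "doc", "docx", "pdf", "sql", "psd",
               "jpg", "jpeg", "mp4", "mp3", "vmdk", "iso", "php", "py", "java"}

# Traits the article attributes to the malicious index.php; the regexes are assumptions.
INDICATORS = {
    "aes_cbc": re.compile(r"(?i)aes-\d{3}-cbc|MCRYPT_MODE_CBC"),          # AES in CBC mode
    "crypto_call": re.compile(r"(?i)\b(openssl_encrypt|mcrypt_encrypt)\s*\("),
    "dir_walk": re.compile(r"(?i)\b(RecursiveDirectoryIterator|scandir|opendir|glob)\s*\("),
    "inline_image": re.compile(r"data:image/\w+;base64,"),                # CSS/HTML inline images
    "password_pair": re.compile(r"(?i)\$_(POST|REQUEST)\[\s*['\"][^'\"]*pass"),  # attacker-supplied key
}

def count_target_exts(source: str) -> int:
    """Number of distinct target extensions that appear as short quoted strings."""
    quoted = {m.lower() for m in re.findall(r"['\"]([a-z0-9]{1,5})['\"]", source)}
    return len(quoted & TARGET_EXTS)

def score_source(source: str) -> dict:
    """Which traits a single PHP source matches."""
    hits = {name: bool(rx.search(source)) for name, rx in INDICATORS.items()}
    hits["ext_list"] = count_target_exts(source) >= 8
    return hits

def is_suspicious(source: str) -> bool:
    """Flag only when bulk encryption calls appear alongside at least two other traits."""
    hits = score_source(source)
    return hits["crypto_call"] and sum(hits.values()) >= 3

def scan_webroot(root) -> list:
    """Paths of *.php files under root that match the profile (for review, not auto-removal)."""
    return [str(p) for p in Path(root).rglob("*.php")
            if p.is_file() and is_suspicious(p.read_text(errors="ignore"))]

# Constructed fixtures for a self-check; neither is the real sample.
SAMPLE_SUSPICIOUS = """<?php
$exts = ['zip','rar','7z','doc','docx','pdf','sql','psd','jpg','mp4'];
$pass = $_POST['full_pass'];
$it = new RecursiveDirectoryIterator('.');
$c = openssl_encrypt($data, 'aes-256-cbc', $pass);
?><img src="data:image/png;base64,iVBORw0KGgo="><h1>Your files are encrypted</h1>"""

SAMPLE_BENIGN = """<?php
// ordinary login handler: hashes one password, touches no other files
$hash = password_hash($_POST['password'], PASSWORD_DEFAULT);
echo json_encode(['ok' => true]);"""
```

Run `scan_webroot("/var/www/html")` (path is an assumption) and review each reported file by hand; a legitimate backup plugin can also match several traits, so the output is a triage list, not a verdict.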

Anyone else visiting the page – embarrassingly, this may very well include your prospects and customers – will see a warning page like this:


How to decrypt your files?

Even though the encryption seems irreparable at first, we were able to develop a decryptor which allows victims of the PHP ransomware to restore their original files without difficulty.

  1. Download the decryptor to the infected device*
  2. Execute the decryptor – once it starts running it will look for affected files and revert them to their original form

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
