Cyber Security Firm Checkpoint Software Found Two New Ransomware Families And Built Their Decryptors

Attacks are more successful when effective countermeasures are not in place.  Security firms are consistently developing and releasing anti-ransomware applications and decryption tools in response to the threat.

Checkpoint found that ransomware attacks are surging, with their Global Threat Index showing that the number of ransomware attacks using Locky and Cryptowall increased by 10%.

Check Point’s Threat Intelligence Team reveals two new ransomware samples that were found in the wild, but also the decryption solutions which can help victims retrieve their lost data free of charge.

1– DeriaLock: Ransomware Evolving Within Hours

DeriaLock is a ransomware-type virus discovered by Karsten Hahn. There are two variants of this malware. The first locks the screen and displays a ransom-demand message.

The second encrypts files and appends the “.deria” extension to the name of each compromised file (e.g., “sample.jpg” is renamed to “sample.jpg.deria“). A pop-up window with a ransom-demand message is then displayed.

The screen-locking version contains a message stating that the computer has been locked and that a $30 ransom must be paid to unlock it.

The message is supposedly translated to German and Spanish, however, only the German version’s “Explain” button works. To submit payment, victims must contact DeriaLocker’s developers via Skype (“ARIZONACODE” Skype name).

The payment method is currently unknown. The Spanish version encrypts files and demands a $20/€20 ransom.

Check Point researchers have found a way to exploit several flaws in its implementation and created a decryption tools that helps you recover your files and avoid payment altogether.

How to retrieve your files?

Please use the below decryption tool with caution.

1. The decryptor is effective for the current version of the ransomware. As security companies and hackers are in an eternal cat and mouse chase, there is a chance that the attackers will remediate their vulnerabilities which allowed us to decrypt the files. Therefore, Check Point does not take responsibility for unsuccessful attempts to decrypt files using this tool.
2. Before initiating the decryption process we recommend backing up your hard-disk.
3. Make sure you are familiar with the specific procedure for how to reach to your safe mode during rebooting.
4. If you fail to get into safe mode ALL YOUR FILES WILL BE DELETED.

 User manual:

After reading and familiarizing yourself with the cautions –

1. Restart the computer into safe-mode
2. Go to C:\users\%user name%\appdata\roaming\microsoft\windows\start menu\programs\startup\
3. Look for either LOGON.exe or SystemLock.exe and delete them.

(the ‘Date Modified’ of them would be the infection date)

4. Restart the computer again
5. Download and execute the decryptor *
6. Click the “I PAY GET MY FILES BACK NOW!” button.

2 – PHP Ransomware

checkpoint also discovered in the wild a new ransomware in the form of a PHP script. We first encountered it when accessing the domain hxxp://med-lex[.]com.

Although the PHP ransomware encrypts the victim’s files, it’s tricky to call it a “ransomware” per-se.

Extensions are of the following:

zip, rar, r00 ,r01 ,r02 ,r03, 7z, tar, gz, gzip, arc, arj, bz, bz2, bza, bzip ,bzip2, ice, xls, xlsx, doc, docx, pdf ,djvu ,fb2,rtf, ppt, pptx, pps, sxi, odm, odt, mpp, ssh, pub, gpg, pgp, kdb, kdbx, als, aup, cpr, npr, cpp, bas, asm, cs, php, pas, class, py, pl, h, vb ,vcproj, vbproj, java, bak, backup, mdb, accdb, mdf, odb, wdb, csv, tsv, sql, psd, eps, cdr, cpt, indd, dwg, ai, svg, max, skp, scad, cad, 3ds, blend, lwo, lws, mb, slddrw, sldasm, sldprt, u3d, jpg, jpeg, tiff, tif, raw, avi, mpg, mp4, m4v, mpeg, mpe, wmf, wmv, veg, mov, 3gp, flv, mkv, vob, rm, mp3, wav, asf, wma, m3u, midi, ogg, mid, vdi, vmdk, vhd, dsk, img, iso         

PHP malware

Notably, most content and management systems, such as WordPress, Joomla and Drupal, use PHP.

In other words, if a crook has your blog password and can upload files to your server, or if you have an unpatched server plugin that allows him to modify files that are supposed to be write-protected, and he can alter one or more of your PHP files…

…then he can install a payload on your website that will trigger whenever anyone happens to visit the booby-trapped page.

Indeed, he can activate the payload himself at will by accessing the page himself in what appears to be an entirely innocent web request.

That’s how the malware known as Troj/PHPRansm-B works.

It infects your server with a file called index.php that contains:

• File encrypting and decrypting code using PHP.
• Style-sheet information using CSS, plus inline images.
• A “pay page” using HTML and JavaScript.

The file encryption doesn’t happen every time the page is viewed, only when the crook himself submits a specially-formatted upload request in which he specifies two passwords, a “test” password and a “full” password.

Once the encryption is kicked off, two randomly-chosen files are encrypted with the test password, and the rest with the full password. (The encryption uses the AES cipher in CBC mode.)

Anyone else visiting the page – embarrassingly, this may very well include your prospects and customers – will see a warning page like this:

How to decrypt your files?

 Even though the encryption seems irreparable at first, we were able to develop a decryptor which allows victims of the PHP ransomware to restore their original files without difficulty.

1. Download the decryptor to the infected device*
2. Execute the decryptor – once it starts running it will look for affected files and revert them to their original form

Know More about Ransomware and its evaluation in 2016 –Click Here