Tag Archives: Lawrence Abrams

SyncCrypt: Getting the Ransomware Picture?

Lawrence Abrams, for Bleeping Computer, describes how the SyncCrypt Ransomware Hides Inside JPG Files, Appends .KK Extension.

The article describes ransomware discovered by Emsisoft’s xXToffeeXx, distributed as spam attachments containing WSF (Windows Script File) objects. The WSF script pulls down images containing embedded Zip files. Abrams reports that the ‘WSF attachments are pretending to be court orders with file names like CourtOrder_845493809.wsf.’

VirusTotal searches today indicate that detection of the image file for which a hash is provided is rising, but it is still lower than the detection rate for the executable, which the majority of mainstream security products now detect. The JPGs are not harmful in themselves, but the embedded Zip file contains the malicious sync.exe executable. Detection of the WSF file for which a hash is provided is also lower than for the executable.
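As an added illustration (not code from the Bleeping Computer article or from this blog), a defender-side check for the JPG/ZIP combination described above: it looks for a ZIP archive riding after the JPEG image data and lists any member with an executable or script extension. The stub image bytes, the dummy archive member and the flagged-extension list are all constructed for the example.

```python
import io
import zipfile

# Format signatures: JPEG Start-Of-Image, ZIP local file header, ZIP End-Of-Central-Directory.
JPEG_SOI = b"\xff\xd8\xff"
ZIP_LOCAL_FILE_HEADER = b"PK\x03\x04"
ZIP_END_OF_CENTRAL_DIR = b"PK\x05\x06"
# Archive members a picture has no business carrying; flag these for triage.
RISKY_EXTENSIONS = (".exe", ".wsf", ".js", ".vbs", ".scr", ".dll", ".bat")


def find_embedded_zip(data):
    """Return details of a ZIP archive carried inside JPEG bytes, or None.
    Image viewers stop at the JPEG End-Of-Image marker and ignore what follows,
    while a ZIP reader locates its End-Of-Central-Directory record from the end
    of the file and tolerates leading bytes. That asymmetry is what this checks for.
    """
    if not data.startswith(JPEG_SOI):
        return None  # not a JPEG; out of scope for this check
    zip_start = data.find(ZIP_LOCAL_FILE_HEADER)
    if zip_start == -1 or data.rfind(ZIP_END_OF_CENTRAL_DIR) < zip_start:
        return None  # no complete archive structure present
    try:
        # zipfile tolerates leading junk (that is how self-extracting archives
        # work), so the whole blob can be handed over unchanged.
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            members = archive.namelist()
    except zipfile.BadZipFile:
        return None
    risky = [m for m in members if m.lower().endswith(RISKY_EXTENSIONS)]
    return {"zip_offset": zip_start, "members": members, "risky_members": risky}


def build_sample(payload_name=None):
    """Construct a tiny JPEG-like stub, optionally with a ZIP appended after EOI.
    The image bytes (SOI, empty APP0 segment, EOI) are a constructed stub, not a
    real picture, and the archive member holds dummy text, not an executable.
    """
    jpeg = b"\xff\xd8\xff\xe0\x00\x02" + b"\xff\xd9"
    if payload_name is None:
        return jpeg
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr(payload_name, b"placeholder bytes, not an executable")
    return jpeg + buf.getvalue()


if __name__ == "__main__":
    print(find_embedded_zip(build_sample("sync.exe")))  # flags the hidden member
    print(find_embedded_zip(build_sample()))  # None: plain image, nothing appended
```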

There’s no free decryption for affected data at this time.

IOCs, filenames etc. are appended to the Bleeping Computer analysis.

David Harley


Reyptson Ransomware

Lawrence Abrams for Bleeping Computer: Reyptson Ransomware Spams Your Friends by Stealing Thunderbird Contacts. He says:

‘…unfortunately there is no way to decrypt this ransomware currently for free. We have, though, set up a dedicated Reyptson Support & Help Topic for those who wish to discuss it or ask questions.’

Announcement by Emsisoft’s @PolarToffee.

Notes from @malwrhunterteam

David Harley

CryptXXX 3.0: gang breaks own decryptor

On May 24th 2016, the CryptXXX situation took a turn for the worse. Lawrence Abrams reported for Bleeping Computer that CryptXXX version 3.0 not only prevented Kaspersky’s RannohDecryptor from enabling victims to decrypt their files for free, but also had the (presumably unintended) effect of breaking the criminals’ own decryption key. In other words, even paying the ransom doesn’t, at the time of writing, guarantee that you’ll get a working decryptor. When a ransomware gang screws up, it doesn’t always work to the benefit of the victim.

Bleeping Computer has some resources specific to CryptXXX: CryptXXX Support & Help Topic; the CryptXXX Ransomware Help, Information Guide, and FAQ.

David Harley

Ransomware: the gift cards that keep on giving

While Bitcoin (and, potentially, its competitors and peers, I suppose) has obvious advantages for the extortionist, we’ve seen a curious shift towards other forms of ransom payment recently. In Music-Loving Android.Locker Ransomware I described malware that demands payment in iTunes gift cards, while Lawrence Abrams for Bleeping Computer reports on something called TrueCrypter that demands payment either as 0.2 bitcoins or as $115 in Amazon gift cards: TrueCrypter Ransomware accepts payment in Bitcoins or Amazon Gift Card.

He also mentions an unnamed Android screen locker that also demands Amazon gift cards. He observes:

This is an odd choice of a ransom payment as the Amazon Gift Card funds can easily be tracked by Amazon. This, and the fact that the payment confirmation system is broken, makes me believe that this program was made by an amateur rather than a seasoned malware developer.

He has a point, but I’m told there are forums where gift cards might be ‘laundered’ before they turn up in the virtual economy. Still, TrueCrypter looks very amateur for other reasons, too. Just clicking on the ‘Pay’ button decrypts your files. I suspect that won’t always be the case, though.

David Harley

Petya – cracking the encryption for free

A flaw in Petya – the current version, at least – has allowed an unidentified researcher to create a key generator to crack the encryption without paying 0.9 bitcoin to the criminals. BBC story: Petya ransomware encryption system cracked. Commentary by David Bisson for Graham Cluley’s blog: Infected by Petya ransomware? Use this tool to unlock your files… for now – Thank goodness ransomware sometimes contains bugs too… And the website set up to help people with generating a key: unfortunately, the average victim will have problems getting the information necessary to kickstart the process.

Confirmed by Lawrence Abrams of Bleeping Computer.

David Harley

Petya Ransomware: information sources

I’m in the middle of moving house and not able to comment at length, but here are some sources for commentary on the Petya ransomware, which, as Bleeping Computer puts it, skips the files and encrypts your hard disk instead. Note that repairing the Master Boot Record doesn’t recover your data.

Darren Pauli for the Register: Ransomware now using disk-level encryption – German firms fleeced by ‘Petya’ nastyware that performs fake CHKDSK. Cites discussion on KernelMode.info forums.

David Bisson for Graham Cluley’s blog: Petya ransomware goes for broke and encrypts hard drive Master File Tables – Chances are you’ll notice you’ve got a problem when the red skull appears during boot-up… He cites Jasen Sumalapao, writing for Trend Micro.

David Harley 


Tripping over EDA2 Backdoor Threshold

Lawrence Abrams describes for Bleeping Computer a not-all-that-common happy ending (at least for the moment): Pompous Ransomware Dev Gets Defeated by Backdoor.

The story concerns a scammer who based his ransomware on the open-source EDA2 ransomware and took the opportunity to lecture his victims, claiming bragging rights to which he was not entitled: a backdoor in EDA2 allowed recovery of the decryption keys. Unfortunately, some of his victims have already paid the ransom for their particular decryption keys.

David Harley

Cerber Ransomware: a Word in your Ear

Lawrence Abrams, for Bleeping Computer, reports that The Cerber Ransomware not only Encrypts Your Data But Also Speaks to You. Files are AES encrypted, a ransom starting at 1.24 Bitcoins is demanded, and there is currently no way of restoring encrypted files (except from backup, of course) for free. And this ransomware, apparently offered as a service on a ‘closed underground Russian forum’, clearly wants the victim to know that it has struck: not only does it litter a victimized PC with ransom notes, but it also creates a VBS script that generates an audio message telling the victim that “Your documents, photos, databases and other important files have been encrypted!”

Other commentary by Shell Spawner$ and by David Bisson for Graham Cluley’s blog: Cerber ransomware speaks to you: ‘Your files are encrypted’ – If your files have a .CERBER extension, you don’t need malware to tell you you’ve got a problem.

Information added to the Ransomware Resources page.

David Harley