In how many cases do bad guys reverse engineer a product or a vulnerability and build themselves a quality attack?
In a twist, one student found a piece of ransomware, reverse engineered it and built a nice little defense mechanism.
University of Sussex student Simon Bell reverse-engineered the Android Simplocker (Simplelocker) ransomware, and created a Java program that can convert into an Android app to decrypt the files encrypted by the malware.
Simplocker first came to light by ESET researchers earlier this month. The malware scans the SD card for certain file types, encrypts them using AES, and demands a ransom in order to decrypt the files.
“Our analysis of the Android/Simplock.A sample revealed that we are most likely dealing with a proof-of-concept or a work in progress – for example, the implementation of the encryption doesn’t come close to ‘the infamous Cryptolocker’ on Windows,” the researchers pointed out at the time, and advised against paying the ransom, as there is no guarantee the crooks will keep their part of the bargain and decrypt the files upon receiving the money.
Bell said the creators of the malware didn’t use code obfuscation techniques, which allowed him to dissect it easily.
“The antidote for this ransomware was incredibly easy to create because the ransomware came with both the decryption method and the decryption password. Therefore producing an antidote was more of a copy-and-paste job than anything,” he said in a blog.
“It’s also worth noting that while this antidote doesn’t detect the decryption password automatically, it could be possible to do so. However, future versions of the ransomware will probably not reveal the decryption password so easily and will likely receive it from the C&C server,” he said. Future versions of this and other ransomware will likely prove significantly harder to reverse-engineer, he said.