A new piece of ransomware is easy to update and it uses open source software to encrypt files on infected computers.
Trend Micro and Symantec analyzed the malware, called BAT_CRYPTOR.A and Trojan.Ransomcrypt.L, respectively. Once it infects a computer, the ransomware uses GNU Privacy Guard (GnuPG), an open source implementation of the OpenPGP standard, to encrypt files and hold them for ransom.
The main component of Ransomcrypt is a batch file that enables the attackers to easily update the malware and control its behavior, Symantec said.
“The threat downloads the 1024-bit RSA public key and imports this key through an option in GnuPG. The malware then encrypts the victims’ files by using GnuPG’s Encrypt Files option with the public key. If the user wants to decrypt the affected files, they need the private key, which the malware author owns. It’s difficult for victims to decrypt the encrypted files without this private key,” Symantec’s Kazumasa Itabashi said in a blog post.
Trend Micro said GnuPG does not need to undergo installation on infected systems for the ransomware to perform its encryption routines. The malware can download a copy of the application if necessary.
Once the files end up encrypted, the malware renames them to “[file name].paycrypt@gmail_com.” Then, a text document written in Russian informs victims that they have to pay $200 to recover their files. Users then need to contact a specified email address for information on how to decrypt the compromised files.
In addition to BAT_CRYPTOR.A, Trend Micro found another new crypto ransomware which it named Cryptoblocker (TROJ_CRYPTFILE.SM). Unlike BAT_CRYPTOR.A, this threat doesn’t target only Russian speakers. Infections are in several countries, but the most affected are the United States (28 percent of infections), France (17 percent), Japan (10 percent), Spain (8 percent) and Italy (7 percent).
“This malware does not use CryptoAPIs, a marked difference from other ransomware. CryptoAPIs are used to make RSA keys, which were not used with this particular malware. This is an interesting detail considering RSA keys would make decrypting files more difficult. Instead, we found that the advanced encryption standard (AES) is found in the malware code,” Trend Micro Research Engineer Eduardo Altares II said in a blog post.
Trend Micro believes Cryptoblocker might be the creation of inexperienced malware writers because they did not remove compiler notes from the code, allowing security researchers to detect the files they create.