A new strain of ransomware actually makes good on its threat, doing what the majority of other varieties only claim to do. This Trojan is capable of encrypting data on infected machines, effectively rendering certain files inaccessible to users on compromised computers in order to block removal.
This new version of the otherwise well-known police ransomware Trojan is unique in that it really does fulfill its promise.
Most ransomware campaigns display a familiar warning asserting that the user has committed some crime and that the machine will remain locked down or encrypted until the user pays the fine associated with that transgression, according to a report by Hynek Blinka on the AVG News and Threats blog.
In most cases, it is possible to find the malware and remove it without paying the fine (which may or may not resolve the problem anyway). In this case, however, Blinka found the Trojan encrypting images, documents and executables in an attempt to hinder any removal attempts. Whoever is responsible for the malware is not in the business of completely crippling machines, so Windows system files are not included in the forced encryption. Infected computers will still function for the most part, but data will be lost and many third-party programs will not work.
According to the report, upon execution the malware starts either ctfmon.exe or svchost.exe, chosen at random, and injects its own code into it. The injected system process then reportedly executes a copy from the %TEMP% folder, creating ctfmon.exe or svchost.exe child processes that carry the injected code, which is where things get interesting.
First the malware generates a unique computer ID, then it combines that ID with the fixed string “QQasd123zxc” to produce an encryption key with crypto API functions such as “advapi32!CryptHashData” and “advapi32!CryptDeriveKey”, so the attacker can regenerate the same key whenever that string and ID are used. The malware then sends requests carrying the computer ID back to its command and control server; the server encrypts its replies with this first key, and the Trojan decrypts them on the infected computer.
Next, a second key is created using “advapi32!CryptGenKey.” Blinka said this function creates a random key on every call, so unlike the first key it cannot be recreated. The second key is then exported as an RSA2 blob, encrypted with the first key, base64-encoded and sent back to the C&C server, where it is paired with the computer ID in the attacker’s database.
Lastly, the malware determines the list of files it wants to encrypt and encrypts them with “advapi32!CryptEncrypt” using the second key, before the well-known ransom note appears on the victim’s locked screen.
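As an added illustration (not code from the article or from AVG), the key hierarchy described above modelled in Python, with SHA-256 standing in for the unnamed CryptHashData/CryptDeriveKey algorithm and an HMAC counter-mode keystream standing in for the unnamed CryptEncrypt cipher. It shows why the first key, derived only from the computer ID and the hardcoded string, is reproducible by anyone holding those inputs, so a responder who has captured the C&C upload can unwrap the second key and restore the files; the computer ID and file contents are constructed sample values.

```python
import base64
import hashlib
import hmac
import os

FIXED_STRING = b"QQasd123zxc"  # the hardcoded string quoted in the article


def derive_first_key(computer_id: bytes) -> bytes:
    # Deterministic: same computer ID + same fixed string -> same key.
    # Models CryptHashData/CryptDeriveKey; SHA-256 is an assumption.
    return hashlib.sha256(computer_id + FIXED_STRING).digest()


def generate_second_key() -> bytes:
    # Fresh random key on every call, not reproducible (models CryptGenKey).
    return os.urandom(32)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    # Stand-in symmetric cipher (assumed; the article names none): HMAC-SHA256
    # counter-mode keystream XORed with the data. Applying it twice decrypts.
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def model_key_hierarchy(computer_id: bytes, files: dict) -> tuple:
    # The flow from the article: key1 from ID + fixed string, random key2,
    # key2 wrapped under key1 and base64-encoded for the C&C, files under key2.
    key1 = derive_first_key(computer_id)
    key2 = generate_second_key()
    wrapped_key2 = base64.b64encode(keystream_xor(key1, key2))
    encrypted = {name: keystream_xor(key2, body) for name, body in files.items()}
    return wrapped_key2, encrypted


def recover_files(computer_id: bytes, wrapped_key2: bytes, encrypted: dict) -> dict:
    # Responder's view: the computer ID plus the captured C&C upload is enough
    # to rebuild key1, unwrap key2 and decrypt, because key1 is never secret.
    key1 = derive_first_key(computer_id)
    key2 = keystream_xor(key1, base64.b64decode(wrapped_key2))
    return {name: keystream_xor(key2, body) for name, body in encrypted.items()}


# Constructed sample: a hypothetical computer ID and two victim files.
SAMPLE_ID = b"PC-0001-EXAMPLE"
SAMPLE_FILES = {"report.docx": b"quarterly figures", "photo.jpg": b"\xff\xd8\xff\xe0 jpeg"}
```

Because the real malware's hash, cipher and blob format are not named in the article, the recovery path shown here is the structural point, not a decryptor for this sample.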
At this point, the attacker has the second key and could decrypt the encrypted files if he or she so desires. The malware also reportedly compounds its victim’s woes by disabling regedit, the task manager, and msconfig. AVG is detecting the virus as “Trojan horse Generic31.LBT” and identifying its MD5 as “51B046256DB58B603A27EBA8DEE05479.”