Tag Archives: Jakub Kroustek

Crypt888 Ransomware Has Facelift as It Seeks Fresh Victims

We have been following the slow evolution of an interesting strain of ransomware we have named ‘Crypt888’, which behaves unlike the other strains we have reported on over the past few months.

Crypt888 has been focused on experimenting with user interfaces rather than improving its code, serving up ransom instructions in a variety of languages including Italian and, most recently, Czech.

In June 2016, AVG’s Virus Lab released six free decryptors for recent strains of ransomware. We continue to monitor the situation, ready to update the tools as the ransomware evolves.

Our research uncovered one strain, Crypt888, behaving differently from the others. Instead of improving the code, the malware authors have focused on experimenting with the user interface, such as changing the language of the ransom message.

This means that the underlying AutoIt script remains the same as in the previous versions, but, oddly, the ransom instructions are served up only in Czech in the latest version.

This is how we identified and tracked the evolution of Crypt888.

Tracking a threat

Crypt888, also known as MicroCop and Mircop, is one of the many ransomware strains discovered in 2016 and its evolution has been very specific. After analyzing various samples, we found that the wallpaper containing ransom instructions is the only part of Crypt888 that has changed.

The underlying AutoIt script has remained more or less the same in all known versions of this strain. So have the encryption algorithm, encryption key, file names and various other components, which is unusual. This is why our decryptor can still rescue encrypted files; what keeps changing is the way Crypt888 presents itself. In the latest version, the instructions appear in Czech.

Changing the language in which the ransom message is delivered has been a hallmark of this particular threat. We tracked several evolutions of Crypt888 from its first appearance in June this year.

  • The ‘Guy Fawkes’ version, June 22, 2016: first known version of this ransomware
  • The ‘Business Card’ version, July 8, 2016: this version looks like a test version, as there are no payment instructions
  • The ‘Italian’ version, July 29, 2016: this version had several new features and the errors in the language suggest machine translation
  • The ‘Czech’ version, September 21, 2016: the latest variety appears in yet another language, again with errors suggesting the author is not a native speaker

The first encounter

The first known version of Crypt888 appeared as a black wallpaper with the image of a Guy Fawkes mask, a notorious symbol usually associated with Anonymous. The message accused the victim of stealing 48.48 Bitcoins ($30,000) from ‘the wrong people’ and demanded its return.

The threat intimated there would be repercussions but gave no details about how to repay or how the decryption process would work after payment. This is probably why we have found only one transaction to the provided bitcoin address so far.


Testing, testing, 1 – 2 – 3

A few weeks later, we identified a second version. This time, the wallpaper with the story and related accusations was gone. In fact, there were no payment instructions at all; instead, the wallpaper contained a “business card” (as seen in this video).

We have no clear explanation why this particular image was used, but we think it was probably a test version, based on the fact that no instructions or payment addresses were provided to victims.

Just in case, however, we released a free Crypt888 decryption tool, which was able to recover files encrypted by both this and the earlier version.


The Italian affair

Three weeks later, we identified yet another version of Crypt888 with multiple changes. The AutoIt code was once again similar to the previous versions and used the same algorithms, so our decryption tool remains fully functional for this version, but this time the code was obfuscated.

There was a new image which contained ransom instructions in Italian, with typos and errors that suggest machine translation. In addition, this version of Crypt888 did not create the text file LEGGIMI.txt, which should contain the payment instructions. This means victims would find themselves left with encrypted files and no instructions as to how to recover them.


Czech-mate

Malware researcher S!Ri identified this latest version, nearly two months after the Italian one. We investigated further and found that its code is no longer obfuscated and is essentially the same as in the first two versions, with the wallpaper being the only notable difference.

This time the ransom instructions appear in Czech, and their content departs from previous versions. First, the ransomware claims to be ‘Petya ransomware 2017’. Don’t be fooled: it is not. This is probably a maneuver to mislead Crypt888 victims who are searching for a free fix online.

Petya is a much more sophisticated piece of ransomware and is not decryptable at the moment. This is not the first time one ransomware strain has pretended to be another; we have observed lesser-known strains masquerading as more famous ones, such as TeslaCrypt, CryptoLocker or CryptoWall, on a number of occasions.

The Czech version also differs in that the ransom amount is ‘only’ 0.8 Bitcoin ($480 at the time of writing). The number reflects an apparent fixation with the digit ‘8’, which is used heavily across the program: in the ransom amounts, the configuration of the encryption algorithm, the created file names, etc. That is why we chose the name Crypt888 when we identified it.

Another change is that victims are given a five-day deadline to pay, and two email addresses are provided for sending proof of payment (and, allegedly, receiving the decryption tool), yet no penalty is mentioned for missing the deadline.

Finally, the authors hint at the ransomware’s origin with a sentence which, when translated, means “We belong to Czech/Russian Hackers”. Given the quality of the text and the code, those claims are hard to believe: the text contains many typos, incorrect word order, odd mixtures of text with and without Czech diacritics, and other errors. More likely, the text was produced by machine translation, like the Italian version.


At the time of writing, we have not found any further language variants of this ransomware and can reassure people that our free decryption tool will work for all the versions described here.

We suspect the authors of Crypt888 are still producing new versions of their ransomware. Their approach contrasts with that of other ransomware authors in that they focus primarily on changing graphics and inventing fake stories rather than on improving their code. We are continuing to monitor for any new variants that would require us to adapt our decryption tool, so that victims keep a means of mitigating a Crypt888 attack.

Bart’s Shenanigans Are No Match for AVG

AVG has decrypted Bart. No, not that Bart—there’s one that’s much worse. AVG Virus Lab researchers have created an easy fix for restoring files that fell victim to Bart ransomware.

Ransomware, like mouthy, slingshot-wielding grade-schoolers, just won’t stop popping up. One of the latest, appropriately called Bart, spreads primarily through emails with subject lines about photos and images. Though relatively new, Bart has already wrought havoc, encrypting files and demanding payment for their release far beyond Springfield; in fact, all over the world. And just like the world-famous “The Simpsons” character, Bart creates chaos using simple but effective tools, locking users’ files in password-protected ZIP files.

But you don’t have to be at Bart’s mercy any longer. AVG has created a decryption tool for current Bart versions to add to our growing list of decryptors, which you can easily use to foil hackers and keep yourself and your information safe.


How Will You Know Bart if You See It?

Bart ransomware appears to be the work of the same criminals behind Dridex and Locky. Rather than rewriting files with their encrypted versions, as Dridex and Locky do, Bart moves each file to a separate password-protected archive (ZIP file), then deletes the originals. But the results for the unwitting computer user are the same: no access to their own files … unless they pay a ransom.

Fortunately, Bart’s easy to identify. Infected machines include the bart.zip extension on original file names—for example, thesis.docx.bart.zip. Furthermore, the desktop wallpaper is usually changed to an image like this one:


The text on this image can also be used to help identify Bart, as it’s stored in files called “recover.bmp” and “recover.txt” on the victim’s desktop.


You Can Get Your Files Back—Easy as 1, 2, 3!

The encrypted files are also easy to recognize, because they are ZIP archives, denoted by the .zip extension. The trick is that they are password-protected, by a unique (and looong) password.

But never fear: AVG’s Bart decryptor works by comparing a single encrypted file with its unencrypted original. So before you download and run the tool, locate an original copy of one of the encrypted files for comparison, then follow these simple instructions:

  1. Select the file you want to compare. If all your files have been encrypted, you can often find an original in one of these places:
    1. A backup in the cloud or on a flash drive or other external drive.
    2. A standard Windows sound or picture (e.g. wallpaper), which you can download from the web.
    3. A document, picture, or video you received in an email.
  2. Copy the file to your desktop (Bart no longer encrypts files once it has asked you for money, so you should be okay) and download and run the Bart decryptor.
    1. A window will open asking you to add the encrypted file and the original (see Figure 2). The encrypted file should be in its original folder, the only difference being the “.bart.zip” extension.
  3. Once you’ve selected both files, click <NEXT>, and the tool does the rest, just as all our decryptors do.
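To make the pairing step concrete, here is an added example written for this page; it is not AVG’s decryptor and not Bart’s code. It builds a Bart-style archive in memory with the traditional PKWARE “ZipCrypto” cipher that PkCrack attacks, then performs the triage a known-plaintext attack needs: confirm from the header alone (no password required) that the archive is ZipCrypto rather than AES, read the name and size of the file it swallowed, and match it to a plaintext original. It does not reimplement PkCrack’s Biham-Kocher attack; it only prepares and checks its inputs. Assumptions: the ZIP entry keeps the original file name and is stored uncompressed; the sample file, password and nonce are constructed.

```python
"""Added example (not AVG's decryptor and not Bart's code): build a Bart-style
archive, one plaintext file moved into a ZIP entry under traditional PKWARE
"ZipCrypto" encryption, then do the triage step from the instructions above:
pair each encrypted archive with a plaintext original for a known-plaintext
attack, which is what PkCrack automates. Assumed: the inner entry keeps the
original file name and is stored uncompressed. Sample data is constructed."""
import io
import struct
import zipfile
import zlib

_CRCTAB = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRCTAB.append(_c)

def _crc32_step(crc, byte):
    return _CRCTAB[(crc ^ byte) & 0xFF] ^ (crc >> 8)

class ZipCrypto:
    """PKWARE traditional cipher (APPNOTE 6.1): 96 bits of state in three 32-bit
    keys seeded from the password. Each keystream byte depends on the previous
    plaintext byte, which is exactly what a known-plaintext attack exploits."""

    def __init__(self, password):
        self.k = [0x12345678, 0x23456789, 0x34567890]
        for b in password:
            self._update(b)

    def _update(self, b):
        k = self.k
        k[0] = _crc32_step(k[0], b)
        k[1] = (k[1] + (k[0] & 0xFF)) & 0xFFFFFFFF
        k[1] = (k[1] * 134775813 + 1) & 0xFFFFFFFF
        k[2] = _crc32_step(k[2], k[1] >> 24)

    def encrypt(self, plaintext):
        out = bytearray()
        for p in plaintext:
            t = (self.k[2] | 2) & 0xFFFF
            out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(p)  # state advances on the plaintext byte
        return bytes(out)

def build_bart_style_zip(inner_name, data, password, nonce11):
    """One stored entry, flag bit 0 (encrypted) set, 12-byte encryption header
    whose last byte is the CRC high byte (the password check byte)."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    body = ZipCrypto(password).encrypt(nonce11[:11] + bytes([crc >> 24]) + data)
    name = inner_name.encode()
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 1, 0, 0, 0x21,
                        crc, len(body), len(data), len(name), 0) + name
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 1, 0, 0, 0x21,
                          crc, len(body), len(data), len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1,
                       len(central), len(local) + len(body), 0)
    return local + body + central + eocd

def triage_archive(blob):
    """Read only the local file header (no password needed): ZipCrypto rather
    than WinZip AES, and which file, of what size, the archive swallowed."""
    if blob[:4] != b"PK\x03\x04":
        return None
    hdr = struct.unpack_from("<IHHHHHIIIHH", blob, 0)
    flags, method, usize, fnlen, extralen = hdr[2], hdr[3], hdr[8], hdr[9], hdr[10]
    extra = blob[30 + fnlen:30 + fnlen + extralen]
    aes = b"\x01\x99" in extra  # WinZip AES extra field id 0x9901; crude but enough here
    return {"inner_name": blob[30:30 + fnlen].decode("utf-8", "replace"),
            "plain_size": usize, "stored": method == 0,
            "zipcrypto": bool(flags & 1) and not aes}

def pair_for_known_plaintext(archives, originals, min_bytes=13):
    """archives: {path: bytes of a .bart.zip}; originals: {file name: bytes}.
    Returns (archive, original) pairs worth feeding to PkCrack: same name and
    size, ZipCrypto, and at least min_bytes of plaintext (thirteen is the
    assumed floor for the Biham-Kocher attack; more known bytes is faster)."""
    pairs = []
    for path, blob in archives.items():
        info = triage_archive(blob)
        orig = originals.get(info["inner_name"]) if info and info["zipcrypto"] else None
        if orig is not None and len(orig) == info["plain_size"] and len(orig) >= min_bytes:
            pairs.append((path, info["inner_name"]))
    return pairs

def open_with_password(blob, inner_name, password):
    """Sanity check with Python's own zipfile: the plaintext, or None if the password fails."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return zf.read(inner_name, pwd=password)
    except (RuntimeError, zipfile.BadZipFile):
        return None

# Constructed sample: a small document, an arbitrary password, a fixed nonce.
SAMPLE_NAME = "thesis.docx"
SAMPLE_DATA = b"constructed plaintext standing in for the victim's document\n" * 4
SAMPLE_PASSWORD = b"not-the-real-bart-password"
SAMPLE_ARCHIVE = build_bart_style_zip(SAMPLE_NAME, SAMPLE_DATA, SAMPLE_PASSWORD, bytes(range(11)))
```

The point to take from the ZipCrypto class is that its whole 96-bit state advances on each plaintext byte, so a dozen or so known bytes of one original file let an attacker recover the three keys and then decrypt the rest of that archive and any other made with the same password, however long that password is. That is why the decryptor asks for one encrypted/original pair rather than the password, and why a short original such as a stock wallpaper or an emailed picture is enough.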


Acknowledgement

We would like to thank Peter Conrad, author of PkCrack, who granted permission to use his library in the Bart decryptor. It takes a village.

Don’t pay the Ransom! AVG releases six free decryption tools to retrieve your files

Ransomware has proven very lucrative for criminals. Many have extended their “business” models by adding ransomware to their malicious catalog. To help prevent personal data and files being held hostage by cybercriminals, we have previously advised on how to avoid ransomware infections, and what to do if your files have already been held to ransom. In that article, we stated that:

“Many ransomware families contain weaknesses in their encryption algorithm, which may lead to decrypting your files even without paying the ransom! It may take some time to spot and exploit such weaknesses, but in the meantime don’t delete your encrypted files; there may still be hope.”

And now there is hope. With our new tools, you should be able to recover your files without paying the ransom.

Using the Ransomware Decryption Tools

Our new free tools are for the decryption of six current ransomware strains: Apocalypse, BadBlock, Crypt888, Legion, SZFLocker, and TeslaCrypt.

To use, follow our simple four step process to unlock your files:

  1. Run a full system scan on the infected PC.
  2. (Optional) Back up the encrypted files to a separate flash drive, so they can be transferred to another PC for decryption.
  3. Identify which strain encrypted your files. See the descriptions of each strain below. If your infection matches the strain details, download the appropriate tool and launch it.
  4. The tool opens a wizard, which breaks the decryption process into several easy steps.

Follow the steps, and you should again be able to reclaim your files in most cases. After decryption, be sure to securely back up restored files on a flash drive or in the cloud.

Apocalypse

The Apocalypse ransomware appends “.encrypted”, “.locked”, or “.SecureCrypted” to names of encrypted files (e.g. example.docx.encrypted, example.docx.locked, example.docx.SecureCrypted). It also creates ransom messages in files with extensions “.How_To_Decrypt.txt”, “.README.Txt”, or “.Contact_Here_To_Recover_Your_Files.txt” (e.g. example.docx.How_To_Decrypt.txt, example.docx.README.Txt, or example.docx.Contact_Here_To_Recover_Your_Files.txt).

In those messages, you can find contact addresses such as [email protected], [email protected], [email protected], or [email protected].

We prepared two separate decryption tools for this strain: one for the early versions of Apocalypse and the other one for the current version:

http://files-download.avg.com/util/avgrem/avg_decryptor_Apocalypse.exe

http://files-download.avg.com/util/avgrem/avg_decryptor_ApocalypseVM.exe

BadBlock

BadBlock does not rename encrypted files. You can identify BadBlock by the ransom message named “Help Decrypt.html” and by the red windows containing ransom messages.

The BadBlock decryption tool can be found here:

http://files-download.avg.com/util/avgrem/avg_decryptor_BadBlock32.exe

http://files-download.avg.com/util/avgrem/avg_decryptor_BadBlock64.exe

Crypt888

Crypt888 (aka Mircop) creates encrypted files with the prepended name “Lock.” (e.g. Lock.example.docx). It also changes your desktop’s wallpaper.

Unfortunately, Crypt888 is a badly written piece of code, which means some encrypted files or folders will stay encrypted even if you pay the ransom, because the criminals’ “official decryptor” may not work. The AVG decryptor can be found here:

http://files-download.avg.com/util/avgrem/avg_decryptor_Crypt888.exe

Legion

Legion encrypts and renames your files with names like “example.docx[email protected]$.legion”. It also changes the desktop wallpaper and displays a warning about your encrypted files.

Note: Don’t be confused by another ransomware strain that renames files to a similar name – “[email protected]”. It is NOT the same strain and it cannot be decrypted by this tool.

The decryptor is available here:

http://files-download.avg.com/util/avgrem/avg_decryptor_Legion.exe

SZFLocker

The name of this ransomware comes from the string appended to the names of encrypted files (e.g. example.docx.szf). The original files are rewritten with a Polish message.

The decryptor for SZFLocker is available here:

http://files-download.avg.com/util/avgrem/avg_decryptor_SzfLocker.exe

TeslaCrypt

Last but not least, we prepared a decryptor for the infamous TeslaCrypt. This tool supports decryption of files encrypted by TeslaCrypt v3 and v4. The encrypted files come with various extensions, such as .vvv, .micro or .mp3, or keep the original name only. It also displays a ransom message.

The decryptor can be found here:

http://files-download.avg.com/util/avgrem/avg_decryptor_TeslaCrypt3.exe
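To make step 3 of the procedure above (identifying the strain before picking a decryptor) repeatable, here is an added triage helper written for this page; it is not AVG’s tool and not part of any decryptor. It scores a file listing against the naming indicators given for each strain above. Ransom-note names that belong to one strain count as strong evidence; bare extensions count for little, because “.locked” or “.mp3” also appear on clean files, and TeslaCrypt sometimes keeps the original name, so “no verdict” is a legitimate answer that sends you back to the ransom note and wallpaper. The listing is constructed, the weights and thresholds are my assumptions, and the Legion pattern only checks the “$.legion” suffix: the e-mail address in the name, which separates Legion from the look-alike strain mentioned above, must be compared by hand.

```python
"""Added triage helper, not AVG's tool: guess which of the six strains above
produced a set of file names, using only the naming indicators this page gives.
Ransom-note names unique to a strain are strong evidence; bare extensions are
weak (".locked" and ".mp3" occur on clean files), and TeslaCrypt may keep the
original name, so returning None (no verdict) is a valid outcome. The sample
listing is constructed; the weights and thresholds are assumptions."""
import re
from collections import Counter

INDICATORS = [  # (strain, pattern on the base name, weight)
    ("Apocalypse", r"\.(encrypted|locked|SecureCrypted)$", 1),
    # note files are named <original>.<ext>.How_To_Decrypt.txt etc.; requiring the
    # "<ext>." in front keeps an ordinary README.txt from scoring
    ("Apocalypse", r"\.\w+\.(How_To_Decrypt\.txt|README\.Txt|Contact_Here_To_Recover_Your_Files\.txt)$", 5),
    ("BadBlock",   r"^Help Decrypt\.html$", 5),  # files are not renamed; only the note identifies it
    ("Crypt888",   r"^Lock\.", 3),               # prepended "Lock." (e.g. Lock.example.docx)
    ("Legion",     r"\$\.legion$", 3),           # compare the e-mail part with the note by hand
    ("SZFLocker",  r"\.szf$", 3),
    ("TeslaCrypt", r"\.(vvv|micro)$", 3),
    ("TeslaCrypt", r"\.mp3$", 1),                # also a normal media extension
]
_COMPILED = [(s, re.compile(p, re.IGNORECASE), w) for s, p, w in INDICATORS]

def score_listing(paths):
    """Sum indicator weights per strain over the base names in the listing."""
    scores = Counter()
    for path in paths:
        base = path.replace("\\", "/").rsplit("/", 1)[-1]
        for strain, rx, weight in _COMPILED:
            if rx.search(base):
                scores[strain] += weight
    return scores

def identify_strain(paths, min_score=3, min_margin=2):
    """Best-scoring strain, or None when evidence is weak or two strains are
    close; in that case read the ransom note and wallpaper before choosing a tool."""
    ranked = score_listing(paths).most_common(2)
    if not ranked:
        return None
    best, best_score = ranked[0]
    runner_up = ranked[1][1] if len(ranked) > 1 else 0
    if best_score < min_score or best_score - runner_up < min_margin:
        return None
    return best

# Constructed listing from a hypothetical victim machine.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\thesis.docx.encrypted",
    r"C:\Users\alice\Documents\thesis.docx.How_To_Decrypt.txt",
    r"C:\Users\alice\Pictures\holiday.jpg.encrypted",
    r"C:\Users\alice\Music\track01.mp3",
]
```

Run it over a directory walk of the victim’s profile rather than the whole disk, since program folders are full of README.txt and .locked files that mean nothing, and treat the Apocalypse split (early versus current version) as a separate manual decision: the naming indicators above do not distinguish the two.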

Conclusion

At AVG, we take ransomware threats very seriously. Be proactive by using multilayered protection, such as AVG Antivirus Pro, which detects and removes ransomware. Decryption tools are a last resort for when your files have already been encrypted by ransomware and you need to get your valuable data back.

Ransomware on the rise – how to protect your devices and data

Dozens of active ransomware variants such as TeslaCrypt, Locky and Crypt0L0cker continue to extort victims daily. And Ransomware-as-a-Service threatens to make matters worse.

Ransomware: you will not find a more frequently used word in the antivirus industry in these past few months. AVG’s Virus Lab has analysed dozens of different ransomware “families” in that time.

Based on the number of new unique samples per day, it seems that the ransomware trend is steadily increasing.

Some ransomware families appear to have been created by amateur programmers eager to earn easy money (Radamant, LeChiffre, or Hidden-Tear derivatives, just to name a few), while others are developed by professionals and operated by cyber gangs (e.g. CryptoWall).

At present, the most active families are TeslaCrypt, CryptoWall, and Crypt0L0cker (aka TorrentLocker) with each of these families spreading in multiple ways. The most common infection methods are via exploit kits and phishing emails (as links or attachments).

We have noticed many different approaches to creating ransomware, including the choice of programming language. While C, C++, C# and Delphi are very popular among malware authors in general, we have seen ransomware written in JavaScript, Java, and even purely in Windows .bat files.

More worryingly, we have identified “Ransomware-as-a-Service” offerings that are threatening to make things much worse. These often Tor-hosted (anonymous) websites make it possible to generate custom ransomware with just a few clicks – in return for a share (5-20%) of future earnings, i.e. ransom revenue.

But it’s also the brazen attitude and apparent confidence of some ransomware authors that is disturbing. We have found the Nanlocker ransomware contains a now famous (and very unfortunate) statement that was made by a member of the FBI at a security conference.

How to protect your computers and networks against ransomware.

  1. Don’t trust any links or attachments in email – this remains the most common way that ransomware takes hold. If you weren’t expecting the email, do not open it. If unsure, always seek a second opinion from a tech savvy friend – or just delete the email.
  2. Keep your software and operating system updated. Ransomware is targeting not only Windows, but also Linux (e.g. Linux.Encoder) and even Mac.
  3. Uninstall unused or notoriously vulnerable applications – for example, if you don’t need Adobe Flash Player, remove it and any other applications you’re not using. Stick to the minimum.
  4. Use the latest protection software. AVG Internet Security is a great choice because it offers multiple layers of protection; we take the ransomware threat very seriously, and our software is capable of detecting the ransomware families mentioned earlier, plus more.
  5. Back up your files regularly and keep your backup media disconnected from your PC; otherwise, your backups might get encrypted as well. This also applies to cloud storage and network drives (e.g. Dropbox, Google Drive).

What if it’s too late, and your files are already being held to ransom?

  1. If your files have already been encrypted by ransomware, the most important thing is to stay calm.
  2. Immediately contact technical support (e.g. your IT department or your AV vendor) for further assistance, if available to you. Seek expert advice as early as possible.
  3. We strongly advise against paying the ransom. You have no guarantee from the criminals that your files will be restored, and if every victim refused to pay, this type of crime would quickly decline.
  4. It is quite possible that the decryption key is still located on the computer. Many ransomware families contain weaknesses in their encryption algorithm, which may allow your files to be decrypted without paying the ransom. It may take some time to spot and exploit such weaknesses, so in the meantime don’t delete your encrypted files; there may still be hope (another reason to call tech support).

Weather Forecast for Today? Advert Flood Coming from East

Despite blocking efforts, online advertising is a daily part of our lives. Most of us have got used to the large volume of adverts displayed every day, but authors of malicious code are now trying to push the limits much further via the advert-injection techniques used in malware.

Spreading

In this post, we present a case study of one such piece of malware, which we detected via our AVG Identity Protection (IDP) component. Based on our telemetry, this infection is highly active and is currently at its peak. The most affected countries are the United States and Germany, followed by Saudi Arabia and the United Arab Emirates.

Countries most affected by spreading of this adverts-injection campaign (Jun-Sep 2015).

Behaviour of This Threat

The infection starts when the user installs an application described by its authors as a “Weather Forecast Application”. Once installed, however, this application silently downloads and installs other components that are purely malicious: the threat tries to infect all installed browsers and inject additional adverts into the pages they display. It also periodically loads sets of adverts in the background without notifying the user. As a side effect, it sacrifices the security and performance of the infected system for the purpose of making money via ad providers.

Injecting adverts in visited pages.

Flood of pop-up windows.

Detailed Analysis

Details about this threat are described in the following technical analysis.

You can also download the report now.

Stay Safe

AVG customers are protected against this threat via our multi-level protection in AVG Internet Security. If you’re not protected, you might want to check your systems using the indicators of compromise (IOC) listed in the aforementioned technical analysis.

Banking Trojan Vawtrak: Harvesting Passwords Worldwide

Over the last few months, AVG has tracked the rapid spread of a banking Trojan known as Vawtrak (aka Neverquest or Snifula).

Once it has infected a system, Vawtrak gains access to bank accounts visited by the victim. Furthermore, Vawtrak uses the infamous Pony module for stealing a wide range of login credentials.

While Vawtrak Trojans are not new, this particular sample is of great interest.


How and where is it spreading?

The Vawtrak Trojan spreads in three main ways:

  • Drive-by download – in the form of spam email attachments or links to compromised sites
  • Malware downloader – such as Zemot or Chaintor
  • Exploit kit – such as Angler

Based on our statistics, the Czech Republic, USA, UK and Germany are the countries most affected by the Vawtrak campaigns this year.

Countries most affected by the spreading of Vawtrak in Q1 2015.


What are the features of this Vawtrak?

This Vawtrak sample is remarkable for the high number of functions that it can execute on a victim’s machine. These include:

  • Theft of multiple types of passwords used online or stored on the local machine;
  • Injection of custom code into web pages displayed to the user (mostly related to online banking);
  • Surveillance of the user (keylogging, taking screenshots, capturing video);
  • Creating remote access to the user’s machine (VNC, SOCKS);
  • Automatic updating.

Of particular interest from a security standpoint is that, by using a Tor2web proxy, it can reach update servers hosted as Tor hidden services without installing specialist software such as the Tor Browser.

Moreover, the communication with the remote server is done over SSL, which adds a further layer of encryption.

This Vawtrak sample also uses steganography to hide update files inside favicons, so that downloading them does not look suspicious. Each favicon is only a few kilobytes in size, but that is enough to carry a digitally signed update file hidden inside.
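As an added example (not from AVG’s analysis and not Vawtrak’s code), here is detection logic for the two update-channel traits just described, run over constructed proxy-log lines. A Tor2web gateway turns a hidden-service address into an ordinary hostname, so a bot that uses one leaves the gateway domain in plain web-proxy logs even though the service itself lives on Tor; and because the update travels as a favicon, a favicon request to such a host gets the highest severity. The gateway domain list, the log line format and the 16-character v2 onion label check are assumptions to adapt to your own environment.

```python
"""Added example, not from AVG's analysis or Vawtrak's code: detection logic for
the two update-channel traits described above, run over constructed proxy log
lines. Tor2web gateways let a bot reach a Tor hidden service over plain HTTP(S),
so the gateway domain shows up in ordinary web logs, and the update payload is
fetched as a favicon. The gateway domain list and the log format are assumptions."""
import re
from collections import namedtuple

# Assumed public Tor2web gateway suffixes; extend from your own threat intel.
TOR2WEB_SUFFIXES = (".onion.to", ".onion.cab", ".onion.link", ".tor2web.org")
# A v2 hidden-service address (the kind in use in 2015) is 16 base32 characters.
ONION_V2 = re.compile(r"^[a-z2-7]{16}$")

Alert = namedtuple("Alert", "line host severity reason")

def classify_host(host):
    """Return (gateway suffix or None, whether the label before it is an onion address)."""
    host = host.lower().rstrip(".")
    for suffix in TOR2WEB_SUFFIXES:
        if host.endswith(suffix):
            label = host[:-len(suffix)].split(".")[-1]
            return suffix, bool(ONION_V2.match(label))
    return None, False

def scan_proxy_log(lines):
    """Constructed line format: '<timestamp> <client> <method> <host> <path> <bytes>'."""
    alerts = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) != 6:
            continue  # malformed line; a real parser would count and report these
        _ts, _client, _method, host, path, _size = parts
        suffix, is_onion = classify_host(host)
        if suffix is None:
            continue
        if is_onion and path.lower().endswith("favicon.ico"):
            sev, why = "high", "favicon fetched from a hidden service via Tor2web (Vawtrak hides updates in favicons)"
        elif is_onion:
            sev, why = "medium", "hidden service reached through Tor2web gateway " + suffix
        else:
            sev, why = "low", "Tor2web gateway contacted without an onion label"
        alerts.append(Alert(n, host, sev, why))
    return alerts

# Constructed log lines; the onion label is made up, not a real service.
SAMPLE_LOG = [
    "2015-03-02T10:14:01Z 10.1.2.3 GET www.example.com /index.html 5120",
    "2015-03-02T10:14:07Z 10.1.2.3 GET examplehiddensvc.onion.to /favicon.ico 3314",
    "2015-03-02T10:14:09Z 10.1.2.3 GET examplehiddensvc.onion.to /cfg/update 2048",
    "2015-03-02T10:15:00Z 10.1.2.4 GET www.onion.to / 800",
]
```

With the SSL the post mentions, a forward proxy sees only the CONNECT host (or the TLS SNI), not the path, so the favicon rule needs TLS inspection or an endpoint-side source such as browser or EDR telemetry; the host rule still fires on CONNECT lines, which is usually the first thing you have.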


Detailed analysis

Our complete analysis of this malware is too long to publish in full on this blog so we have prepared a detailed white paper that describes this infection, its internals and functions in detail.


You can also download the report here


Stay Safe

While this Vawtrak Trojan is very flexible in functionality, its code is mostly basic and can be defended against. At AVG, we protect our users from Vawtrak in several ways:

  • AVG LinkScanner and Online Shield provide real-time scanning of clicked links and web pages containing malicious code.
  • AVG Antivirus provides generic detection of malicious files and regular scans.
  • AVG Identity Protection, which uses behavior-based detection, will detect even the latest versions of such infections.
  • AVG Firewall prevents unsolicited network traffic, such as communication with a C&C server.