August 20th, 2013

No problem bro – ransom decryption service

If thieves gain control of sensitive personally identifiable information (PII) on your computer, your identity can be stolen. Files containing information such as your social security number, driver’s license number, date of birth, or full name are examples of files that should be encrypted. Confidential business data like individual customer information or intellectual property should also be encrypted for your safety.

In this blog post we will look at a service offering file decryption. This service helps you to decrypt files which were previously encrypted. But this is no helpful ‘Tips and Tricks’ blog for people who forgot the password to their documents and ask for help recovering it. Although breaking weak passwords is quite possible, noproblembro.com specializes in a different type of service.

01-noproblembro

The ‘No problem bro’ mission statement is not very concrete. The enigmatic text says, “If you are here, you must know what type of service we are providing.” They boast about offering an “individual approach”. The sentence, “You pay only after providing the job (this could be screenshots or part of the documents)”, tells us that the decryption service has something to do with “documents”. In order to stay completely anonymous, the service accepts payment only in Bitcoin (BTC) or WebMoney (WMZ).

Who might be interested in such a service? Let’s consider the following scenario. A computer user receives an email with an attachment. The attachment contains a document, supposedly a PDF file. After closer inspection, we discover that the attachment is not a PDF file; it is an executable file with the same icon as a PDF file. Unaware of this, the user executes this attachment. A decoy PDF document opens. However, something more important is happening in the background.

02-resume_0

The only visible action of the file is dropping and opening the decoy PDF file. The file contains the resume of a Russian woman. We do not know whether this resume is real or not, but personal information is sensitive information and, generally, people are curious to know more about other people :-). While reading the resume, people may tend to pay less attention to the more frequent disc churning. The reader will get to know where she comes from, her marital status, number of children, phone number, email, education, working history, and minimum salary requirements.
03-resume
04-vladiv

Soon after the decoy document is displayed and while the user is busy reading it, the malware gets the computer’s name and compares it with several hardcoded names used by various antivirus companies in their automated malware analyzers. If any of these names is found, the malware exits.

05-antivbox01
It also checks the internet connection and the IP address of the current computer. If no internet connection is available or if the IP address is one of several blacklisted IP addresses, it also stops working. Finally, it checks registry values for a few strings identifying virtual machines and exits if any are found.
06-ips

If all of the previously mentioned checks are passed, the malware calls home and downloads a password-encrypted .RAR archive from the noproblembro.com website. This link is the first connection to the decryption service website.
07-download01

It uses a regular RAR.exe program (bundled with the main binary file) and a hardcoded password (GranulaSupa17) to extract the payload from the archive. The payload is then executed.
08-download02
The downloaded binary performs the encryption. First, it initializes the crypto library to use Blowfish in CTR mode.

09-crypto01

Then it randomly generates a password which will be used for encryption. This password contains 15 groups of characters. Each group consists of 1-3 digits (a number from the interval 0-899) followed by 3 characters with ASCII codes from 0x21 to 0x7d. The length of the password can therefore be anything from 60 to 90 characters. These conditions give us (900 * 0x5d^3)^15 = 7.85 * 10^132 possible keys. An example of a generated key is in the figure below.

10-crypto02

After the key is generated, the malware tries to contact its authors and send them an email containing the key and a random 7-digit ID. If the email is sent successfully, the encryption begins.
11-crypto03

It scans through all available removable, fixed, and remote drives.
12-driveTypes

Files with .bak and .tib extensions are deleted; other affected files have the .kraken extension added and are encrypted. The .bak filename extension is used by programs to make backups of documents. The .tib extension is used for disk image files of the Acronis True Image backup and recovery program. Most of the common types of document files, pictures, sounds, videos, etc. are included. A list of all affected file formats is in the figure below.

13-crypto04

The file KRAKEN.txt is copied into each directory.

14-kraken

This file has the following contents. It asks the victim to contact the decryption service via email. The victim is put under time pressure: the message states that after 48 hours the key will be deleted and no recovery will be possible.

15-message

 

Conclusion:
The random key used for encryption is very long and there is no chance that current computers could simply break the encryption by brute force attack. However, there are two possibilities which (under certain conditions) may help to recover some of the encrypted data.

Firstly, the malware uses the kernel32!DeleteFile function to delete files on the compromised computer, so there should be a chance to recover some of the deleted files. When a file is deleted from the hard drive, the only thing that is really deleted is the piece of information that tells the operating system where the file is located on the disk. The file itself actually stays on the disk, but the operating system treats the area it occupies as free space. This remains true until the operating system overwrites it with another file. Some files could be recovered with specialized software, provided that the operating system has not overwritten the freed space with anything else.

Secondly, if the computer is behind a proxy and the proxy logs all the communication, it would be possible to retrieve the key from these logs. With a known key it would be possible to re-implement the encryption/decryption algorithm and recover all the data.
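The following Python sketch is an added example, not code from the original analysis: it reproduces the keyspace figure given above and scans captured proxy-log text for strings that fit the described key format (15 groups of 1-3 digits plus 3 characters in 0x21-0x7d). The sample key, the log layout and all function names are constructed for illustration; the post does not show the real email format, and leading zeros in the numbers are accepted as an assumption.

```python
import math
import re

GROUPS, NUM_MAX, LO, HI = 15, 899, 0x21, 0x7D   # key format as described in the post

# Constructed sample data (not from the post): 15 groups "<number>aB!" and two
# made-up proxy log lines, one of which carries the key next to a 7-digit ID.
SAMPLE_KEY = "".join(f"{n}aB!" for n in range(0, 900, 60))
SAMPLE_LOG = ("2013-08-20 10:02:11 proxy01 GET http://example.test/index.html 200\n"
              "2013-08-20 10:02:14 proxy01 SMTP DATA id=1234567 key=" + SAMPLE_KEY + "\n")

def keyspace():
    """Return (number of possible keys, same value in bits): (900 * 0x5d^3)^15."""
    n = ((NUM_MAX + 1) * (HI - LO + 1) ** 3) ** GROUPS
    return n, math.log2(n)

def key_end(s, start=0):
    """Largest end offset so that s[start:end] parses as 15 groups, else None.
    The 3-character part may itself contain digits, so group boundaries are
    ambiguous; every reachable offset is tracked instead of parsing greedily."""
    reach = {start}
    for _ in range(GROUPS):
        nxt = set()
        for p in reach:
            for d in (1, 2, 3):                      # 1-3 digits, value 0-899
                grp = s[p:p + d + 3]
                if (len(grp) == d + 3 and all(LO <= ord(c) <= HI for c in grp)
                        and grp[:d].isdigit() and int(grp[:d]) <= NUM_MAX):
                    nxt.add(p + d + 3)
        if not nxt:
            return None
        reach = nxt
    return max(reach)

def find_candidate_keys(log_text):
    """Return substrings of log_text that fit the described key format."""
    found = []
    # Key characters exclude spaces and control bytes, so split on anything else.
    for token in re.split(r"[^\x21-\x7d]+", log_text):
        i = 0
        while i + 4 * GROUPS <= len(token):          # shortest key is 60 chars
            end = key_end(token, i)
            if end is None:
                i += 1
            else:
                found.append(token[i:end])
                i = end
    return found
```

Matches are only candidates: a string can fit the format by coincidence, so each one still has to be confirmed by test-decrypting a file whose original content is known.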

Generally, computer users are advised to make regular backups of their important files. If a situation like the one described in this blog post occurs, the user simply deletes the virus from the computer, deletes all encrypted files and recovers the original files from the backup. avast! BackUp can help you back up all your important files. Try it free for 30 days.

Avast! detects these samples as Win32:Ransom-AOQ and blocks the noproblembro.com domain.
