Protecting over 200 million PCs, Macs, & Mobiles – more than any other antivirus

August 20th, 2013

No problem bro – ransom decryption service

If thieves gain control of sensitive personally identifiable information (PII) on your computer, your identity can be stolen.  Information such as your social security number, driver’s license number, date of birth, or full name are examples of files that should be encrypted.  Confidential business data like individual customer information or intellectual property should also be encrypted for your safety.

In this blog post we will look at a service offering file decryption. This service helps you to decrypt files which were previously encrypted. But this is no helpful ‘Tips and Tricks’ blog for people who forgot the password to their documents and ask for help recovering it. Although breaking weak passwords is quite possible, specializes in a different type of service.


The ‘No problem bro’ mission statement is not very concrete.  The enigmatic text says, “If you are here, you must know what type of service we are providing.” They boast about offering an “individual approach”.  The sentence, “You pay only after providing the job (this could be screenshots or part of the documents)”, tells us that the decryption service has something to do with “documents”. In order to stay completely anonymous, the only accepted payment methods are via bitcoin (BTC) or webmoney (WMZ).

Who might be interested in such a service? Let’s consider the following scenario. A computer user receives an email with an attachment. The attachment contains a document, supposedly a PDF file. After closer inspection, we discover that the attachment is not a PDF file; it is an executable file with the same icon as a PDF file. Unaware of this, the user executes this attachment. A decoy PDF document opens. However, something more important is happening in the background.


The only visible action of the file is dropping and opening the decoy PDF file. The file contains the resume of a Russian woman. We do not know whether this resume is real or not, but personal information is sensitive information and, generally, people are curious to know more about other people :-). While reading the resume, people may tend to pay less attention to the more frequent disc churning. The reader will get to know where she comes from, her marital status, number of children, phone number, email, education, working history, and minimum salary requirements.

Soon after the decoy document is displayed and the user is busy reading it, malware gets the computer’s name and compares it with several hardcoded names used by various antivirus companies in their automated malware analyzers. If any of these names are found, the malware exits.

It also checks the internet connection and the IP address of the current computer. If no internet connection is available or if the IP address belongs among several blacklisted IP addresses, it also stops working. At last it checks the registry values for a few strings identifying virtual machines and if found, it exits.

If all previously mentioned checks are passed, the malware calls home and downloads a password encrypted .RAR archive from the website. This link is the first connection to the decryption service website.

It uses a regular RAR.exe program (bundled with the main binary file) and hardcoded password(GranulaSupa17) to extract the payload from the archive. Later it gets executed.
The downloaded binary provides the encryption. First, it initializes crypto library to Blowfish in CTR mode.


Then it randomly generates a password which will be used for encryption. This password contains 15 groups of characters, each group consists of 1-3 digits (numbers from interval 0-899) followed by 3 characters with ASCII codes from 0×21 to 0x7d. The length of the password can therefore be anything from 60 to 90 characters. These conditions give us (900 * 0x5d^3)^15 = 7.85 * 10^132 possible keys. An example of a generated key is in the figure below.


After the key is generated, the malware tries to contact its authors and send email containing the key and a random 7-digit ID. If the email is sent successfully, the encryption begins.

It scans through all available removable, fixed, and remote drives.

Files with .bak and .tib extensions are deleted, other files are added .kraken extension and encrypted. The .bak filename extension is used by programs to make backups of documents. The .tib is disk imaging file for Acronis True Image backup and recovery program. Most of the common types of document files, pictures, sounds, videos, etc. are included. A list of all affected file formats is in the figure below.


The file KRAKEN.txt is copied into each directory.


This file has the following contents. It asks the victim to contact the decryption service via email. A victim is put under time pressure. It is stated that after 48 hours the key should be deleted and no recovery will be possible.



The random key used for encryption is very long and there is no chance that current computers could simply break the encryption by brute force attack. However, there are two possibilities which (under certain conditions) may help to recover some of the encrypted data.

Firstly, the malware uses kernel32!DeleteFile function to delete files in the compromised computer, so there should be a chance do recover some of the deleted files. When a file is deleted from the hard drive, the only thing which is really deleted is a bit of information which tells the operating system where the file is located on the disc. The file itself actually stays on the disc, but the operating system considers it as a free place. This is true until the operating system overwrites it with another file. Some files could be recovered with specialized software provided that the operating system did not overwrite the freed place with anything else.

Secondly, if the computer is behind a proxy and the proxy logs all the communication, it would be possible to retrieve the key from these logs. With a known key it would be possible to re-implement the encryption/decryption algorithm and recover all the data.

Generally, computer users are advised to make regular backups of their important files. If a situation as described in this blog post occurs, the user simply deletes the virus from his computer, deletes all encrypted files and recovers the original files from the backup. avast! BackUp can help you backup all your important files.  Try it free for 30 days.

Avast! detects these samples as Win32:Ransom-AOQ and blocks domain.














Decoy PDF file


Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun, and contest information, please follow us on FacebookTwitterGoogle+ and Instagram.

Categories: analyses, Virus Lab Tags: , ,
Comments are closed.