An unusual new strain of ransomware makes good on its threat, doing what most other varieties only claim to do: the Trojan actually encrypts data on infected machines, rendering certain files inaccessible to users of compromised computers in order to block removal.
This veracious new version of the otherwise well-known police ransomware Trojan is unique only in the sincerity of its promise. According to a report by Hynek Blinka on the AVG News and Threats blog, most ransomware campaigns deploy a familiar warning, asserting that the user has committed some crime and that the user’s machine will remain locked down or encrypted until the fine associated with that transgression is paid.
In most cases the malware can be found and removed without paying the fine (which may or may not resolve the problem anyway). In this case, however, Blinka observed the Trojan encrypting images, documents and executables in an attempt to hinder removal. Whoever is responsible for the malware is not in the business of completely crippling machines: Windows system files are excluded from the encryption, so infected computers still function for the most part, but user data is lost and many third-party programs will no longer run.
According to the report, upon execution the malware spawns either ctfmon.exe or svchost.exe (chosen at random) and injects its own code into it. The injected system process then executes a copy of the malware from the %TEMP% folder, which in turn creates ctfmon.exe or svchost.exe child processes carrying the injected code. That is where things take a turn for the interesting.
First the malware generates a unique computer ID, then it hashes that ID together with the fixed string “QQasd123zxc” using CryptoAPI functions such as “advapi32!CryptHashData” and “advapi32!CryptDeriveKey” to produce a first encryption key. Because the string is constant and the ID is transmitted, the attacker can derive exactly the same key on his side. The malware then sends requests carrying the computer ID to its command-and-control server; the server encrypts its replies with this first key, and the Trojan decrypts them on the infected computer.
Next, a second key is created using “advapi32!CryptGenKey.” Blinka explains that this function produces a random key each time it is called, so, unlike the first key, it cannot be recreated. An “RSA2” blob (the CryptoAPI private-key blob format) is then exported from the second key, encrypted with the first key, base64-encoded and sent back to the C&C server, where it is paired in the attacker’s database with the computer ID.
Lastly, the malware builds the list of files it wants to encrypt and encrypts them with “advapi32!CryptEncrypt” using the second key, after which the well-known ransom note appears on the victim’s locked screen.
At this point the attacker holds the second key and could decrypt the files if he or she so desired. The malware also compounds the victim’s woes by disabling regedit, Task Manager and msconfig. AVG detects the sample as “Trojan horse Generic31.LBT” and gives its MD5 as “51B046256DB58B603A27EBA8DEE05479.”
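The two-key exchange described above, reconstructed as an added example. This is not AVG’s or Blinka’s code and the sample’s real algorithms are not named in the report, so Python’s standard library stands in for CryptoAPI: SHA-256 for the CryptHashData/CryptDeriveKey step, an HMAC-SHA256 counter-mode keystream for CryptEncrypt, and a random 256-bit secret for the CryptGenKey key in place of an RSA key pair. The computer ID, file names and file contents are constructed. The check it demonstrates follows from the design as described: because the first key is derived only from the computer ID and a constant carried in the binary, anyone who captured the base64 upload and knows the ID (an analyst with the sample and a network capture, not only the C&C operator) can unwrap the second key and decrypt the files.

```python
"""Model of the two-key ransomware scheme described in the AVG report.

Stand-ins (assumptions, not from the report): SHA-256 replaces the
CryptHashData/CryptDeriveKey step, an HMAC-SHA256 counter-mode keystream
replaces the CryptEncrypt cipher, and the second key is a random 256-bit
secret rather than an exported RSA2 key blob. The exchange structure is
what the example is about.
"""
import base64
import hashlib
import hmac
import os

FIXED_STRING = b"QQasd123zxc"  # the constant quoted in the report


def derive_key1(computer_id: bytes) -> bytes:
    """Deterministic first key: anyone holding the ID and the fixed string
    (malware, C&C server, or an analyst with the sample) gets the same bytes."""
    return hashlib.sha256(computer_id + FIXED_STRING).digest()


def gen_key2() -> bytes:
    """Random, non-reproducible second key (the CryptGenKey role)."""
    return os.urandom(32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in symmetric cipher: 16-byte nonce || plaintext XOR keystream."""
    nonce = os.urandom(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    ks = _keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def infect(computer_id: bytes, files: dict) -> tuple:
    """Victim side: derive key1, generate key2, wrap key2 under key1 and
    base64 it for the C&C upload, then encrypt the target files with key2.
    Returns (upload_b64, encrypted_files)."""
    key1 = derive_key1(computer_id)
    key2 = gen_key2()
    upload = base64.b64encode(encrypt(key1, key2)).decode()
    locked = {name: encrypt(key2, data) for name, data in files.items()}
    return upload, locked


def cnc_store(db: dict, computer_id: bytes, upload_b64: str) -> None:
    """C&C side: re-derive key1 from the ID, unwrap key2, store it under the ID."""
    key1 = derive_key1(computer_id)
    db[computer_id] = decrypt(key1, base64.b64decode(upload_b64))


def recover_files(computer_id: bytes, upload_b64: str, locked: dict) -> dict:
    """What the operator can do with the stored key2, and equally what an
    analyst can do who captured the upload and knows the ID: the wrapping
    key is reproducible, so key2 falls straight out of the captured blob."""
    key1 = derive_key1(computer_id)
    key2 = decrypt(key1, base64.b64decode(upload_b64))
    return {name: decrypt(key2, blob) for name, blob in locked.items()}


if __name__ == "__main__":
    # Constructed sample victim, not data from the report.
    victim_id = b"PC-0001"
    files = {"report.docx": b"quarterly numbers", "photo.jpg": b"\xff\xd8\xff\xe0 jpeg bytes"}
    upload, locked = infect(victim_id, files)
    db = {}
    cnc_store(db, victim_id, upload)
    print("captured upload:", upload)
    print("files recoverable from ID + capture:", recover_files(victim_id, upload, locked) == files)
```

Note that `recover_files` never consults the C&C database: the only secret it needs beyond the captured traffic is the fixed string, which lives in the binary. A wrong or guessed computer ID yields a different key1 and therefore garbage, so pairing the captured upload with the right ID is the whole problem for an analyst.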