A few days ago at PandaLabs, Panda Security’s anti-malware lab, we discovered a type of ransomware that we believe is extremely important to talk about, especially because of its novelty and its unique features. The name of this new ransomware is CryptoBit.
If we compare it to what we’ve learned thus far from other ransomware, we can say that CryptoBit is a one-of-a-kind specimen. It’s different from other ransomware for many reasons, one of the main differences being the message that appears instructing the victim to rescue their files. Its additional features will be revealed in this article.
This report focuses on the analysis of the following sample:
This sample is protected thanks to a “packer”. After “unpacking” it, we can notice that, in addition to a date of recent compilation (April 5, 2016 at 12:20:55 PM), there is a total lack of strings, evidence that the author of CryptoBit wished to hinder the analysis of your code, by any and all means.
After analyzing the data provided by Panda Security’s “collective intelligence systems”, it is possible to determine the vector that was used to distribute CryptoBit is being used by the “Exploits Kits” that affect different web browsers.
We can more accurately determine the basic way CryptoBit works:
The first thing CryptoBit does is check the keyboard’s configured languages. If the keyboard is configured with one of the following codes: 0x1a7, 0x419 (Russian) or 0x43f (Kazakh), the program does not end up encrypting any file.
After making sure that the keyboard is not in their blacklist, CryptoBit goes to all local disk drives, network folders, and removable drives (USB), searching for files containing any of the intended extensions. What is its objective? To encrypt the entire contents of the file (another unusual feature) in order to request their rescue later on.
In particular, CryptoBit is interested in the following file extensions:
ods crp arj tar raw xlsm prproj der 7zip bpw dxf ppj tib nbf dot pps dbf qif nsf ifx cdr pdb kdbx tbl docx qbw accdb eml pptx kdb p12 tax xls pgp rar xml sql 4dd iso max ofx sdf dwg idx rtf dotx saj gdb wdb pfx docm dwk qba mpp 4db myo doc xlsx ppt gpg gho sdc odp psw psd cer mpd qbb dwfx dbx mdb crt sko nba jpg nv2 mdf ksd qbo key pdf aes 3ds qfx ppsx sxc gxk aep odt odb dotm accdt fdb csv txt zip
Once the process of file encryption has begun, the user can see a window on their computer similar to the one show below:
In this message we see some details that draw our attention and which can be used to classify this new type of ransomware:
ID shown as “58903347”
In the number shown for the analyzed sample, this value is always the same. It does not matter if you run this Malware repeatedly, or if you do it on different devices. This suggests that we will find ourselves with an ID of ransomware rather than a particular user (or computer).
The number of bitcoins you have to pay
In general, the required amount of Bitcoins are fixed, or have a limit. In this specific example, we see that the author (or authors) are requesting a bailout that is a little excessive.
How to get in contact with “them”
The user is not able to contact the hacker through a web server accessible via a URL, and they do not ask the user for anything in particular, at least they don’t at this exact moment.
They ask the user to contact them with using an email address that seems untrustworthy (ex. email@example.com). If the victim does not receive a response, they can also contact the hacker using an application called “Bitmessage”, a branch of another application that can be found in “GitHub”.
Additionally, if this message is not enough to convince them that their files have been encrypted, each time that this folder is accessed with one of these (now) indecipherable files, the user will discover a couple of extra files that were created intentionally:
If we take a look at this file we will find the same message (this time in text format) that is shown to the user after their files are encrypted.
In this second file we see a hexadecimal sequence with a length of 1024 which, once decoded, will correspond to a binary sequence of 512 bytes (or 4096-bits).
Later, in the “encrypted” section, it will show us the meaning of the file called “sekretzbel0ngt0us.KEY“, where encryption has been used to encrypt other files.
Another CryptoBit action that is visible to the user is an HTTP request that looks like:
Notice: the requested script “knock.php” does not exist.
Encryption of Files
Encrypting files to encrypt other files, in each run, CryptoBit generates the algorithm AES, or “Advanced Encryption Standard” (a random key of length 32 bytes or 256 bits), making it practically impossible to decrypt files unless this information known.
In order for us to not lose this key which allows us to decrypt files if the ransom is paid, the author of this ransomware, stores the generated AES key using the RSA algorithm.
The public key used is 4096 bits length and it is hardcoded in the analyzed sample.
Once the AES key has been encrypted with RSA, it will be stored in the files named “sekretzbel0ngt0us.KEY“, making it only comprehensible if there are corresponding RSA “private keys” (which in theory, would only be in the possession of the cypher’s author.)
In this section, we notice a specific detail: the absence of calls to the native libraries that encrypt files using the RSA algorithm. CryptoBit uses a series of statically compiled routines that allow you to operate with large numbers (“big numbers”), making it possible to reproduce the RSA encryption algorithm.
As we can see, this newly discovered ransomware phenomenon is not going out of style. We are finding new samples every day that still surprise us. In this specific case, we aren’t as shocked by the use of “serious cryptography” (AES + RSA), something that is more and more standardized, but we are amazed by the ambition behind it and can appreciate its good design and interesting ideas.
As always, keep your antivirus updated and make sure to back up your important files.
Analysis of CryptoBit by: Alberto Moro, Abel Valero and Daniel Garcia