
Win32/Harasom (File Encrypting Ransomware)

Posted: Thu May 16, 2013 1:37 am
by Cody Johnston
Hello,

Please merge this post if a topic including this type of ransomware already exists. I have seen this on a couple of customers' computers over the last few days. This ransomware encrypts doc, pdf, jpg, rar, zip, etc. and makes them all html files. Attached is a sample of one of the files.

It directs to the following site:

hxxp://mblblock.in

Uses a UID from the PC as an argument when connecting to the page and displays content only when the UID is given.

I do not have a sample of the dropper yet, I'll post one as soon as I find it.

Here is a screenshot of what the user sees when attempting to open a file:

[screenshot]


Domain ID:D7317677-AFIN
Domain Name:MBLBLOCK.IN
Created On:08-May-2013 17:06:06 UTC
Last Updated On:08-May-2013 17:06:07 UTC
Expiration Date:08-May-2014 17:06:06 UTC
Sponsoring Registrar:Webiq Domains Solutions Pvt. Ltd. (R131-AFIN)
Status:CLIENT TRANSFER PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:WIQ_27797905
Registrant Name:Gerald Minhelm
Registrant Organization:N/A
Registrant Street1:176 reroad
Registrant City:Vegas
Registrant State/Province:LA
Registrant Postal Code:15781
Registrant Country:US
Registrant Phone:+1.1005520281
Registrant Email:g.minhelmmm@gmail.com
VT for the URL: https://www.virustotal.com/en/url/87132 ... /analysis/

Re: File Encrypting Ransomware

Posted: Thu May 16, 2013 9:33 am
by Xylitol
awkward
[screenshot]


hxtp://mblblock.in/files/
hxtp://mblblock.in/pic/
hxtp://mblblock.in/style/
hxtp://mblblock.in/webstat/
hxtp://mblblock.in/modal/
hxtp://mblblock.in/i.php?uid={C22AEF4D-9122-8825-42A7-E0BFA1DD7EC5}
hxtp://mblblock.in/i.php?uid={D4D05D49-6B2D-881A-3082-D4DED9344AAB}
hxtp://mblblock.in/i.php?uid={1E475F6C-BD09-881A-8396-473D4CB1D947}
hxtp://mblblock.in/i.php?uid={CEF4D8C3-4285-881A-ABAB-D1F060964F8A}
hxtp://mblblock.in/core.php
hxtp://mblblock.in/time.php
hxtp://mblblock.in/func.php
hxtp://mblblock.in/step2.php
hxtp://mblblock.in/lang/en.php
hxtp://mblblock.in/lang/de.php
hxtp://mblblock.in/lang/es.php
hxtp://mblblock.in/lang/ca.php
hxtp://mblblock.in/lang/au.php
hxtp://mblblock.in/lang/gb.php
hxtp://mblblock.in/lang/at.php
hxtp://mblblock.in/lang/be.php
hxtp://mblblock.in/lang/ag.php
hxtp://mblblock.in/lang/mx.php
hxtp://mblblock.in/gate/soft.php
hxtp://mblblock.in/gate/core.php
hxtp://mblblock.in/gate/gate.php
https://www.virustotal.com/en/ip-addres ... formation/

Edit 17 may 2013: Gotcha !
sample in attach.
http://www.virustotal.com/file/e7818de3 ... 368756414/
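The check-in URLs listed above (`/i.php?uid={GUID}`, one per infected host) are the most useful network indicator in this thread. The following is an added example, not code from the thread or from any of the posters, showing how to pull those check-ins out of proxy logs. The C2 host and the `i.php?uid=` shape come from the thread; the log line format and the sample lines (a few of which reuse UIDs quoted above, plus a benign line and a look-alike host) are constructed for the example.

```python
# Added example (not from the thread): flag Win32/Harasom check-ins in proxy logs.
# Grounded in the thread: C2 host mblblock.in and the /i.php?uid={GUID} pattern.
# Constructed for the example: the "ts client method url status" log format and
# the sample lines below.
import re
from urllib.parse import urlsplit, parse_qs

C2_HOST = "mblblock.in"

# Registry-style GUID in braces, as seen in the uid= parameter.
GUID_RE = re.compile(r"^\{[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}$", re.I)

# Constructed sample log (squid-like, one request per line).
# Line 5 is a look-alike host and must NOT match: we compare the parsed host,
# not a substring of the URL.
SAMPLE_LOG = """\
2013-05-16T09:33:01Z 10.0.0.12 GET http://mblblock.in/i.php?uid={C22AEF4D-9122-8825-42A7-E0BFA1DD7EC5} 200
2013-05-16T09:33:02Z 10.0.0.12 GET http://mblblock.in/lang/en.php 200
2013-05-16T09:34:10Z 10.0.0.40 GET http://www.example.com/index.html 200
2013-05-16T09:35:44Z 10.0.0.57 GET http://mblblock.in/i.php?uid={D4D05D49-6B2D-881A-3082-D4DED9344AAB} 200
2013-05-16T09:36:00Z 10.0.0.40 GET http://mblblock.in.example.net/i.php?uid={1E475F6C-BD09-881A-8396-473D4CB1D947} 200
"""


def parse_line(line):
    """Split one log line into (ts, client, method, url, status); None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    return tuple(parts)


def find_c2_traffic(lines):
    """Every request whose parsed hostname is exactly the C2 host.

    Any hit here is worth an alert: the panel resources (/lang/*.php, /gate/*)
    are only ever requested by the malware or by its operators.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, _method, url, _status = rec
        if urlsplit(url).hostname == C2_HOST:
            hits.append((ts, client, url))
    return hits


def find_checkins(lines):
    """High-confidence victim check-ins: /i.php with a well-formed uid={GUID}.

    Returns (client, uid) pairs; the uid identifies the victim on the panel,
    so it is worth keeping for the incident record.
    """
    out = []
    for _ts, client, url in find_c2_traffic(lines):
        u = urlsplit(url)
        if u.path != "/i.php":
            continue
        uid = parse_qs(u.query).get("uid", [None])[0]
        if uid and GUID_RE.match(uid):
            out.append((client, uid))
    return out


def infected_hosts(lines):
    """Distinct client addresses that performed a check-in."""
    return sorted({client for client, _uid in find_checkins(lines)})


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ts, client, url in find_c2_traffic(lines):
        print("C2 traffic:", ts, client, url)
    for client, uid in find_checkins(lines):
        print("check-in:", client, uid)
    print("infected hosts:", infected_hosts(lines))
```

The two-tier split is deliberate: a hit on the host alone is enough to alert, while the parsed `uid` gives the responder the panel identifier for each victim. Comparing `urlsplit(url).hostname` rather than searching for the string avoids matching look-alike domains such as the constructed `mblblock.in.example.net` line.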

Re: File Encrypting Ransomware

Posted: Fri May 17, 2013 2:06 pm
by Dany3j
Some way to decrypt the files?

Re: File Encrypting Ransomware

Posted: Sat May 18, 2013 12:36 am
by reverser
For the sample posted by Xylitol, encryption seems to be RC6 and the key is:


yrw^%$74@0(99GHJGK**&(^867*&^en2evwqevvnfd^&*^*&^$#$#@)**bnmccn
(64 bytes including the trailing 0)

Not sure yet if the key changes per client, but it doesn't look very random so probably the guy typed it manually.

EDIT: ah, it seems there's an additional scrambling applied to the file. If you upload one of the encrypted files, I can check if it can be decrypted.
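For anyone who wants to check reverser's two claims (RC6, and a 64-byte key including the trailing 0) against their own sample, here is an added example, not code from reverser's decryptor or from anyone in this thread: a pure-Python RC6-32/20 with the key schedule expanded from the quoted key string. It implements only the cipher primitive; the "additional scrambling" reverser mentions and the file layout are not known from the thread and are not reproduced, so this will not decrypt a victim file on its own. The known-answer vector used by `rc6_known_answer_ok()` is the published RC6 test vector (all-zero 128-bit key and all-zero block), not something from the thread.

```python
# Added example (not from the thread): RC6-32/20 block cipher in pure Python,
# keyed with the 64-byte key reverser reports. Only the primitive is shown;
# the per-file scrambling mentioned in the thread is NOT reproduced here.
import struct

W = 32                  # word size in bits (RC6-32)
R = 20                  # rounds (RC6-32/20/b, the AES-candidate parameters)
LGW = 5                 # log2(W): rotation amount in the quadratic step
P32 = 0xB7E15163        # key-schedule constants from the RC6 paper
Q32 = 0x9E3779B9
MASK = 0xFFFFFFFF

# Key string quoted in the thread. The thread says 64 bytes including the
# trailing 0; harasom_key() appends the NUL and enforces that length.
HARASOM_KEY_STR = "yrw^%$74@0(99GHJGK**&(^867*&^en2evwqevvnfd^&*^*&^$#$#@)**bnmccn"


def harasom_key() -> bytes:
    key = HARASOM_KEY_STR.encode("ascii") + b"\x00"
    if len(key) != 64:
        raise ValueError("expected a 64-byte key, got %d bytes" % len(key))
    return key


def _rotl(x: int, n: int) -> int:
    n &= W - 1                      # RC6 uses only the low lg(w) bits of the amount
    return ((x << n) | (x >> (W - n))) & MASK


def _rotr(x: int, n: int) -> int:
    n &= W - 1
    return ((x >> n) | (x << (W - n))) & MASK


def rc6_key_schedule(key: bytes) -> list:
    """Expand a b-byte key into the 2r+4 round words S[] (RC6 spec, section 2.3)."""
    c = max(1, (len(key) + 3) // 4)                 # key words, little-endian
    L = list(struct.unpack("<%dI" % c, key + b"\x00" * (c * 4 - len(key))))
    n = 2 * R + 4
    S = [0] * n
    S[0] = P32
    for i in range(1, n):
        S[i] = (S[i - 1] + Q32) & MASK
    a = b = i = j = 0
    for _ in range(3 * max(c, n)):
        a = S[i] = _rotl((S[i] + a + b) & MASK, 3)
        b = L[j] = _rotl((L[j] + a + b) & MASK, a + b)
        i = (i + 1) % n
        j = (j + 1) % c
    return S


def rc6_encrypt_block(S: list, block: bytes) -> bytes:
    A, B, C, D = struct.unpack("<4I", block)
    B = (B + S[0]) & MASK
    D = (D + S[1]) & MASK
    for i in range(1, R + 1):
        t = _rotl((B * (2 * B + 1)) & MASK, LGW)
        u = _rotl((D * (2 * D + 1)) & MASK, LGW)
        A = (_rotl(A ^ t, u) + S[2 * i]) & MASK
        C = (_rotl(C ^ u, t) + S[2 * i + 1]) & MASK
        A, B, C, D = B, C, D, A
    A = (A + S[2 * R + 2]) & MASK
    C = (C + S[2 * R + 3]) & MASK
    return struct.pack("<4I", A, B, C, D)


def rc6_decrypt_block(S: list, block: bytes) -> bytes:
    A, B, C, D = struct.unpack("<4I", block)
    C = (C - S[2 * R + 3]) & MASK
    A = (A - S[2 * R + 2]) & MASK
    for i in range(R, 0, -1):
        A, B, C, D = D, A, B, C             # undo the register rotation first
        u = _rotl((D * (2 * D + 1)) & MASK, LGW)
        t = _rotl((B * (2 * B + 1)) & MASK, LGW)
        C = _rotr((C - S[2 * i + 1]) & MASK, t) ^ u
        A = _rotr((A - S[2 * i]) & MASK, u) ^ t
    D = (D - S[1]) & MASK
    B = (B - S[0]) & MASK
    return struct.pack("<4I", A, B, C, D)


def rc6_known_answer_ok() -> bool:
    """Published RC6 test vector: zero 128-bit key, zero block."""
    S = rc6_key_schedule(bytes(16))
    expected = bytes.fromhex("8fc3a53656b1f778c129df4e9848a41e")
    return rc6_encrypt_block(S, bytes(16)) == expected


if __name__ == "__main__":
    print("RC6 known-answer test:", rc6_known_answer_ok())
    S = rc6_key_schedule(harasom_key())                 # 512-bit key -> 16 key words
    sample = bytes(range(16))                           # constructed 16-byte block
    ct = rc6_encrypt_block(S, sample)
    print("ciphertext:", ct.hex())
    print("round trip ok:", rc6_decrypt_block(S, ct) == sample)
```

To test reverser's key against a real victim file you would still need the block mode and the scrambling step, which only the decryptor posted later in this thread knows; the primitive here is enough to confirm the key expands (64 bytes is 16 key words, well within RC6's limit) and to diff your own findings against a known-good implementation.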

Re: File Encrypting Ransomware

Posted: Sat May 18, 2013 3:38 am
by Dany3j
@reverser Is the key different for every client?


I am attaching sample files, original and encrypted. I used the sample posted by Xylitol.

Re: File Encrypting Ransomware

Posted: Sat May 18, 2013 6:33 pm
by reverser
Here's the decryptor, source and precompiled. Works on the posted files.

Re: File Encrypting Ransomware

Posted: Sat May 18, 2013 10:32 pm
by Fabian Wosar
A more user friendly decrypter is available here as well:

http://tmp.emsisoft.com/fw/decrypt_mblblock.exe

It will automatically detect the encrypted malware files and try to recover the file names as well. My thanks go to both Xylitol for the actual malware sample and reverser for noticing the file size limitation that I completely missed and wondered why it didn't work properly for some files ;).

Re: File Encrypting Ransomware

Posted: Sun May 19, 2013 3:08 am
by Dany3j
Thank you, very good job.

Re: File Encrypting Ransomware

Posted: Sun May 19, 2013 9:09 am
by ElPiedra
Nice work Fabian !!!

Guide for using Decrypt_MBLblock in Spanish:
http://www.forospyware.com/t460439.html



Regards

Re: File Encrypting Ransomware

Posted: Sun May 19, 2013 7:19 pm
by Quads
Hmmmmm

Does the Spamhaus Agent XML advisory, with the encryption adding .html to the end, use the same encryption as this one (MBL advisory), I wonder.

Quads