Some additional "copy-paste evidence": let's take a look at the file-restoring decryption and the AES key-restoring decryption done by this ransomware.
In the last picture of my reversing pad above you can see where the
function was called. If you follow that function you will see that the decryption process (for restoring the encrypted files) uses the function called mbedtls_aes_setkey_dec
- a well known function for AES decryption in CBC mode if you are familiar with PolarSSL
, since these are the functions described in mbedtls/pk.h
- so apparently the coder copy-pasted this code for the ransomware's decryption routine.
Below is the reversing illustration
Two calls are significant for the decryption routine: mbedtls_aes_setkey_dec
(0x4005db), which sets up AES decryption and by default uses a 128-bit key (which is what this ransomware uses: the default base setting of a pure copy-paste
), and mbedtls_aes_crypt_cbc
(0x4005f9), which shows that the CBC mode of AES is used.
Also in the last picture above,
at 0x400753 the call to private_decrypt() is stated,
and following its trail you will see the call to mbedtls_pk_decrypt(),
whose purpose is to decrypt the AES key used for restoring the files encrypted by this ransomware, using the RSA private key. This function also comes from the PolarSSL source code, where it is used for decrypting encrypted messages/communications; it supports RSA keys with the default padding type PKCS#1 v1.5, and again this is the RSA specification used by these copy-pasters.
The flow of the private key decryption of the AES key used for restoring files can be seen in the commented reversing code below:
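As an added illustration (my own example code, not the reversing output from this post and not the mbedtls/PolarSSL implementation itself), the key-unwrap step described above modelled in pure Python with textbook RSA: the encryptor pads the 128-bit AES key with EME-PKCS1-v1_5 and applies the public key; the restore routine, like mbedtls_pk_decrypt() with its default padding, applies the private exponent and then checks the 0x00 0x02 / padding string / 0x00 layout before accepting the key. The key sizes, the sample AES key and all function names are constructed for this demo.

```python
import random

# Constructed example: the RSA-PKCS#1 v1.5 key-unwrap step that the
# ransomware performs via mbedtls_pk_decrypt(), modelled with textbook
# RSA in pure Python. Toy key sizes, not a production implementation.

def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin primality test (enough for a demo key)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits, rng):
    """Random odd candidate of exactly `bits` bits until one is probably prime."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand

def gen_rsa_keypair(bits, seed=1):
    """Returns (n, e, d). Seeded RNG so the demo is reproducible."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p = gen_prime(bits // 2, rng)
        q = gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    d = pow(e, -1, phi)
    return p * q, e, d

def pkcs1_v15_pad(msg, k, rng):
    """EME-PKCS1-v1_5 encoding: 0x00 0x02 <non-zero random PS, >= 8 bytes> 0x00 M."""
    if len(msg) > k - 11:
        raise ValueError("message too long for modulus")
    ps = bytes(rng.randrange(1, 256) for _ in range(k - len(msg) - 3))
    return b"\x00\x02" + ps + b"\x00" + msg

def pkcs1_v15_unpad(em, k):
    """Reverse of pkcs1_v15_pad with the layout checks a PKCS#1 v1.5 decoder applies:
    exact length, leading 0x00 0x02, at least 8 non-zero PS bytes, then a 0x00
    separator. Returns None on any failure instead of a bogus key."""
    if len(em) != k or em[0] != 0 or em[1] != 2:
        return None
    sep = em.find(b"\x00", 2)
    if sep == -1 or sep - 2 < 8:
        return None
    return em[sep + 1:]

def rsa_wrap_key(aes_key, n, e, rng):
    """What the encryptor does: pad the AES key and apply the public exponent."""
    k = (n.bit_length() + 7) // 8
    em = pkcs1_v15_pad(aes_key, k, rng)
    return pow(int.from_bytes(em, "big"), e, n).to_bytes(k, "big")

def rsa_unwrap_key(wrapped, n, d):
    """The private_decrypt() step: private exponent, then strip PKCS#1 v1.5 padding."""
    k = (n.bit_length() + 7) // 8
    if len(wrapped) != k:
        return None
    em = pow(int.from_bytes(wrapped, "big"), d, n).to_bytes(k, "big")
    return pkcs1_v15_unpad(em, k)

def demo():
    """Wrap a constructed 128-bit AES key, unwrap it, and show a tampered blob failing."""
    n, e, d = gen_rsa_keypair(512)
    rng = random.Random(7)
    aes_key = bytes(range(16))  # constructed demo value, not a real key
    wrapped = rsa_wrap_key(aes_key, n, e, rng)
    recovered = rsa_unwrap_key(wrapped, n, d)
    # Flip one byte of the wrapped blob: the unwrap must not yield the key.
    tampered_blob = bytes([wrapped[0] ^ 0x01]) + wrapped[1:]
    tampered = rsa_unwrap_key(tampered_blob, n, d)
    return {"aes_key": aes_key, "wrapped": wrapped,
            "recovered": recovered, "tampered": tampered}

if __name__ == "__main__":
    r = demo()
    print("wrapped key bytes:", len(r["wrapped"]))
    print("recovered == original:", r["recovered"] == r["aes_key"])
    print("tampered blob gives key:", r["tampered"] == r["aes_key"])
```

Running it shows a wrapped blob of modulus size that only unwraps under the matching private exponent; a tampered blob either fails the padding layout checks or yields bytes that are not the key, rather than silently returning a "usable" key. That fail-closed padding check is the part of the flow worth recognising when you read the commented disassembly.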
Understanding these methods makes it easier for us to find ways to prevent this, and even ways of working out "the necessaries" for restoring the encrypted files. There are weaknesses in the scheme of this ransomware that can be used for that. I leave it to you all to provide mitigations.
Moreover, this is not the first time that open source code has been used by criminals in malware. This is one example of the bad results of the many ransomware concepts and source codes that are openly shared on the internet; there is more bad than good in sharing this kind of stuff openly.
@unixfreaxjp of MalwareMustDie - heil to fellow unix shell reversers
- thanks for cool aeim asm.emu/emuwrite from pancake - it worked well!