Quads wrote:
Does the Spamhaus Agent XML advisory with the encryption adding .html to the end use the same encryption as this one (MBL advisory) I wonder.

Just checked out the sample as well as various files encrypted by the Spamhaus Agent XML variant and decryption should work just fine.
Win32/Harasom (File Encrypting Ransomware)
-
- Posts: 88
- Joined: Thu Aug 26, 2010 8:23 am
- Location: Germany
- Contact:
Re: File Encrypting Ransomware
Fabian Wosar wrote:
(Quads wrote: Does the Spamhaus Agent XML advisory with the encryption adding .html to the end use the same encryption as this one (MBL advisory) I wonder.)
Just checked out the sample as well as various files encrypted by the Spamhaus Agent XML variant and decryption should work just fine.
Thanks
I will have to create a post on the forum with instructions on the Spamhaus thread after I upload the decrypt tool to a folder on my webspace as the forum does not allow direct downloads.
Quads
Trojan:Win32/Harasom.A
Hello, I need the following sample:
https://www.virustotal.com/en/file/146f ... /analysis/
Md5 : fee25602dd44c753af9790aa9bea3b47
SHA1 : 13b065309d87412132b59210a44c3edafe496341
Thank you, and I'm sorry if this malware has already been posted here.

- Xylitol
- Global Moderator
- Posts: 1671
- Joined: Sat Apr 10, 2010 5:54 pm
- Location: Seireitei, Soul Society
- Contact:
Re: Trojan:Win32/Harasom.A
in attach
-
- Posts: 88
- Joined: Thu Aug 26, 2010 8:23 am
- Location: Germany
- Contact:
Re: File Encrypting Ransomware
It looks like there is a new variant going around at the moment. The encryption key or encryption method has changed. The HTML files also no longer redirect to a website but contain the entire ransom notice in the form of a picture and a few carefully placed HTML elements:

<html xmlns='http://www.w3.org/1999/xhtml'>
<head>
  <meta http-equiv='Content-Type' content='text/html; charset=utf-8' />
  <title>index</title>
</head>
<body>
  <table width='1000' height='750' border='0' align='center' cellpadding='0' cellspacing='0' background='file:///C:\Users\makmass\AppData\Roaming\Video\pic3.jpg'>
    <tr><td height='86' valign='bottom'>
      <table width='793' border='0' cellspacing='0' cellpadding='0'>
        <tr><td width='509'> </td><td width='284' align='left' style='font-size:14px; color:#FFF; font-weight:bold;'>evilevilmaxsokolov@yahoo.com</td></tr>
      </table>
    </td></tr>
    <tr><td height='316' align='right' valign='bottom'>
      <table width='212' border='0' cellspacing='0' cellpadding='0'>
        <tr><td width='149' align='left' style='font-size:12px; color:#D34E53; font-weight:bold;'>evilevilmaxsokolov@yahoo.com</td><td width='66'> </td></tr>
      </table>
    </td></tr>
    <tr><td height='46' align='right' valign='bottom'>
      <table width='364' border='0' cellspacing='0' cellpadding='0'>
        <tr><td width='270'><input name='textfield' type='text' id='textfield' style='height:22px; width:270px;'/></td><td width='99'> </td></tr>
      </table>
    </td></tr>
    <tr><td> </td></tr>
  </table>
</body>

The resulting ransom note looks something like this:

[screenshot of the ransom note; image not preserved in this copy of the post]

Unfortunately I haven't found the actual malware sample yet as most victims I met so far already removed the infection. If someone comes across a sample though I would love to take a look at it.

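A defender-side triage script for the note format above, added here as an example rather than the thread's own code or the Emsisoft decrypter: it parses an HTML file for the three features of this template (the contact address in the table cells, the local pic3.jpg background image, the unlock text field) and walks a directory to separate dropped notes from files that merely had .html appended to their name. The indicator strings come from the quoted HTML; the rule that a renamed *.html file whose content is not HTML is a probable encrypted original, and the constructed sample files, are this example's own assumptions, since the thread does not describe the ciphertext.

```python
"""Triage helper for Harasom-style ransom notes and renamed files.

Added example for this thread, not the thread's own code and not Emsisoft's
decrypter. Indicator strings come from the ransom-note HTML quoted in the post
above; the heuristic that a file renamed to *.html whose content is not HTML
is probably an encrypted original is an assumption of this example.
"""
import os
import sys
from html.parser import HTMLParser

# Indicators taken from the ransom-note HTML posted in the thread.
NOTE_EMAIL = "evilevilmaxsokolov@yahoo.com"
NOTE_BACKGROUND = r"AppData\Roaming\Video\pic3.jpg"   # local image the note embeds
NOTE_INPUT_ID = "textfield"                            # the "unlock code" box


class RansomNoteParser(HTMLParser):
    """Collects the features that distinguish the note template from ordinary HTML."""

    def __init__(self):
        super().__init__()
        self.backgrounds = []   # background= attribute values of <table> tags
        self.input_ids = []     # id= of text inputs
        self.text = []          # non-empty text nodes

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "table" and a.get("background"):
            self.backgrounds.append(a["background"])
        if tag == "input" and a.get("type") == "text":
            self.input_ids.append(a.get("id") or "")

    def handle_data(self, data):
        if data.strip():
            self.text.append(data.strip())


def score_note(html):
    """Return which indicators matched; two of three is treated as a hit."""
    p = RansomNoteParser()
    p.feed(html)
    hits = {
        "contact_email": any(NOTE_EMAIL in t for t in p.text),
        "local_background_image": any(NOTE_BACKGROUND.lower() in b.lower() for b in p.backgrounds),
        "unlock_textfield": NOTE_INPUT_ID in p.input_ids,
    }
    hits["is_ransom_note"] = sum(hits.values()) >= 2
    return hits


def classify_file(name, data):
    """Classify one file as 'ransom_note', 'suspected_encrypted' or 'other'.

    The thread says the malware appends .html to the files it encrypts, so a
    *.html file that keeps an inner extension (report.txt.html) and whose bytes
    do not look like HTML is flagged as a probable encrypted original (assumption).
    """
    if not name.lower().endswith(".html"):
        return "other"
    looks_like_html = data.lstrip()[:1] == b"<"
    if looks_like_html and score_note(data.decode("utf-8", "replace"))["is_ransom_note"]:
        return "ransom_note"
    inner_ext = os.path.splitext(name[:-len(".html")])[1]
    if not looks_like_html and inner_ext:
        return "suspected_encrypted"
    return "other"


def scan_directory(root):
    """Map every file under root to its classification (reads only the first 64 KiB)."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                results[path] = classify_file(fn, fh.read(65536))
    return results


# Constructed sample: the note template from the thread, trimmed to the relevant cells.
SAMPLE_NOTE = r"""<html xmlns='http://www.w3.org/1999/xhtml'><head><title>index</title></head><body>
<table width='1000' height='750' background='file:///C:\Users\makmass\AppData\Roaming\Video\pic3.jpg'>
<tr><td style='font-size:14px; color:#FFF;'>evilevilmaxsokolov@yahoo.com</td></tr>
<tr><td><input name='textfield' type='text' id='textfield' style='height:22px; width:270px;'/></td></tr>
</table></body></html>"""

# Constructed sample tree: a dropped note, a renamed (supposedly encrypted) file, a benign page.
SAMPLE_FILES = {
    "index.html": SAMPLE_NOTE.encode(),
    "JRT.txt.html": bytes(range(200, 230)),          # opaque bytes standing in for ciphertext
    "readme.html": b"<html><body>release notes</body></html>",
}


def demo():
    """Classify the constructed samples; used when no directory is given."""
    return {name: classify_file(name, data) for name, data in SAMPLE_FILES.items()}


if __name__ == "__main__":
    print(scan_directory(sys.argv[1]) if len(sys.argv) > 1 else demo())
```

Run it with a directory argument to triage a recovered disk image mount; the two-of-three scoring keeps a single matching string (for example the e-mail address quoted in an unrelated page) from producing a hit on its own.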
-
- Posts: 88
- Joined: Thu Aug 26, 2010 8:23 am
- Location: Germany
- Contact:
Re: File Encrypting Ransomware
Found the sample. It's indeed a new Harasom variant as I first suspected. Detection rates:
https://www.virustotal.com/en/file/8b70 ... 371677082/
Encryption works identically to before, just the encryption key changed to "encryptkey1111111111111111111111". The packed and unpacked samples are attached. The decrypter has already been updated and is available here:
http://tmp.emsisoft.com/fw/decrypt_harasom.exe
The old decrypter URLs will continue to work as well.
Re: File Encrypting Ransomware
Hi,

Fabian Wosar wrote:
Found the sample. It's indeed a new Harasom variant as I first suspected. Detection rates:
https://www.virustotal.com/en/file/8b70 ... 371677082/
Encryption works identically to before, just the encryption key changed to "encryptkey1111111111111111111111". The packed and unpacked samples are attached. The decrypter has already been updated and is available here:
http://tmp.emsisoft.com/fw/decrypt_harasom.exe
The old decrypter URLs will continue to work as well.
Great job that you created a tool to help the users so fast. This shit looks really lame though, would like to ask if there is a password (unique/pc?) for the "Decrypt password" area to unlock the computer in the first place?
P.S.: The author of this proware kinda reminds me of the ACCDFISA author (http://www.kernelmode.info/forum/viewto ... =16&t=1578). He used almost the same words.
-
- Posts: 88
- Joined: Thu Aug 26, 2010 8:23 am
- Location: Germany
- Contact:
Re: File Encrypting Ransomware
Flamef wrote:
Great job that you created a tool to help the users so fast. This shit looks really lame though, would like to ask if there is a password (unique/pc?) for the "Decrypt password" area to unlock the computer in the first place?

It is quite lame, yeah. There might be a way to unlock the computer by supplying the correct unlock code. To be honest, I didn't bother to check as updating the decrypter was straightforward and I prefer not to use the decrypter supplied by the bad guys.

Flamef wrote:
P.S.: The author of this proware kinda reminds me of the ACCDFISA author (http://www.kernelmode.info/forum/viewto ... =16&t=1578). He used almost the same words.

Well, the text reads similar. This malware however is more sophisticated than ACCDFISA is (yeah, those guys are still active). If this was done by the same people, you would see WinRAR being used for the actual encryption, as they wouldn't know how to do it themselves.

-
- Posts: 157
- Joined: Sun May 01, 2011 4:33 pm
- Location: Los Angeles, CA
- Contact:
Re: File Encrypting Ransomware
Have a new sample of Harasom. I left my dropbox running on my VM and lost half my files.... *facepalm* (there is no option to recover via dropbox.com either)
The decrypter that Fabian provided cleaned the infection but I assume it just needs a different key to properly decrypt the files.
Inside the archive is the dropper and one of the encrypted files (a JRT log).
VT Low 2/41:
https://www.virustotal.com/en/file/50bc ... 373575418/
MD5: 149c4ac4ba0863607e033d6a5721fee7
-
- Posts: 88
- Joined: Thu Aug 26, 2010 8:23 am
- Location: Germany
- Contact:
Re: File Encrypting Ransomware
Yeah, it's a new variant alright. Encryption key changed to "Yhk86jMwnnskKNYne73NnsqkwHVWkkqn". Decrypter has already been updated and is available here:
http://tmp.emsisoft.com/fw/decrypt_harasom.exe
I attached the unpacked sample if anyone is curious.