According to the China-based Huorong security team, a number of users have recently reported a ransomware attack in which the attacker planted the ransomware through a backdoor trojan.
Analysis of the samples shows that the ransomware is written in EPL (Easy Programming Language, a Chinese-language programming language) and marks the files it encrypts with the suffix "_HD".
Unlike common ransomware, it leaves no contact or ransom information; instead it contains a reversible decryption algorithm and the provocative message "I am ransomware, ask for reversible algorithm", and leaves some decryption clues.
Based on the decryption algorithm and the clues it contains, Huorong engineers eventually succeeded in cracking the ransomware.
While engineers performed traceability analysis of the backdoor, they also upgraded the product with new defense rules and blocked the virus' distribution channels.
After the ransomware was analyzed and successfully decrypted, a corresponding decryption tool was released.
Huorong software (personal and enterprise editions) can now block and remove the above backdoor and ransomware.
Decryption Tool Diagram
In addition, one user said that the virus author had even contacted him via QQ and told him to post the ransomware to the Huorong forums for help.
Based on the Chinese chat logs, the pop-up messages and the EPL-compiled binaries, it is almost certain that the virus was written by a Chinese speaker, and that the purpose was not to collect a ransom but to show off and provoke users and security vendors.
It also cannot be ruled out that the author was following the example of the ransomware "WannaRen", also written in EPL, which broke out in early April.
Because EPL is relatively easy to learn and fits the Chinese-language environment, it has spread widely in China and is in common use.
At the same time, this has led to a gradual increase in cases of EPL being used to write ransomware and attack users, including "just for show, not for money" cases such as the one described in this article.
Huorong will continue to monitor such ransomware and related cases, and will improve its defense rules to protect its users.
Once again, users are reminded that most ransomware cannot be decrypted unless the author releases the private decryption key (as in the case of "WannaRen").
To avoid losses from ransomware encryption, back up important data frequently, maintain good Internet habits, do not install or use unofficial software, do not open unfamiliar emails, attachments or links, patch system vulnerabilities promptly, and install reputable security software.
Annex: [Analytical report]
A detailed analysis
We described above how the attacker dropped the ransomware through a backdoor and encrypted user data files. Even more bizarrely, the virus author left the string "I'm blackmailing for a reverse algorithm".
During our decryption attempts, we found that of the 8 random bytes needed for decryption, the virus author deliberately recorded only 4 in the file holding the private key; the remaining 4 bytes must be recovered by brute force.
The relevant data is shown in the following figure.
The ransomware is dropped as a file named TRAE.exe in the directory where the backdoor resides. After execution, it encrypts data files with the DES algorithm and stores the randomly generated DES key, encrypted with ECC (elliptic curve cryptography), inside the encrypted file.
The directory of encrypted data files is shown in the following figure.
Directory of encrypted files
Ransom note
Unlike earlier ransomware, this ransomware encrypts user files but leaves no payment address for a ransom. If the user has no security software installed, the virus author suggests that the user find a security vendor to decrypt the files.
Over a period of time we received multiple user reports about this ransomware in a row. Screenshots of the user feedback are shown below.
The ransomware randomly generates an ECC private/public key pair. The virus code then concatenates the ECC private key with its CRC32, shuffles the result (the shuffle order is derived from the MD5 of 8 random bytes), XORs it with a random key byte, and finally writes the result to the file "ECC encryption.log". User files are encrypted with the DES algorithm; the DES key is random and different for every file, and it is stored in the encrypted file encrypted under the ECC public key. The encryption process is shown in the following figure.
When file encryption is complete, the virus concatenates a marker, the ECC-encrypted DES key information and the encrypted file data to form the encrypted file. The relevant file layout is as follows.
The MD5 used for the shuffle is generated from the 8 random bytes; the code that generates it is shown in the following figure.
MD5 generation for the shuffle
After obtaining the MD5 value, the virus shuffles the private key together with the CRC32 value appended to it. The relevant code is shown in the following figure.
Private-key shuffle code
The private key data is then concatenated with 3 bytes of random data taken from the MD5 data produced in the previous step, and one of those bytes is used as the XOR key to encrypt the private key data.
Finally, the XOR key is appended to the encrypted data and written to the ransom note file.
Once the ECC private key has been encrypted, the virus begins encrypting files.
The virus first checks each file: if the extension is "exe", "dll", "sys" or "_HD", or the file is larger than 0x2DC6C0 bytes, the file is skipped and not encrypted.
Otherwise, the file content is compressed with the zlib algorithm and then encrypted with DES.
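The following is an added Python reconstruction of the private-key wrapping described above and of the partial-seed recovery mentioned earlier (only 4 of the 8 random bytes recorded, the rest brute-forced). It is not the virus code or Huorong's tool: the page does not give the exact shuffle algorithm or which digest byte becomes the XOR key, so a Fisher-Yates shuffle driven by the MD5 bytes and digest[0] as the XOR key are assumptions. The point it shows is defensive: the CRC32 the author appended lets a decryptor confirm a guessed seed.

```python
import hashlib
import struct
import zlib

# Schematic reconstruction (constructed example). The shuffle rule and the
# XOR-key byte selection are assumptions; the page does not specify them.

def crc32_le(data: bytes) -> bytes:
    """CRC32 of data as 4 little-endian bytes (the check value appended to the key)."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)

def shuffle_order(digest: bytes, n: int) -> list:
    """Assumed: Fisher-Yates permutation of n positions driven by the 16 MD5 bytes."""
    perm = list(range(n))
    for i in range(n - 1, 0, -1):
        j = digest[i % 16] % (i + 1)
        perm[i], perm[j] = perm[j], perm[i]
    return perm

def wrap_private_key(priv: bytes, rand8: bytes) -> bytes:
    """priv || CRC32 -> shuffle by MD5(rand8) -> XOR with one digest byte -> key byte prepended."""
    blob = priv + crc32_le(priv)
    digest = hashlib.md5(rand8).digest()
    perm = shuffle_order(digest, len(blob))
    shuffled = bytes(blob[p] for p in perm)
    xor_key = digest[0]  # assumed choice of the XOR key byte
    return bytes([xor_key]) + bytes(b ^ xor_key for b in shuffled)

def unwrap_private_key(wrapped: bytes, rand8: bytes):
    """Inverse of wrap_private_key; returns None when the CRC32 check fails."""
    xor_key, body = wrapped[0], wrapped[1:]
    digest = hashlib.md5(rand8).digest()
    shuffled = bytes(b ^ xor_key for b in body)
    perm = shuffle_order(digest, len(shuffled))
    blob = bytearray(len(shuffled))
    for i, p in enumerate(perm):
        blob[p] = shuffled[i]  # undo the shuffle
    priv, crc = bytes(blob[:-4]), bytes(blob[-4:])
    return priv if crc32_le(priv) == crc else None

def recover_from_partial_seed(wrapped: bytes, known: bytes, unknown_len: int = 4):
    """Brute-force the unrecorded trailing seed bytes; the CRC32 check identifies the hit."""
    for n in range(256 ** unknown_len):
        cand = known + n.to_bytes(unknown_len, "little")
        priv = unwrap_private_key(wrapped, cand)
        if priv is not None:
            return cand, priv
    return None
```

With the real 4 unknown bytes the search space is 2^32 MD5 evaluations, which is practical in native code but slow in Python; the function is general and the test below exercises it with 2 unknown bytes.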