No C&C server needed: Russia menaced by offline ransomware

Harder to take down, nyet?

Miscreants have cooked up a new strain of ransomware that works offline and so might be more resistant to law enforcement takedown efforts as a result.

The ransomware family (identified by various names by antivirus firms) manages to encrypt files on infected Windows PCs without storing the entire decryption key locally – and without needing an internet connection – security firm Check Point reports.

The malware pulls this off by generating a local RSA public key that it uses to encrypt files, which it then stores in the metadata of each file. When a victim wants their data decrypted, they can contact cybercriminals via an email address (added to the name of each file), and send one of the encrypted files as an attachment.

Many email addresses, mainly AOL and Gmail accounts (but also others) have been associated with this ransomware.

The ransomware operator then looks at the file's metadata, extracts the user-side-generated RSA public key, and matches it to their own RSA private key database.
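The key handling described above (public key embedded in each file, matched against the operator's private-key table) as an added example from the recovery side, not code from Check Point or from the malware: the trailer layout, the toy 12-bit RSA key and the single-byte XOR "file cipher" are all constructed stand-ins for this illustration.

```python
import hashlib
import json
import struct

# Trailer layout is an assumption for this example, not the real malware's format:
#   <ciphertext> <JSON metadata> <4-byte LE metadata length> <MAGIC>
MAGIC = b"OFFLINE-RSA"

def parse_trailer(blob: bytes):
    """Split an encrypted file into its ciphertext and the embedded metadata."""
    if not blob.endswith(MAGIC):
        raise ValueError("no embedded metadata trailer")
    body = blob[: -len(MAGIC)]
    (meta_len,) = struct.unpack("<I", body[-4:])
    meta = json.loads(body[-4 - meta_len : -4].decode())
    return body[: -4 - meta_len], meta

def key_fingerprint(n: int, e: int) -> str:
    """Stable identifier for a public key; the lookup key into the private-key table."""
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()[:16]

def recover(blob: bytes, private_keys: dict) -> dict:
    """Match the embedded public key against known private keys and, on a hit,
    unwrap the per-file key and decrypt. No server is involved: the file itself
    carries the contact address and identifies which private key is needed."""
    ciphertext, meta = parse_trailer(blob)
    fp = key_fingerprint(meta["n"], meta["e"])
    result = {"contact": meta["contact"], "fingerprint": fp, "plaintext": None}
    d = private_keys.get(fp)
    if d is None:
        return result  # no private key for this public key: not recoverable
    # Textbook RSA unwrap of the per-file key (toy modulus, no padding).
    file_key = pow(meta["wrapped_key"], d, meta["n"])
    # Stand-in for the real file cipher: single-byte XOR keyed with file_key.
    result["plaintext"] = bytes(b ^ (file_key & 0xFF) for b in ciphertext)
    return result

# Constructed sample: toy RSA n=3233, e=17 (d=2753); per-file key 65, wrapped = 65^17 mod 3233 = 2790.
SAMPLE_META = json.dumps({"n": 3233, "e": 17, "wrapped_key": 2790,
                          "contact": "victim-contact@example.com"}).encode()
SAMPLE_FILE = (bytes([0x12, 0x04, 0x02, 0x13, 0x04, 0x15]) + SAMPLE_META
               + struct.pack("<I", len(SAMPLE_META)) + MAGIC)

# Private-key table as the operator (or a decryptor built from seized keys) would hold it.
KNOWN_PRIVATE_KEYS = {key_fingerprint(3233, 17): 2753}

if __name__ == "__main__":
    print(recover(SAMPLE_FILE, KNOWN_PRIVATE_KEYS))
```

For a responder, the embedded public key fingerprint and the contact address are the two triage values worth recording per victim: they tie a sample to a campaign and tell whether any recovered private key applies.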

The approach may seem inelegant at first, but it does without the need to run command and control servers to host encryption keys. Such command hubs can become the target of law enforcement takedown operations, as happened in the high profile CryptoLocker case.

Check Point’s researchers believe that it is not feasible to brute-force the ransomware encryption.

Researchers at the security firm got hold of a sample of the malware in September. When the sample was run, an extortionate demand in Russian was displayed which gave payment instructions. While running, the ransomware does not interact with the user, other than changing the wallpaper.

Check Point reached out anonymously to the attacker’s email, and received a reply requesting a payment of 20,000 Russian rubles (about $300) on the same day or 25,000 ($380) on the following day, to receive a decryption program and key.

Russian language forums first referenced the malware in June 2014, the security researchers discovered. Since then, 11 new versions have been reported. The ransomware sample investigated by Check Point, which explained the technical details of how it was put together (blog post extract below), was from version CL

It uses a protector that was written in Visual Basic compiled language. To unpack the payload, the ransomware restarts its own process using section mapping and overwrites four times.

The payload that is responsible for file encryption is most likely written in Delphi language using some additional Pascal modules (for example, FGInt that is used to represent large numbers) ...

The ransomware does not contain much functionality except for the file encryption capability.

Various versions of the ransomware have been given unique names by different vendors including Ransomcrypt.U (Symantec) and VBKryjetor-WFA (Kaspersky Lab).

Although it's been around for a year, Check Point’s write-up offers the most detailed examination of the malware to date, at least in the English language. ®


Security experts are sniffy about the approach to crypto taken by the malware authors. That's as maybe, but it's of little relevance to victims, who are nonetheless unable to easily get back their files without paying up.
