
Ransomware Development Projections for 2017

Each of us remembers 2016 in our own way: physicists for the discovery of the gravitational waves predicted by Albert Einstein, politicians for the conflicts in the Middle East, musicians for the Nobel Peace Prize awarded to Bob Dylan. IT security experts remember 2016 for the incredible surge of ransomware, which forced not only specialists but also ordinary users to learn the answer to the question “What is ransomware?”.







Now it is 2017, and there is no doubt that ransomware (extortion programs) will become even more dangerous and will continue its attack on user data. All users are at risk, and either you or your friends may face this threat tomorrow.


“Forewarned is forearmed,” we thought, so we conducted a detailed analysis of one of the latest ransomware programs and also prepared a short forecast for the coming year.



We start with the forecast and leave the “dessert”, a detailed analysis of the ransomware program, for later:





2016 was a tough year, but at least ransomware had not yet become the terrible weapon it will become in 2017, one that will be successfully used to blackmail celebrities, government agencies and millions of consumers.



And now, as promised, the dessert: “DeriaLock, seasoned with comments from Acronis”. This ransomware exists in several versions. The Christmas version of DeriaLock was described on the BleepingComputer website, and on December 26, 2016 Karsten Hahn from G-Data found another, newer version. It is this latest version of DeriaLock (MD5: 0a7b70efba0aa93d4bc0857b87ac2fcb) that we decided to focus on. We found that it not only locks the computer but also encrypts files, and if the user tries to solve the problem with a “classic” restart of the computer, it deletes them.



DeriaLock consists of three functional parts: a screen locker, which first appeared in the Christmas version, a file encryptor and a file deletion module. Details of how the screen locker works are available on BleepingComputer; here we consider the last two parts of the program, the encryptor and the file deletion module.



DeriaLock is an obfuscated .NET application written in Visual Basic. Note that the number of VB.NET locker-encryptors has increased significantly over the past few months, which may be due to the source code of such a program having been made publicly available for educational purposes.



First, note that DeriaLock requires administrator rights and .NET Framework 4.5. If User Account Control is enabled, the user is asked to confirm the elevation of privileges.



Encryption functionality



DeriaLock encrypts files using AES-256 symmetric encryption within the following folders:





The encryptor contains a complex password that is used to calculate the 256-bit AES encryption key and the 16-byte initialization vector; because the password is in the program itself, files can be decrypted without paying the extortionists.



To create the encryption key, the password is hashed: the first 32 bytes of the hash are the encryption key and the next 16 bytes are the initialization vector.
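As an added example (not code from the original post and not DeriaLock's own code), the derivation described above carried through in Go, together with a decryptor of the kind the recovery section at the end of the post calls for. Assumptions: the hash function is SHA-512 (the post only says the password is hashed), the mode is AES-256-CBC with PKCS#7 padding (the post names only AES-256 and a 16-byte IV), and the password is a placeholder, since the real one is not reproduced here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha512"
	"errors"
)

// Placeholder only: the real hard-coded DeriaLock password is not reproduced here.
const placeholderPassword = "PLACEHOLDER-PASSWORD"

// DeriveKeyIV splits the password hash as the post describes: bytes 0..31 are the
// AES-256 key, bytes 32..47 the IV. SHA-512 is an assumption; the post only says "hashed".
func DeriveKeyIV(password string) (key, iv []byte) {
	sum := sha512.Sum512([]byte(password))
	return sum[:32], sum[32:48]
}

// DecryptDeria reverses AES-256-CBC with PKCS#7 padding; CBC and PKCS#7 are
// assumptions, the post names only AES-256 and a 16-byte IV.
func DecryptDeria(ciphertext, key, iv []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) == 0 || len(ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of blocks")
	}
	plain := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, ciphertext)
	pad := int(plain[len(plain)-1])
	if pad < 1 || pad > aes.BlockSize ||
		!bytes.Equal(plain[len(plain)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad padding: wrong key/IV or damaged file")
	}
	return plain[:len(plain)-pad], nil
}

// EncryptDeria produces a constructed sample ".deria" payload under the same
// scheme so the decryptor can be exercised offline without a real infected file.
func EncryptDeria(plain, key, iv []byte) []byte {
	block, _ := aes.NewCipher(key)
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	padded := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out
}
```

A recovery script would call DeriveKeyIV once with the real password and then DecryptDeria on the contents of every “.deria” file, writing the result only when no padding error is reported.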



When the encryption process is completed, the user receives the following message:





DeriaLock then shows a message explaining how to recover files and unlock the system. It also warns the user that trying to solve the problem by restarting the computer may result in the deletion of all files:







Payment



Unlike other types of ransomware, DeriaLock demands a ransom of 30 USD/EUR paid to the Skype account “ARIZONACODE”, which may make it the first ransomware to use this payment method.



Communication with C&C



After payment, DeriaLock downloads the file deletion module (MD5: 2a95426852af058414bbc9ca236208dd) from an external server:







Every second the program checks the contents of the file at:

arizonacode.bplaced.net/HF/SystemLocker/unlock-everybody.txt


If the file contains the digit “1”, DeriaLock unlocks the system: it deletes the file C:\Users\%user%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LOGON.exe, launches Explorer.exe and exits.



When the user enters an unlock key in the form, DeriaLock contacts the external server and checks whether a .txt file named after the user ID exists on the server, for example:



http://arizonacode.bplaced.net/HF/SystemLocker/UNLOCKKEYS/f5515aff329218c79cac09122bd970f2.txt



If such a file exists, the program reads the key from it and compares it with the key entered in the form. If the two keys match, the computer is unlocked and the files are decrypted.



File Removal Module



If the user decides to restart the system, the file deletion module is started during system boot from:



C:\Users\%user%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LOGON.exe


It also requires admin rights to run.









Self defense



To protect itself, DeriaLock terminates the following processes:





After the system reboots, the loaded file deletion module also terminates the following processes:





When the user tries to stop the ransomware, for example with the Alt-F4 key combination, DeriaLock blocks such attempts and displays the following sarcastic message:





Authorship



Clearly, more than one developer took part in creating DeriaLock. The version under review has an additional machine on the whitelist that is absent from previous versions:







How to unlock and decrypt



As we said above, this malware, even in its latest version, remains fairly simple and allows you to recover your files without paying the ransom. However, we want to emphasize that this still requires some knowledge and skills, so the actions described below are performed at your own risk. We warn you that in case of an error you may lose all your data.



To unlock an infected system, proceed according to one of the following scenarios:



If Windows can be started in safe mode:



  1. Hard-reset the computer.
  2. Start Windows in safe mode.
  3. Delete the file:

    C:\Users\%user%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LOGON.exe


If safe mode does not start:



  1. Hard-reset the computer.
  2. Open the BIOS.
  3. Select a boot device from which a backup system disk can be started.
  4. Start the computer from the backup system disk.
  5. Delete the file:

    C:\Users\%user%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LOGON.exe


A safer way is to set up a proxy server that intercepts the C&C requests from the infected computer:



  1. Create a DNS record for “arizonacode.bplaced.net” on the local DNS server that redirects all its traffic to the local proxy server.
  2. Create a file containing the digit “1” in the root directory of the server:

    /HF/SystemLocker/unlock-everybody.txt


To decrypt files, proceed according to one of the following scenarios:



  1. Calculate the encryption key and initialization vector from the password using the algorithm described above.
  2. Write a script that decrypts all files with the extension “.deria”.


or



  1. Create a DNS record for “arizonacode.bplaced.net” on the local DNS server that redirects all its traffic to the local proxy server.
  2. Create the following file, containing an arbitrary key, in the root directory of the web server:

    /HF/SystemLocker/UNLOCKKEYS/<ID>.txt

  3. Enter the same key in the form and click “Submit”.
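As an added example (not code from the original post or from any Acronis tool), a minimal Go sinkhole that answers both C&C paths described above: it serves “1” at unlock-everybody.txt and an arbitrary key at UNLOCKKEYS/<ID>.txt, so it covers both the unlock scenario and the second decryption scenario. The key value, the restriction to 32-hex-character IDs (the shape of the example ID in the post) and listening on port 80 are assumptions; the DNS override for arizonacode.bplaced.net must point at the host running it.

```go
package main

import (
	"net/http"
	"path"
	"strings"
)

// Constructed values: the unlock key is arbitrary (the post says any key works
// as long as the same value is typed into the form); the two paths are the
// C&C locations quoted in the post.
const (
	unlockPath   = "/HF/SystemLocker/unlock-everybody.txt"
	keysPrefix   = "/HF/SystemLocker/UNLOCKKEYS/"
	arbitraryKey = "RECOVERY-KEY-0001"
)

// SinkholeResponse returns the body and HTTP status for a request path once
// arizonacode.bplaced.net resolves to this host: "1" tells DeriaLock to unlock,
// and UNLOCKKEYS/<ID>.txt hands back the key the user will type into the form.
// Any other path is refused so the sinkhole does not become a generic file server.
func SinkholeResponse(urlPath string) (string, int) {
	switch {
	case urlPath == unlockPath:
		return "1", http.StatusOK
	case strings.HasPrefix(urlPath, keysPrefix) && path.Ext(urlPath) == ".txt":
		id := strings.TrimSuffix(path.Base(urlPath), ".txt")
		// Assumption: IDs look like the 32-hex-character example in the post.
		if len(id) == 32 && strings.Trim(id, "0123456789abcdef") == "" {
			return arbitraryKey, http.StatusOK
		}
	}
	return "", http.StatusNotFound
}

func main() {
	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		body, status := SinkholeResponse(r.URL.Path)
		w.WriteHeader(status)
		_, _ = w.Write([]byte(body))
	})
	// The sample URL in the post is plain http without a port, hence port 80
	// (needs privileges); bind on the address the DNS override resolves to.
	_ = http.ListenAndServe(":80", nil)
}
```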


With Acronis Active Protection, you'll be safe.



Acronis Active Protection is able to detect DeriaLock and protect your system from it. This innovative technology, first used in Acronis True Image 2017 New Generation, is based on behavioral heuristics and easily identifies and stops the malicious activity of DeriaLock. It also lets the user automatically recover any affected files.




Source: https://habr.com/ru/post/323288/
