Ransomware Decryptors for a (varying) fee

12/24/2020

Ransomware attacks wreak havoc on business operations. Destroying recovery options, instill­ing fear and panic, and most often creating high levels of stress for IT staff, owners, and operators. A simple, but often costly fix is to just pay the Threat Actor for the decryption utility. While making a payment to an anonymous entity is a highly debated topic, let us assume, for the pur­poses of this article, that the payment is the only option other than closing your business. Please note, Arete is not advocating to pay ransoms; the choice is entirely a business decision to pursue. This article is intended to provide insight into the various types of decryptors the threat groups provide to unlock your files. We will discuss specific decryptors for some of the more pop­ular variants as well as address subtle nuances between the decryptors.

Full Disk Encryption

Ransomware variants like THT, Mamba, or MCrypt use native or opensource encryption software to encrypt the entire hard drive of the system. Once the TA gains access to the system with administrator privileges, the TA will use a tool like Bestcrypt, DiskCryptor or even Win­dows Bitlocker to encrypt the full disk. Once encryption is complete, the system reboots and the victims are locked out.

Communication preference: Email usually pro­tonmail, firemail.cc, or cock.li domains

Average ransom payment: $36,000 – $55,000

Preferred currency: Bitcoin (BTC)

Decryptor received: 100% of the time. TA will provide passwords per system for access

Watch out: MCrypt will hold volumes hostage and “re-extort” victims into making multiple payments. During the initial negotiation, the TA will not indicate multiple drives are encrypted. Instead they will negotiate a single amount for initial access to the Operating System; essential­ly allowing access into Windows. Once access to Windows is regained, victims often surprised to find their “data” partitions are encrypted caus­ing the victim to return to the negotiation table to once again shell out more money to unlock their information.

Notes: After gaining access, the open source encryption tool still needs to be removed other­wise after reboot, the data storage will be locked again.

System Specific Encryption

Ransomware variants like Phobos, Dharma or CryLock are file level encryption. The TA gains access to the system, copies specific encryption executables onto the systems then runs the executables to encrypt the files. The results are files with a new extension appended to the old file name. Sometimes it’s a random sequence of numbers and letters (e.g. *.nocv) or a specific tag (e.g. *[CryLockDecrypt@****.com][1].[ID-*****- COM]). System specific encryption generates a unique key per encrypted system. The ransom note or the file extension may indicate an “ID” that would be different on each system.

Communication preference: Email usually aol.com, protonmail.com, or cock.li domains

Average ransom payment: $27,000 – $500,000

Preferred currency: Bitcoin (BTC)

Decryptor Received: 95% of the time. Certain variants of Phobos and Dharma will attempt to re-extort a second payment if a large discount is negotiated.

Watch out: Phobos, Dharma, and CryLock are a two-step process. The TA will first send a “scan­ner” tool that needs to be run on every infected system. The scanner will look for the public keys used to encrypt the files, then write that infor­mation to a corresponding .txt or .ini file. Those corresponding files need to be sent to the TA in order to generate a decryptor. The TA in return will send the decryptors. The two-step process adds significant overhead due to the running of multiple tools on the infected system as well as the delay with communicating via email. On av­erage after making a payment for the decryptor, clients are who are infected with Phobos are down for approximately 11 days whereas clients who are infected with Dharma experience down­time of about 7.75 days. The high number of days can be attributed to the two-step process and multiple email communications.

Notes: Negotiating with the Phobos and Dhar­ma group can be tricky. These variants are Ransom-as-a-Service (RaaS) model so you’re not dealing with the same core group of people as you would with variants like Ryuk (or now Conti). Negotiating with RaaS groups can also create confusion and complexities with a different operator responding to each email. The groups who deploy these variants also look for exploiting publicly accessible Remote Desktop Protocol (RDP). Disable external access to RDP to lessen the chance of being infected by this variant.

System Specific Encryption with a Uni­versal Option

Ransomware variants like Sodinokibi are file level encryption with a unique ID per system. Once the TA gains access to the network, they release their Sodinokibi ransomware throughout the environment. The systems are infected with a unique randomly generated file extension per system. Their ransom notes are usually within a text file and explain what happened, including if any data was exfiltrated. The group is very or­ganized and can often share information about their victim’s networks including domain infor­mation, infected systems, and any stolen data.

 

Communication preference: TOR Website via chat room. The ransom note contains a link to the TOR site as well as a unique key to gain access to a private chat room where the negotia­tions occur.

Average ransom payment: $170,000

Preferred currency: Monero (XMR)

Decryptor received: 100% of the time. Sodin offers a general decryptor which requires the victim to collect the file extensions from all of their infected systems. This can be very tedious once the payment is made, the victim can input any number of file extensions into the input box on the TOR site to generate a decryptor. Sodin will keep that private room open for 30 days after payment allowing victims to return if they find any extensions not previously found. A lesser known secret with Sodin, if you ask nicely for a universal decryptor, the operator may create the decryptor for you; providing a single decryptor that can be used across your network. The uni­versal decryptor certainly saves a lot of time with decrypting files and minimizing the number of times having to launch the TOR browser.

Watch out: Earlier this year, Sodin changed their code base for their encryption payloads causing instability on certain Windows Operating Sys­tems within the master boot files. Using certain security tools after a Sodin outbreak can cause systems to hang during reboot. Sodin encryption is one of the more aggressive encryptions.

Be sure to create a snapshot or backup the files prior to installing any new software or perform­ing live forensics on critical systems.

Notes: Sodin has made headlines throughout 2020 for following Maze with exfiltrating data as well as being the first ransomware group to only accept Monero for payments.

System Specific Encryption with a Uni­versal Option

 Ransomware variants like Sodinokibi are file level encryption with a unique ID per system. Once the TA gains access to the network, they release their Sodinokibi ransomware throughout the environment. The systems are infected with a unique randomly generated file extension per system. Their ransom notes are usually within a text file and explain what happened, including if any data was exfiltrated. The group is very or­ganized and can often share information about their victim’s networks including domain infor­mation, infected systems, and any stolen data.

Communication preference: TOR Website via chat room. The ransom note contains a link to the TOR site as well as a unique key to gain access to a private chat room where the negotia­tions occur.

Average ransom payment: $170,000

Preferred currency: Monero (XMR)

Decryptor received: 100% of the time. Sodin offers a general decryptor which requires the victim to collect the file extensions from all of their infected systems. This can be very tedious once the payment is made, the victim can input any number of file extensions into the input box on the TOR site to generate a decryptor. Sodin will keep that private room open for 30 days after payment allowing victims to return if they find any extensions not previously found. A lesser known secret with Sodin, if you ask nicely for a universal decryptor, the operator may create the decryptor for you; providing a single decryptor that can be used across your network. The uni­versal decryptor certainly saves a lot of time with decrypting files and minimizing the number of times having to launch the TOR browser.

Watch out: Earlier this year, Sodin changed their code base for their encryption payloads causing instability on certain Windows Operating Sys­tems within the master boot files. Using certain security tools after a Sodin outbreak can cause systems to hang during reboot. Sodin encryption is one of the more aggressive encryptions.

Be sure to create a snapshot or backup the files prior to installing any new software or perform­ing live forensics on critical systems.

Notes: Sodin has made headlines throughout 2020 for following Maze with exfiltrating data as well as being the first ransomware group to only accept Monero for payments. eir.co

Universal Encryption

Ransomware variants like Ryuk, WastedLocker, and Dopplepaymer are also file level encryption. These groups will gain access to the network and perform reconnaissance to identify the victim, understand their business, identify critical sys­tems, and delete backups to force their victims into making a payment. The groups can have access to the network for a few hours or upwards of over a month. Ryuk is commonly associated with precursor trojans such as Trickbot and Emo­tet. Arete has observed Ryuk deployed as quickly as 6 hours after a Trickbot infection. Ryuk infec­tions result with *.ryk appended to the file name. Comparatively, the deployment of WastedLocker is much more calculated with the TA staying on the network for an average of 2 weeks from ini­tial infection to ransomware deployment. Wast­ed infections result with *.abcwasted appended to the file name where “abc” is a 3 letter abbrevi­ation relating directly to the victims name.

 

Communication preference: Email usually pro­tonmail.com domains or TOR Website

Average ransom payment: Ryuk $598,000; WastedLocker $2,400,000; Dopplepaymer $304,000

Preferred currency: Bitcoin (BTC)

Decryptor received: 100% of the time. The de­cryptor received is universal. It is typically a 32-bit executable that will work on any windows OS version. While these groups are known for a high ransom price, their decryptor is probably the simplest to run.

Watch out: WastedLocker is extremely difficult to negotiate. In fact, if negotiation is attempted, they may threaten to increase the ransom by ap­proximately 5% of the ransom per day until it is paid. They are also very slow to respond to email and even post their business hours of UTC 5am- 8am and 5pm-8pm.

Notes: Dopplepaymer has been linked to gain­ing access to large environments and deploying cryptomining malware before launching their ransomware attack.

Pro Tips to Prevent Ransomware

Attacks

• Implement Endpoint, Detection, and Re­sponse software such as SentinelOne to monitor the computer systems in use by your organization. SentinelOne uses Artificial Intelligence technology to detect malicious actions and prevent them before they can severely affect the endpoint.
• Leverage a Security Operations Center (“SOC”) to monitor computer systems 24 hours a day by 7 days a week. The SOC can instantly respond to triage and mitigate any alerts while keeping your IT personnel fo­cused on maintain business productivity.
• Enable Multi-Factor Authentication (“MFA”) on remote access technologies such as VPN and Email.
• Use complex passwords with a minimum of 16 alphanumeric characters (non- dictionary words).
• Don’t reuse passwords.
• Encourage discussion about cybersecurity within the workplace including establishing end user awareness training.
• Ensure backups are current, air gapped from the production network, and viable.