New CryptoBit Ransomware Could Be Decryptable
Researchers are still reverse engineering the malware
PandaLabs, Panda
Security’s anti-malware lab, detected a new type of ransomware which
they think could be reverse engineered to allow users to recover their
files.
Named CryptoBit, this particular
ransomware variant infects users via exploits. First infections appeared
at the start of April, and security researchers claim the ransomware is
somewhat strange in its mode of operation.
After infection, CryptoBit will first and foremost
scan for files with particular extensions. By default, it looks
for 96 different file types, targeting regular data files
such as images, file archives, databases, and office documents.
CryptoBit uses AES+RSA encryption
Once CryptoBit identifies all valuable files, it
will proceed to encrypt them using the AES algorithm, which uses a single key
for both encryption and decryption.
The AES encryption key is then encrypted itself with
an RSA algorithm, which is a dual-key encryption model that uses a
different key for encryption (public key) and decryption (private key).
Researchers say the private key is most likely sent to a server under
the ransomware author's control.
After the encryption process ends, CryptoBit will
display a ransom note like the one below, telling the user that his files have been
encrypted and that he must contact the ransomware's author via an email
address or the Bitmessage network, using a special ID.
Compared to other ransomware families, CryptoBit is
very greedy, asking for a whopping 2 Bitcoin (~$850). Most ransomware
families these days ask for only 0.5 Bitcoin (~$215), and at most 1 Bitcoin (~$425).
CryptoBit may have a flaw
According to PandaLabs researchers, there might be a flaw in CryptoBit's armor.
"We notice[d] a specific detail: the absence of
calls to the native libraries that encrypt files using the RSA
algorithm," PandaLabs researchers say.
"CryptoBit uses a series of statically compiled routines that allow you
to operate with large numbers (“big numbers”), making it possible to
reproduce the RSA encryption algorithm."
As it looks right now, it may be possible for
security researchers to reverse engineer the ransomware's custom RSA
encryption operations and recover the original AES encryption key.
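The AES+RSA model described above, and the reason the custom big-number RSA routines matter, as an added example that is not the article's or PandaLabs' code: textbook RSA on Python big integers (demo-sized key, no padding) wraps a 32-byte AES key, and only the holder of the private exponent can unwrap it. The key size, the key-generation routine and the sample key are constructed for the demonstration and are not CryptoBit's parameters.

```python
import random
import secrets
from math import gcd

# Constructed demonstration of the hybrid scheme the article describes: files are
# encrypted with one AES key, and only that key is wrapped with RSA. Textbook RSA,
# demo-sized parameters, no padding: for illustration only, not production code.

def is_probable_prime(n, rounds=16):
    """Miller-Rabin probable-prime test, adequate for a demonstration key pair."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    """Random odd prime with the top bit set, so p*q has the expected size."""
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate

def rsa_keygen(bits=512, e=65537):
    """Return ((n, e), (n, d)); n > 2**256 so a 32-byte AES key fits in one block."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            n = p * q
            return (n, e), (n, pow(e, -1, phi))

def wrap_aes_key(aes_key, pub):
    """What the malware side does: c = m^e mod n, needing only the public key."""
    n, e = pub
    return pow(int.from_bytes(aes_key, "big"), e, n)

def unwrap_aes_key(wrapped, priv):
    """What only the private-key holder can do: m = c^d mod n."""
    n, d = priv
    return pow(wrapped, d, n).to_bytes(32, "big")

def demo():
    pub, priv = rsa_keygen()
    aes_key = secrets.token_bytes(32)  # constructed stand-in for the file-encryption key
    wrapped = wrap_aes_key(aes_key, pub)
    # The victim's machine holds only `wrapped` and `pub`; recovery needs `priv`
    # or a defect in how the RSA arithmetic was implemented.
    return aes_key, wrapped, unwrap_aes_key(wrapped, priv)
```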
Users should not confuse CryptoBit with another ransomware family called CryptorBit, which was very active during 2014.