Tag: ransomware

We are joining the No More Ransom Project

Date of publication: 11/04/2017, piotrb

Since the beginning of April we have officially been an Associate Partner of the No More Ransom Project. Its main goal is to fight ransomware by helping victims decrypt their files for free. It is coordinated by, among others, Europol, and it connects law enforcement agencies and private sector companies from around the world. Our main contribution is providing a decryption tool for the Cryptomix, Cryptfile2 and Cryptoshield ransomware families, which we described some time ago.

The project has already helped more than 10000 victims, and now we can also contribute to this effort. We are proud to take part in this initiative.

Sage 2.0 analysis

Date of publication: 14/02/2017, Jarosław Jedynak



Sage is a new ransomware family, a variant of CryLocker. Currently it is distributed by the same actors that usually distribute Cerber, Locky and Spora.

In this case, malspam is the infection vector. Emails from the campaign contain only a malicious zip file, without any text. Inside the zip attachment there is a malicious Word document with a macro that downloads and installs the ransomware.

After the ransomware starts, the Windows UAC prompt is shown repeatedly until the user clicks Yes.

In the end the encryption process starts and all files are encrypted:

The ransom message directs us to a panel in the Tor network, but before we can log in we have to solve a captcha:

And finally we are greeted with a “user-friendly” panel:

We can even chat with malware creators:

Interestingly, this ransomware doesn’t remove itself after encryption, but copies itself to the %APPDATA%\Roaming directory and re-encrypts all files after every reboot (until the ransom is paid).

Technical analysis

After this short introduction, we’ll focus on the technical side (because Sage 2.0 is not a completely generic ransomware; a few things are rather novel).

The main function of the binary looks like this:

As we can see, there is a lot of fingerprinting and checks, though most of them are quite standard. The more interesting features include:

Debug switch

Probably something didn’t work on the first try, so there is a debug command line parameter to test that the configuration data is set correctly:

And sure enough, this debug parameter does what it should:

Someone probably forgot to remove this from the final version, because it is clearly a debugging feature.

Locale Check

Sage 2.0 creators like some nations more than others:

This checks the user’s keyboard layouts (the values are Windows primary language identifiers):

    • next == 0x23 -> Belarusian
    • next == 0x3F -> Kazakh
    • next == 0x19 -> Russian
    • next == 0x22 -> Ukrainian
    • next == 0x43 -> Uzbek
    • next == 0x85 -> Sakha

We’re a bit disappointed that Polish didn’t make it on the exception list (If Sage creators are reading this: our locale is 0x15).
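To make the magic numbers above concrete, here is an added example (our code, not from the original post) that decodes Windows keyboard layout identifiers into the primary language ID the check compares against. It assumes, as the values suggest, that 0x23, 0x3F, 0x19, 0x22, 0x43 and 0x85 are Windows LANG_* primary language identifiers (the low 10 bits of the LANGID carried in the low 16 bits of a layout handle or preload KLID); the sample layout list is constructed for the demonstration.

```python
# Added example (not code from the original post): decodes Windows keyboard
# layout identifiers into the primary language ID that the Sage 2.0 locale
# check compares against. Treating the page's values as Windows LANG_*
# primary language identifiers is our assumption based on the values.

# Primary language IDs listed in the analysis (values as on the page).
SAGE_SKIP_LANGS = {
    0x23: "Belarusian",
    0x3F: "Kazakh",
    0x19: "Russian",
    0x22: "Ukrainian",
    0x43: "Uzbek",
    0x85: "Sakha",
}


def primary_language_id(layout_id: int) -> int:
    """Return the primary language ID of a Windows keyboard layout identifier.

    A layout handle (HKL) or preload KLID such as 0x04190419 carries a LANGID
    in its low 16 bits; the primary language is the low 10 bits of that LANGID
    (so Russian 0x0419 -> 0x19, Polish 0x0415 -> 0x15).
    """
    langid = layout_id & 0xFFFF
    return langid & 0x3FF


def matched_skip_languages(layout_ids) -> list:
    """Return the names of installed layouts that match the skip list, in order."""
    hits = []
    for layout in layout_ids:
        name = SAGE_SKIP_LANGS.get(primary_language_id(layout))
        if name and name not in hits:
            hits.append(name)
    return hits


def parse_preload_values(values) -> list:
    """Convert KLID strings as stored under HKCU\\Keyboard Layout\\Preload
    (for example "00000419") into integers."""
    return [int(v, 16) for v in values]


if __name__ == "__main__":
    # Constructed sample of preload values: US English and Polish layouts.
    sample = parse_preload_values(["00000409", "00000415"])
    print(matched_skip_languages(sample))                    # []
    # The same machine with a Russian layout handle installed as well.
    print(matched_skip_languages(sample + [0x04190419]))     # ['Russian']
```

For an analyst the practical use is the reverse direction: if a sandbox or test VM has any of the listed layouts installed, this sample will exit before encrypting anything, so a silent run does not mean the sample is benign.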

Location fingerprinting

Sage is trying to get its host location by querying maps.googleapis.com with the current SSID and MAC:

Canary file

Before encryption, Sage checks for the existence of a special debug file:

Thanks to this, the malware creators don’t have to worry about accidentally running the executable and encrypting their own files.

Finally, if the file is not found, encryption is initiated.

Extension whitelist

Of course, not every file is encrypted; only files with a whitelisted extension are touched:


As usual, the encryption is the most interesting thing in ransomware code. Sage 2.0 is especially unusual because it encrypts files with elliptic curve cryptography.

The curve used for encryption is y^2 = x^3 + 486662x^2 + x over the prime field defined by 2^255 − 19, with base point x = 9. These values are not arbitrary: this curve is also called Curve25519 and is the state of the art in modern cryptography. Not only is it one of the fastest ECC curves, it’s also less vulnerable to weak RNGs, designed with side-channel attacks in mind, avoids many potential implementation pitfalls, and is (probably) not backdoored by any three-letter agency.

Curve25519 is used with a hardcoded public key for shared secret generation. The exact code looks like this (structures and function names are ours):

This looks like a properly implemented Elliptic Curve Diffie-Hellman (ECDH) protocol, but without private keys saved anywhere (they are useful only for decryption, and the malicious actors can recreate the shared secrets anyway using their own private key).

This may look complicated, but almost all of those functions are just wrappers for the ECC primitive, which we named CurveEncrypt. For example, computing the matching public key is curve25519(secretKey, basePoint), where basePoint is equal to 9 (one 9 followed by 31 zero bytes).

Shared key computation is very similar, but instead of the constant base point the other party’s public key is used:

Due to the design of Curve25519, converting any sequence of random bytes into a secret key is very easy; it’s enough to mask a few bits:

And, also because of this, secret key generation is completely trivial (it’s enough to generate 32 random bytes and convert them to a secret key):

That’s all for key generation. What about file encryption? Files are encrypted with ChaCha (an unconventional algorithm, again) and the key is appended to the output file, but only after being encrypted with Curve25519:

The AppendFileKeyInfo function appends sharedKey and pubKey to the file:

ChaCha is not a very popular algorithm among ransomware creators. It’s very closely related to Salsa20, which was used in the Petya ransomware. We don’t know why AES is not good enough for Sage; probably it’s only trying to be different.

In other words, there are two sets of keys plus one key pair for every encrypted file:

After the ransomware finishes, we know only my_public, sh_public and fl_shared, but we need chachakey to actually decrypt the file.

This encryption scheme is quite solid because it makes offline encryption possible: there is no need to bother with connecting to the C&C and negotiating encryption keys, since the public key is hardcoded in the binary and, because of the asymmetric cryptography, decryption is impossible without the matching private key. Assuming that the malware creators didn’t make any drastic implementation mistakes (and we have no reason to suspect that they did), recovery of encrypted files is impossible. Of course, it’s always possible that the master encryption key will eventually be leaked or released.
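The following is an added example (our code, not the post’s or the malware’s): a pure-Python X25519 (RFC 7748) that carries out the operations described in the preceding paragraphs, namely clamping 32 random bytes into a secret key, deriving the public key from base point 9, and computing a shared secret with a hardcoded public key. It also models, in simplified form, why the key material appended to a file is useless without the operators’ private key, and what a decryptor would do with that key if it were ever released. The function names, the two-level key layout (one master key pair, one fresh key pair per file) and the omission of the ChaCha step are our assumptions; Sage’s exact file format is not reproduced.

```python
# Added example (not code from the original post): pure-Python X25519 per
# RFC 7748, used to illustrate clamping, public key derivation from base
# point 9, shared secret computation against a hardcoded public key, and a
# simplified model of the per-file key wrapping (assumption: one master key
# pair plus a fresh key pair per file; the ChaCha file encryption is omitted).
import os

P = 2**255 - 19
A24 = 121665
BASE_POINT = bytes([9]) + bytes(31)   # "one 9 and 31 zeroes"


def clamp(random_bytes: bytes) -> bytes:
    """Turn 32 random bytes into a Curve25519 secret key by masking a few bits."""
    k = bytearray(random_bytes)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return bytes(k)


def curve25519(secret: bytes, point: bytes) -> bytes:
    """Scalar multiplication on Curve25519 (Montgomery ladder, RFC 7748)."""
    k = int.from_bytes(clamp(secret), "little")
    x1 = (int.from_bytes(point, "little") & ((1 << 255) - 1)) % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb) % P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def public_key(secret: bytes) -> bytes:
    """Matching public key: curve25519(secretKey, basePoint)."""
    return curve25519(secret, BASE_POINT)


def generate_keypair():
    """32 random bytes, clamped, and the corresponding public key."""
    secret = clamp(os.urandom(32))
    return secret, public_key(secret)


def wrap_file_key(master_public: bytes):
    """Per-file step (modelled): a fresh key pair whose shared secret with the
    hardcoded master public key serves as the symmetric file key. Only the
    per-file public key is stored; the per-file secret is discarded."""
    file_secret, file_public = generate_keypair()
    file_key = curve25519(file_secret, master_public)
    return file_key, file_public   # file_secret is not kept anywhere


def unwrap_file_key(master_secret: bytes, file_public: bytes) -> bytes:
    """What a decryptor needs: the master secret reproduces the shared secret."""
    return curve25519(master_secret, file_public)


def rfc7748_vectors_ok() -> bool:
    """Sanity check against the X25519 test vectors from RFC 7748 section 6.1."""
    a = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
    b = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
    a_pub = "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"
    b_pub = "de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f"
    shared = "4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742"
    return (public_key(a).hex() == a_pub and public_key(b).hex() == b_pub
            and curve25519(a, public_key(b)).hex() == shared)


if __name__ == "__main__":
    master_secret, master_public = generate_keypair()     # operators' key pair
    file_key, file_public = wrap_file_key(master_public)  # done on the victim
    print(unwrap_file_key(master_secret, file_public) == file_key)  # True
    print(rfc7748_vectors_ok())  # True
```

The point to take from the model is in `wrap_file_key`: the victim-side code never needs, and never keeps, anything but public keys and the fresh per-file secret, which is thrown away, so nothing recoverable from the infected machine reproduces `file_key`; only `unwrap_file_key`, run with the master secret, does. This is also why a working decryptor for such a scheme can only appear after the master key leaks or is released.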

Additional information

Yara rules:

Hashes (sha256):

    • sample 1, 362baeb80b854c201c4e7a1cfd3332fd58201e845f6aebe7def05ff0e00bf339
    • sample 2, 3b4e0460d4a5d876e7e64bb706f7fdbbc6934e2dea7fa06e34ce01de8b78934c
    • sample 3, ccd6a495dfb2c5e26cd65e34c9569615428801e01fd89ead8d5ce1e70c680850
    • sample 4, 8a0a191d055b4b4dd15c66bfb9df223b384abb75d4bb438594231788fb556bc2
    • sample 5, 0ecf3617c1d3313fdb41729c95215c4d2575b4b11666c1e9341f149d02405c05

Additional information:

Evil: A poor man’s ransomware in JavaScript

Date of publication: 18/01/2017, Jarosław Jedynak



Initially, Evil was brought to our attention by an incident reported on 2017-01-08. At that time the Internet was completely silent on this threat and we had nothing to analyze.

We found the first working sample a day later, on 2017-01-09. In this article we briefly summarize our analysis and conclusions. Since then, we have had a relatively high number of infections reported, so we predict that this ransomware family may become a bigger threat in the near future.

This malware follows a recent trend and doesn’t have any decryption panel (like CryptoMix); instead, an email address is provided. Sure, why complicate things if simple solutions work well enough.

Technical analysis of CryptoMix/CryptFile2 ransomware

Date of publication: 04/01/2017, Jarosław Jedynak



CryptoMix is another ransomware family that tries to earn money by encrypting victims’ files and coercing them into paying the ransom.
Until recently it was better known as CryptFile2, but for reasons unknown to us it was rebranded and is now called CryptoMix.
It was observed in the wild being served by the Rig-V exploit kit.

This malware stands out from the others, but not necessarily in a good way.


The first unusual thing about this family is the very large amount of money requested: 5 bitcoins is an insane amount (especially considering that CryptoMix is really primitive under the hood, but we’ll get to that). We don’t know how many victims have paid, but probably few were desperate enough.

Additionally, we have stumbled upon the following comment, which should discourage anyone from paying the ransom:

We were infected and they asked for 10 bitcoins; after some negotiations the price was lowered to 6 bitcoins. They provided 1 decrypted file to prove the concept. We paid 6 bitcoins and they asked for another .6 as the C&C server would not provide the key due to late payment. After promptly paying another .6 bitcoins (about $4800 in total) there has been no communication from them! It’s been 2 weeks and nothing.

We can’t verify whether this is true, but it sounds plausible: if someone is desperate enough to pay 6 bitcoins for their files, they can probably be coerced into paying even more. As usual, we discourage anyone from supporting the criminals by paying the ransom.

Payment portal

Additionally, CryptoMix doesn’t have any payment portal in the Tor network, or any payment portal at all, for that matter: the victim has to write an email and literally wait some time before the malware operators kindly send the decryption keys (assuming that they do, instead of bargaining for even more money).

For example, the ransom message can look like this (most recent variant):

Or like this (older variant):

We don’t think this strategy was well thought out. First of all, using email for communication with victims is bothersome and needs constant attention.
An automated portal would be much more reliable and secure for both sides. Additionally, email accounts are prone to being deleted or locked, effectively cutting the malware authors off from their “clients”.


The content of the exchanged emails is very unusual too. The actors claim to be a charity organization (!) that is going to sponsor presents and medical help for children. For example:

That’s really original, but unfortunately also obviously false.

Technical analysis

Leaving aside the strange quirks of the ransomware “interface”, let’s get more technical. At its heart, CryptoMix is just a bare-bones encryptor: it doesn’t have any fancy features, it doesn’t have a web portal, it doesn’t change the user’s wallpaper; the only thing it does is encrypt every file on the victim’s disk and on the mounted network drives.

CryptoMix is protected by a very primitive packer: the real binary is stored in the resources, XORed with a hardcoded key. For some reason, Cuckoo has problems with automatic unpacking of CryptoMix, so we had to write our own unpacker. Using pefile and Yara, this is very easy:
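Since the post’s pefile/Yara unpacker is not reproduced here, the following added example (our code, not the post’s) shows the core of such an unpacker in the standard library only: XOR-decode a resource blob with a repeating key and validate that the result is a PE image before trusting it. It goes one step further than the text, which has the key hardcoded, by recovering a short repeating key from the known plaintext every PE carries (the “MZ” signature and the DOS stub text, which MSVC-linked binaries place at offset 0x4E). The packed blob, the fake PE image and the key are all constructed inline; resource extraction from a real sample is left to pefile as in the post.

```python
# Added example (not the post's own unpacker): XOR-decode a packed payload and
# validate the result as a PE image. The resource blob and the key below are
# constructed; real samples would have the blob extracted with pefile.
import struct

# Standard DOS stub text; in MSVC-linked binaries it starts at offset 0x4E.
DOS_STUB_TEXT = b"This program cannot be run in DOS mode."


def xor_decode(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; XOR is its own inverse, so this also packs."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """Check the MZ signature and that e_lfanew points at a 'PE\\0\\0' header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_xor_key(packed: bytes, key_len: int) -> bytes:
    """Known-plaintext recovery of a repeating XOR key: the packed blob must
    start with a DOS header, so the first bytes decode to 'MZ' and offset 0x4E
    onward decodes to the DOS stub text. Each key position must be covered
    by at least one known plaintext byte, which holds for short keys."""
    known = {0: ord("M"), 1: ord("Z")}
    for i, ch in enumerate(DOS_STUB_TEXT):
        known[0x4E + i] = ch
    key = bytearray(key_len)
    seen = [False] * key_len
    for offset, plain in known.items():
        key[offset % key_len] = packed[offset] ^ plain
        seen[offset % key_len] = True
    if not all(seen):
        raise ValueError("key longer than available known plaintext")
    return bytes(key)


def build_fake_pe() -> bytes:
    """Constructed minimal PE-like image: DOS header, stub text, PE signature."""
    img = bytearray(0x100)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)          # e_lfanew -> 0x80
    img[0x4E:0x4E + len(DOS_STUB_TEXT)] = DOS_STUB_TEXT
    img[0x80:0x84] = b"PE\x00\x00"
    return bytes(img)


def unpack(packed: bytes, key: bytes = None, key_len: int = 4) -> bytes:
    """Decode with the given (hardcoded) key, or recover it first; refuse
    output that does not look like a PE image."""
    if key is None:
        key = recover_xor_key(packed, key_len)
    out = xor_decode(packed, key)
    if not looks_like_pe(out):
        raise ValueError("decoded resource is not a PE image")
    return out


if __name__ == "__main__":
    payload = build_fake_pe()
    packed = xor_decode(payload, b"\x13\x37\xca\xfe")     # constructed "resource"
    print(unpack(packed, b"\x13\x37\xca\xfe") == payload)  # True
    print(recover_xor_key(packed, 4).hex())                # 1337cafe
```

The `looks_like_pe` check is the part worth keeping in any unpacking script: it catches a wrong key, a wrong resource or a truncated blob before the output is handed to a sandbox or disassembler.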

After decryption, the ransomware checks whether it’s being debugged, but no anti-VM techniques are employed, so everything works as it should under VirtualBox.

Before file encryption starts, the ransomware checks internet connectivity (using the InternetOpenUrl function). If everything is OK, an encryption key is generated on the victim’s PC and sent to the C&C server.
Otherwise, depending on the malware version, either a hardcoded encryption key is used or the malware spins in an infinite loop until the internet connection is restored.

The main function can be expressed as follows:

After the encryption key is generated or selected, it is stored in the Windows registry. The registry key used for malware-specific data varies depending on the version; for example SoftWare\Microsoft\Windows\Shell\Nodes Slots, SoftWare\Microsoft\Windows\Shell\FlashPlayerPluginK or Software\Adobe Reader LicensionSoftWare\AdobeLicensionSoftWare can be used (the malware probably tries to hide its presence by impersonating other software).

The list of supported extensions contains more than 1250 entries:

That’s quite a lot of extensions, but nothing special (for comparison: CryptXXX supports 933 extensions, CrypMIC 901). The most unusual thing here is the inclusion of other ransomware families’ extensions (for example .zepto, .locky, .crypt, .locked, .cryptolocker, .cryptowall, etc.).


Let’s get back to the ransom message for a while:

The malware claims that our files are “encrypted with 2048bit RSA KEY”. Well, that’s not entirely true. Yes, a 2048-bit RSA key is generated with the Windows Crypto API, but after the RSA key is selected, it is hashed with SHA256 to create the real encryption key, and every file on disk is encrypted with that key. The encryption algorithm used is AES-256 in CBC mode without an initialization vector.

The encryption routine can be summarized with this (simplified) code:

This function is called for every file, so hashing rsaKey and deriving the AES key every time doesn’t make much sense. But there is a bigger problem with it: there is no need for such things as “public” and “private” keys, because this encryption routine is entirely symmetric; RSA serves here just as an (unnecessarily slow) random number generator.

So yes, in a way RSA is “used for encryption”, but the files are not encrypted with RSA and the encryption is entirely symmetric.

The UserID given by CryptoMix is not random: it is generated from the username and the serial number of the first disk.

This doesn’t seem like a good idea, because UserIDs absolutely have to be unique, and neither the username nor the volume serial number is designed to be unique, so UserID collisions are possible and very plausible (after taking the low entropy of the UserID and the birthday paradox into account).
Why is this a problem? Because when a UserID collision happens, the malware creators have no way of telling the two users apart, so they don’t know which encryption key belongs to which user and can’t send the right one. It’s also possible that in case of a collision the old key is overwritten in the database and lost.

Finally, CryptoMix achieves persistence by copying itself to the user’s documents folder and writing to the HKEY_CURRENT_USER\SoftWare\Microsoft\Windows\CurrentVersion\Run registry key.

As a final measure, all shadow copies are removed (if the user doesn’t have an admin account, a UAC prompt is shown first):

Cryptomix Decryptor

Due to a cryptographic flaw in the encryption, we are able to decrypt CryptoMix (and CryptFile2) files, but only sometimes and only if they were encrypted with a vulnerable version.
If your files were encrypted by CryptoMix and you don’t want to pay the ransom, you can contact us at [email protected] and we’ll see what we can do.
Please attach a single encrypted file without changing its filename after encryption (for example warnings.h.email[[email protected]]id[7e5973f5e0ce337d].lesli).


Cryptomix packer (old and new):

Cryptomix payload (after unpacking):


    • c2f30cd537c79b6bcd292e6824ea874e sample0
    • befc0e43b38fe467ddc3ddd73150a9fc sample0 decrypted
    • 8c413e31f39a54abf78c3585444051f7 sample1
    • 0d1206246bf15c521474cee42f13fc09 sample1 decrypted
    • b778bda5b97228c6e362c9c4ae004a19 sample2
    • 042a38a32cd20e3e190bb15b085b430a sample2 decrypted

The Postal Group

Date of publication: 14/10/2015, Łukasz Siewierski

During the SECURE conference we presented our findings about a criminal group, which we called the “Postal Group” (“Grupa pocztowa”) based on their modus operandi. Detailed research regarding the group has been gathered in the form of a report, available under the link below.

Slave, Banatrix and ransomware

Date of publication: 03/07/2015, Łukasz Siewierski

In March 2015, S21sec published their analysis of a new e-banking trojan horse targeting Polish users. They named it “Slave”, because such a string was part of a path to one of the shared libraries. We think (in part thanks to the kernelmode.info thread) that Slave was made by the same group of authors that are responsible for the previously described Banatrix and for a ransomware/Android malware campaign. This means that those authors are most certainly fluent in Polish.

Malware attack on both Windows and Android

Date of publication: 22/05/2015, CERT Polska


On the 7th of May, 2015 we observed a new malicious e-mail campaign, which used the logo and the name of the Polish Post Office (“Poczta Polska”). The e-mails supposedly informed about an undelivered package; however, they also included a link which, after several redirects, led to the download of a malicious file. This file was either a Windows executable or an Android APK file (depending on the presented User-Agent string).

Ransomware still a threat to Polish users

Date of publication: 19/09/2013, CERT Polska


During the summer holidays we observed an increased infection rate of ransomware. We have mentioned this type of malware a few times already in the past (here is a description of similar malware and here is information detailing how to remove it from your computer). CERT Polska was able to acquire three samples of this malware from three different sources. In every case we were able to determine the infection vector. Most probably, all three samples were created by the same group of cybercriminals. One of the samples came from a hacked .gov.pl website, in collaboration with CERT.GOV.PL; the second sample was from a hacked website in the .eu domain and the last sample was from a malicious advertisement on a .pl website. The case of malware on the governmental website was also the subject of our previous blog post.

Ransomware: how to remove it, even when the computer does not boot?

Date of publication: 03/08/2012, CERT Polska

We have recently published an article (in Polish) about ransomware (mainly WeelsOf) spreading in Poland. This kind of ransomware was initially mentioned on the abuse.ch blog: https://www.abuse.ch/?p=3718. It demands 100 Euro or 500 PLN in order to unlock our computer. We also published a UKash code generator that was supposed to fool the malware and unlock the computer. Since then, we have encountered versions of this ransomware that simply do not unlock the computer no matter what kind of code is submitted. Below, we have compiled a few tips, both for advanced users and beginners, on how to remove ransomware, or malware in general. They should work even in cases when the computer will not boot.

This computer has been blocked: ransomware demands a 100 euro Ukash voucher!

Date of publication: 08/06/2012, CERT Polska


In May, we dealt in Poland with infections by malware that blocked access to the computer, demanding payment of a ransom in exchange for removing the block. The ‘penalty fee’ is 100 euro (two payments of 50 euro each are also possible) and is to be paid by providing a UKASH voucher number. According to the message displayed on the computer, this penalty results from mysterious regulations on ‘information control and information security’ from 2012. The message itself is written in correct Polish and bears the police logo! (see the screenshot below). Antivirus programs flag this threat as ‘Trojan/Weelsof’.