
Defusing Malwares

5 min read · Feb 16, 2024


Caution/Warning: Hacking back malware infrastructure (excluding ransomware decryption & recovery) may negatively impact ongoing legal investigations & hence can be illegal.

Malware like ransomware relies on several components that together form its infrastructure base. This includes key components like CnC servers, botnet proxies, domain generation algorithms, source code, encryption algorithms, and communication & payment channels.

Here we share several cases in which vulnerabilities in the malware infrastructure itself were targeted in response to malware incidents.

1) Exploiting Cryptographic Failures:

i) Prometheus Ransomware:

The encryption algorithm seeded a vulnerable C# randomization class with the number of milliseconds elapsed since the computer was last started and used a hardcoded IV. Because the first parameter only updates around every 16 milliseconds, multiple files can end up with the same key; the IV can easily be obtained and appears to be the same in every sample analyzed.

In this case, decrypting the ransomware-encrypted files requires the hardcoded IV (observed in the sample to be the 8-byte array 1, 2, 3, 4, 5, 6, 7, 8) and a text or byte sequence to search for in the decrypted file. For example, if the encrypted file’s original extension is .pdf, the text to search for to confirm success is “%PDF”.

ii) BlackBasta Ransomware:

To encrypt a file, it XORs the content with a 64-byte keystream generated by the XChaCha20 algorithm. What allows retrieval of the encryption key is the use of a stream cipher: when a file whose bytes are all zeros is encrypted, the XOR keystream itself is written to the file.
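The zero-file observation generalizes: any 64-byte plaintext block that was all zeros comes out of the XOR as the keystream itself, and zero runs (padding, sparse regions of images and archives) are common enough that the most frequently repeated ciphertext block is usually the keystream. The following is an added example of that recovery, not code from the original post or from any published Black Basta decryptor. It assumes, as a reading of the description above, that the same 64 bytes are applied to every 64-byte block of the file; the sample file and the keystream (a SHA-512 digest standing in for XChaCha20 output) are constructed for the demonstration.

```python
from collections import Counter
import hashlib

BLOCK = 64  # the description above gives a 64-byte keystream


def xor_blocks(data, keystream):
    """Model of the file encryption described above: each byte is XORed with the
    keystream byte at the same position within its 64-byte block. Reusing the same
    64 bytes for every block is an assumption made for this example."""
    return bytes(b ^ keystream[i % BLOCK] for i, b in enumerate(data))


def recover_keystream(ciphertext, min_repeats=4):
    """Where a plaintext block was all zeros, the ciphertext block *is* the keystream.
    The most frequently repeated aligned 64-byte ciphertext block is therefore the
    candidate; return it, or None if it does not repeat often enough to trust."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext) - BLOCK + 1, BLOCK)]
    if not blocks:
        return None
    candidate, count = Counter(blocks).most_common(1)[0]
    return candidate if count >= min_repeats else None


def decrypt_file(ciphertext):
    """Recover the keystream from the ciphertext alone and undo the XOR."""
    keystream = recover_keystream(ciphertext)
    if keystream is None:
        return None
    return xor_blocks(ciphertext, keystream)


def demo():
    # Constructed sample: a short document header followed by a zero-filled tail.
    plaintext = b"%PDF-1.4 constructed sample document".ljust(BLOCK * 2, b"x") + bytes(BLOCK * 6)
    # Stand-in for the XChaCha20 output: any fixed 64 bytes serve the demonstration.
    keystream = hashlib.sha512(b"constructed keystream").digest()
    ciphertext = xor_blocks(plaintext, keystream)
    return recover_keystream(ciphertext) == keystream, decrypt_file(ciphertext) == plaintext
```

The `min_repeats` threshold is what keeps this from returning a random block on a file with no zero region; a file that yields no repeated block cannot be recovered this way and `decrypt_file` returns `None` rather than garbage.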

iii) Akira Ransomware:

Akira on Windows encrypts files only partially to speed up the process, using a different scheme depending on file size. For files smaller than 2,000,000 bytes, Akira encrypts only the first half of the file contents. For files larger than 2,000,000 bytes, it encrypts four blocks whose size is pre-calculated from the file’s total size. The Linux version of Akira gives operators an “-n” command-line argument that lets them set precisely what percentage of each victim file should be encrypted.

iv) Rhysida Ransomware:

The random number generated by the PRNG is based on the execution time of the Rhysida ransomware. Further, the (randomized) order in which files are encrypted was found to be deterministic. Also, the encryption thread generated 80 bytes of random numbers when encrypting a single file, the first 48 bytes of which are used as the encryption key and the IV.

Using these observations, the initial seed could be retrieved and the file encryption order determined, eventually leading to data recovery without ransom payment.
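The Prometheus and Rhysida cases above share one weakness: the key material comes from a PRNG seeded with a timestamp (milliseconds since boot, execution time), so the effective key space is the window of plausible seeds, and each candidate can be checked against known plaintext such as the “%PDF” marker mentioned for Prometheus. The following is an added example of that seed search; it is not code from the original post or from any published decryptor. Python’s `random.Random` stands in for the malware’s generator and a SHA-256 counter keystream stands in for the real stream cipher; the seed, the file contents, the magic-byte table and the 32-byte-key/16-byte-IV split of the 48 bytes are all constructed or assumed for the demonstration.

```python
import hashlib
import random


def derive_key_iv(seed_ms):
    """Stand-in for the time-seeded PRNG: Python's random.Random is used only as a
    deterministic generator, not as the generator either family actually used.
    Rhysida draws 80 bytes per file and uses the first 48 as key + IV; the 32/16
    split below is an assumption."""
    rnd = random.Random(seed_ms)
    material = rnd.getrandbits(80 * 8).to_bytes(80, "big")
    return material[:32], material[32:48]


def keystream(key, iv, length):
    """Stand-in stream cipher: SHA-256 in counter mode. Not Salsa20/ChaCha20; it only
    needs to be a keystream that is a fixed function of (key, IV)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + counter.to_bytes(8, "little")).digest()
        counter += 1
    return bytes(out[:length])


def xor_stream(data, key, iv):
    return bytes(a ^ b for a, b in zip(data, keystream(key, iv, len(data))))


# Known-plaintext markers by original extension (constructed table; "%PDF" is the
# marker the Prometheus write-up above uses).
MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG", ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04"}


def recover_seed(ciphertext, extension, seed_lo, seed_hi):
    """Try every seed in [seed_lo, seed_hi); the right one decrypts the file header to
    the expected magic bytes. Only the first few bytes are decrypted per candidate."""
    magic = MAGIC[extension]
    head = ciphertext[:len(magic)]
    for seed in range(seed_lo, seed_hi):
        key, iv = derive_key_iv(seed)
        if xor_stream(head, key, iv) == magic:
            return seed
    return None


def decrypt_with_seed(ciphertext, seed):
    key, iv = derive_key_iv(seed)
    return xor_stream(ciphertext, key, iv)


def demo():
    # Constructed victim file and a constructed "milliseconds since boot" at encryption time.
    plaintext = b"%PDF-1.7\n% constructed sample document\n"
    true_seed = 4_812_345
    ciphertext = xor_stream(plaintext, *derive_key_iv(true_seed))
    # A defender knows roughly when the host booted and when the files changed, so the
    # search window is a few seconds' worth of tick values rather than 2^32 seeds.
    seed = recover_seed(ciphertext, ".pdf", true_seed - 5_000, true_seed + 5_000)
    return seed, decrypt_with_seed(ciphertext, seed)
```

Because a stream cipher’s keystream is prefix-consistent, checking the first four bytes per candidate is enough to reject wrong seeds cheaply; the full file is only decrypted once the seed is found. For Rhysida the same recovered seed also fixes the deterministic file order, which is what lets one seed serve many files.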

2) Misconfigurations:

i) Muhstik Ransomware:

The servers used by the attackers contained web shells that allowed access to the PHP script which generated new passwords for new victims. Executing this script created a new password & stored it in a database to be retrieved later once the victim had paid the ransom. This insight helped in creating a new script that extracted the decryption keys. A list of 2,585 decryption keys that victims could use to decrypt their files without paying a ransom was generated; all the keys were published to a popular forum dealing solely with the Muhstik ransomware, as well as to Pastebin. Finally, a decryptor was built along the same lines and made publicly available. Several victims later came forward to say that the decryption keys do indeed work.

ii) Conti Ransomware:

The chat logs of the threat actors operating the malware were leaked. Similarly, several misconfigurations have been exploited in the past to take control of & neutralize CnC servers.

3) Source Code Reuse/Leakage:

Babuk Ransomware:

Babuk ransomware is nefarious by nature: while it encrypts the victim’s machine, it interrupts the system backup process and deletes the volume shadow copies. Babuk can be compiled for several hardware and software platforms; the compilation is configured through a ransomware builder. Windows and ARM for Linux are the most commonly used versions, but ESX and an older 32-bit PE executable were also observed over time.

The source code of the Babuk ransomware was leaked on an underground forum by an insider. Although this opened the door for other cybercriminals to use and potentially enhance the ransomware, making its code the basis of many ransomware variants, it also helped in creating a Babuk decryptor.

4) Botnet Communication & Payment Logic Flaws:

i) WannaCry:

The famous ransomware checked connectivity to the below domain before execution. Registering this domain acted as a kill switch for the ransomware’s propagation.

ii) Payment Wallets:

Ransomware payment tracking can be done in four phases:

  1. Compiling ransomware samples: Construct an initial dataset by locating and categorizing ransomware samples for all targeted families.
  2. Expanding coverage through clustering: Utilizing the binaries from the original dataset as starting points, employ clustering techniques to augment the number of ransomware binaries in the dataset.
  3. Associating bitcoin wallets with each ransomware family: Employing dynamic execution and machine learning on the ransomware binaries, coupled with crawling payment platforms linked to ransomware in our dataset, establish connections between ransomware families and specific bitcoin wallets.
  4. Uncovering ransomware cashout wallets: Tracing payments to the wallets identified in the previous phase facilitates understanding how ransom payments traverse the bitcoin chain, uncovering the wallets utilized by cybercriminals for cashing out.
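Phase 4 is essentially a graph walk: starting from the wallets tied to a family in phase 3, follow each spend forward through the transaction graph until an address with a known cash-out label (an exchange deposit cluster) is reached. The following is an added example of that walk over a constructed toy ledger, not code or data from the original post; the address labels are invented stand-ins, not real Bitcoin addresses, and a real analysis would read transactions from a node or block explorer and labels from a clustering dataset.

```python
from collections import deque

# Constructed toy ledger: (txid, input addresses, [(output address, amount)]).
TRANSACTIONS = [
    ("tx1", ["victim_1"], [("ransom_wallet_A", 1.0)]),
    ("tx2", ["victim_2"], [("ransom_wallet_A", 0.5)]),
    ("tx3", ["ransom_wallet_A"], [("hop_1", 1.4), ("ransom_wallet_A", 0.1)]),  # sweep with change
    ("tx4", ["hop_1"], [("mixer_in", 1.4)]),
    ("tx5", ["mixer_in"], [("exchange_deposit_X", 0.7), ("hop_2", 0.7)]),
    ("tx6", ["unrelated"], [("exchange_deposit_Y", 2.0)]),  # not connected to the ransom wallet
]

# Addresses known to belong to exchange deposit clusters (constructed labels).
CASHOUT_LABELS = {"exchange_deposit_X": "ExchangeX", "exchange_deposit_Y": "ExchangeY"}


def build_spend_graph(txs):
    """Map each address to the outputs it funded: addr -> [(next_addr, amount, txid)]."""
    graph = {}
    for txid, inputs, outputs in txs:
        for src in inputs:
            for dst, amount in outputs:
                graph.setdefault(src, []).append((dst, amount, txid))
    return graph


def trace_cashout(seed_wallets, txs, max_hops=4):
    """Breadth-first walk forward from the ransom wallets (the phase 3 output), up to
    max_hops transactions deep, recording every labelled cash-out address reached.
    Returns (hops_to_address, {cashout_addr: [(txid, amount, hops), ...]})."""
    graph = build_spend_graph(txs)
    hops = {w: 0 for w in seed_wallets}
    queue = deque((w, 0) for w in seed_wallets)
    cashouts = {}
    while queue:
        addr, depth = queue.popleft()
        if depth >= max_hops:
            continue
        for dst, amount, txid in graph.get(addr, []):
            if dst in CASHOUT_LABELS:
                cashouts.setdefault(dst, []).append((txid, amount, depth + 1))
            if dst not in hops:  # first time this address is reached
                hops[dst] = depth + 1
                queue.append((dst, depth + 1))
    return hops, cashouts


def demo():
    hops, cashouts = trace_cashout(["ransom_wallet_A"], TRANSACTIONS)
    return sorted(cashouts), hops
```

The hop limit matters: without it, the walk eventually touches most of the chain through high-volume services, so reports are usually given per depth, and a cash-out found at depth 3 behind a mixing step (as `exchange_deposit_X` is here) is weaker evidence than a direct deposit and is flagged as such.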
