Ransomware is one of the most common and effective attack methods today, and it seems this trend isn’t going to change anytime soon. This last November, we found that ransomware attacks are surging, with our Global Threat Index showing that the number of ransomware attacks using Locky and Cryptowall increased by 10%.
Today, Check Point’s Threat Intelligence Team reveals two new ransomware samples that were found in the wild, and also the decryption solutions which can help victims retrieve their lost data free of charge.
Check Point is an Associate Partner of the No More Ransom (NMR) project, which aims to fight back against the ransomware epidemic. As such, our new decryption tools will be available for public use as part of the project.
1 – DeriaLock: Ransomware Evolving Within Hours
DeriaLock is an interesting case of ransomware evolving right in front of our eyes. When it first appeared on December 24, 2016, it was nothing more than a screen-locker, designed to take control of your screen and prevent you from accessing your computer. It was a nuisance but didn’t cause any real damage to your files. Two days later, another variant was discovered. This time, it added a file encryption mechanism, threatening that if you restart your computer in an attempt to regain control, DeriaLock would delete all your files.
As Karsten Hahn, the malware analyst who first discovered DeriaLock, pointed out on Twitter, this was an empty threat. That is, until a few hours later, when the latest variation of DeriaLock appeared and delivered on it. The current version of the ransomware includes all of these capabilities: screen lock, file encryption and deletion of files following a reboot.
Right now, the ransom demand is only $30, not very high compared to other ransomware out there in the wild. Check Point researchers have found a way to exploit several flaws in its implementation and created a decryption tool that helps you recover your files and avoid payment altogether.
How to retrieve your files?
Please use the below decryption tool with caution.
- The decryptor is effective for the current version of the ransomware. As security companies and hackers are in an eternal cat and mouse chase, there is a chance that the attackers will remediate their vulnerabilities which allowed us to decrypt the files. Therefore, Check Point does not take responsibility for unsuccessful attempts to decrypt files using this tool.
- Before initiating the decryption process we recommend backing up your hard-disk.
- Make sure you are familiar with the specific procedure for booting your computer into safe mode.
- If you fail to get into safe mode ALL YOUR FILES WILL BE DELETED.
After reading and familiarizing yourself with the cautions –
- Restart the computer into safe-mode
- Go to C:\users\%user name%\appdata\roaming\microsoft\windows\start menu\programs\startup\
- Look for either LOGON.exe or SystemLock.exe and delete them.
(their ‘Date Modified’ timestamp will be the infection date)
- Restart the computer again
- Download and execute the decryptor *
- Click the “I PAY GET MY FILES BACK NOW!” button.
2 – PHP Ransomware
We have also discovered in the wild a new ransomware in the form of a PHP script. We first encountered it when accessing the domain hxxp://med-lex[.]com. Although the PHP ransomware encrypts the victim’s files, it’s tricky to call it a “ransomware” per se.
Unlike the majority of the widely-spread ransomware samples, the script does not show any ransom note, nor does it attempt to receive a payment in order to grant a decryptor. Rather, it only encrypts the files without offering any option to retrieve them. There is also no attempt made to communicate with a command and control server, which usually enables tracking the number of infected machines, downloading executables, or other malicious activities.
The new sample starts by scanning the system recursively. When it encounters a directory, it descends into its subfolders looking for files whose extension is one of the following:
zip, rar, r00, r01, r02, r03, 7z, tar, gz, gzip, arc, arj, bz, bz2, bza, bzip, bzip2, ice, xls, xlsx, doc, docx, pdf, djvu, fb2, rtf, ppt, pptx, pps, sxi, odm, odt, mpp, ssh, pub, gpg, pgp, kdb, kdbx, als, aup, cpr, npr, cpp, bas, asm, cs, php, pas, class, py, pl, h, vb, vcproj, vbproj, java, bak, backup, mdb, accdb, mdf, odb, wdb, csv, tsv, sql, psd, eps, cdr, cpt, indd, dwg, ai, svg, max, skp, scad, cad, 3ds, blend, lwo, lws, mb, slddrw, sldasm, sldprt, u3d, jpg, jpeg, tiff, tif, raw, avi, mpg, mp4, m4v, mpeg, mpe, wmf, wmv, veg, mov, 3gp, flv, mkv, vob, rm, mp3, wav, asf, wma, m3u, midi, ogg, mid, vdi, vmdk, vhd, dsk, img, iso
If a file matches one of the above extensions, the script changes its permissions so that the owner and all other users can read, write and execute it. The script then reads the first 2048 bytes of the matched file and encrypts only that initial excerpt, while the rest of the file remains intact. If the file is smaller than 2048 bytes, it is encrypted entirely. Additionally, a “.crypted” extension is appended to the file name, keeping the original extension in place.
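The behaviour just described (recursive walk, a fixed extension list, only the first 2048 bytes touched, “.crypted” appended after the original extension) leaves a recognisable footprint that a responder can look for before reaching for a decryptor. The following Python scanner is an added example written for this page; it is not Check Point’s decryptor and not the PHP script itself, and because the page does not describe the cipher it does not attempt to decrypt anything. The extension list and the 2048-byte boundary come from the text above; the entropy heuristic, the sample files and the function names are assumptions made here for illustration.

```python
import math
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Extension list as given in the post above (the file types the PHP script targets).
TARGET_EXTENSIONS = {
    "zip", "rar", "r00", "r01", "r02", "r03", "7z", "tar", "gz", "gzip", "arc", "arj",
    "bz", "bz2", "bza", "bzip", "bzip2", "ice", "xls", "xlsx", "doc", "docx", "pdf",
    "djvu", "fb2", "rtf", "ppt", "pptx", "pps", "sxi", "odm", "odt", "mpp", "ssh", "pub",
    "gpg", "pgp", "kdb", "kdbx", "als", "aup", "cpr", "npr", "cpp", "bas", "asm", "cs",
    "php", "pas", "class", "py", "pl", "h", "vb", "vcproj", "vbproj", "java", "bak",
    "backup", "mdb", "accdb", "mdf", "odb", "wdb", "csv", "tsv", "sql", "psd", "eps",
    "cdr", "cpt", "indd", "dwg", "ai", "svg", "max", "skp", "scad", "cad", "3ds", "blend",
    "lwo", "lws", "mb", "slddrw", "sldasm", "sldprt", "u3d", "jpg", "jpeg", "tiff", "tif",
    "raw", "avi", "mpg", "mp4", "m4v", "mpeg", "mpe", "wmf", "wmv", "veg", "mov", "3gp",
    "flv", "mkv", "vob", "rm", "mp3", "wav", "asf", "wma", "m3u", "midi", "ogg", "mid",
    "vdi", "vmdk", "vhd", "dsk", "img", "iso",
}
HEAD_LEN = 2048       # the script encrypts only the first 2048 bytes (from the post)
MARKER = ".crypted"   # appended after the original extension (from the post)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 8.0 is the maximum, plain text is usually well below 5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify(path: Path) -> Optional[Dict]:
    """Return a finding for a file matching the naming pattern, or None otherwise."""
    name = path.name
    if not name.endswith(MARKER):
        return None
    original = name[: -len(MARKER)]
    ext = original.rsplit(".", 1)[-1].lower() if "." in original else ""
    if ext not in TARGET_EXTENSIONS:
        return None
    data = path.read_bytes()
    head, tail = data[:HEAD_LEN], data[HEAD_LEN:]
    return {
        "path": str(path),
        "original_name": original,
        "size": len(data),
        # files at or below 2048 bytes were encrypted entirely, nothing of them is recoverable by inspection
        "fully_encrypted": len(data) <= HEAD_LEN,
        # a high-entropy head next to a low-entropy tail is the signature of the partial encryption
        "head_entropy": round(shannon_entropy(head), 2),
        "tail_entropy": round(shannon_entropy(tail), 2) if tail else None,
        # the script also chmods the file; a world-executable document is another artefact worth noting
        "world_executable": bool(path.stat().st_mode & 0o001),
    }


def scan(root: str) -> List[Dict]:
    """Walk root recursively, as the script itself does, and collect findings sorted by path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            finding = classify(Path(dirpath) / f)
            if finding:
                findings.append(finding)
    return sorted(findings, key=lambda x: x["path"])


def build_sample_tree() -> str:
    """Constructed sample data (not real victim files) so the scanner runs offline."""
    root = tempfile.mkdtemp(prefix="phpcrypt_")
    docs = Path(root) / "docs"
    docs.mkdir()
    high_entropy_head = bytes(range(256)) * (HEAD_LEN // 256)   # exactly 8.0 bits/byte
    # large document: encrypted head followed by the untouched remainder
    (docs / "report.pdf.crypted").write_bytes(high_entropy_head + b"%PDF body text " * 300)
    # small file: encrypted entirely
    (docs / "key.pub.crypted").write_bytes(high_entropy_head[:100])
    # ".crypted" on an extension the script never targets: not this pattern
    (docs / "notes.txt.crypted").write_bytes(b"hello")
    # untouched file
    (docs / "photo.jpg").write_bytes(b"\xff\xd8\xff" + b"\x00" * 100)
    return root


if __name__ == "__main__":
    for finding in scan(build_sample_tree()):
        print(finding)
```

Running the scanner over a suspect share gives an inventory of which files carry the pattern and, via the head/tail entropy split, which ones still hold their original content beyond byte 2048. That inventory is what you would hand to a decryptor or use to prioritise restoring from backup.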
How to decrypt your files?
Even though the encryption seems irreparable at first, we were able to develop a decryptor which allows victims of the PHP ransomware to restore their original files without difficulty.
- Download the decryptor to the infected device*
- Execute the decryptor – once it starts running it will look for affected files and revert them to their original form
To read more about Check Point’s role in the No More Ransom Project, click here.
*NOTE: The decryptors are effective for the current versions of the ransomware. As security companies and hackers are in an eternal cat and mouse chase, there is a chance the attackers will remediate their vulnerabilities which allowed us to decrypt the files. Therefore, Check Point does not take responsibility for unsuccessful attempts to decrypt files using these tools.*