Solved

decrypt protect Randsomeware - files renamed to .html and encrypted

Posted on 2013-05-15
13
1,806 Views
Last Modified: 2013-11-22
I am looking at this post mortem so I can't tell you what malware was removed.

What I can say is that it sounds similar to the ACCDFISA malware described here:
http://www.bleepingcomputer.com/virus-removal/remove-decrypt-accdfisa-protection-program

Files (pdf, jpg, doc, rtf, etc) are appended with new extension .html, new headers are added into the code itself (see below), and the file data is encrypted and commented out in the "html file".  I'd imagine the encryption occurs prior to the headers getting added, but that's of minor concern.  I am pretty sure the files are encrypted because file sizes seem accurate and of different lengths, and an RTF file was not plain text.

I have two questions:

1. does anyone have any ideas how to fix this
2. if not, could you at least be able to tell how the file was encrypted if an example file was given and some thoughts on how best (if possible) to decrypt the file

<html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='refresh' content='0; url=http://mblblock.in/i.php?uid={576EA00E-B0D5-8825-1FED-C864CA4E561E}' /><title>Index</title></head><body></body><!--


and ends with


--></html>


Thanks for any help that can be provided.
0
Comment
Question by:ReppertFactor
13 Comments
 
LVL 3

Expert Comment

by:dbaideme
ID: 39169433
Could alternate data streams could have been used? You can check using the program from Microsoft.

http://technet.microsoft.com/en-us/sysinternals/bb897440.aspx
0
 

Author Comment

by:ReppertFactor
ID: 39169541
here is an example file for review.
gettysburg-national-park-map.jpg.html
0
 

Expert Comment

by:CorruptCorey
ID: 39170301
I have the same issue here is an example "document"
Advent-Wreath-Blessing.doc.html
0
 
LVL 29

Expert Comment

by:Sudeep Sharma
ID: 39171990
Well as per this article, if you have not removed the original infections then there are chances that you could get the password to decrypt the files from Dr. Web forum. Please read the whole article and page here:

http://www.bleepingcomputer.com/forums/t/449398/new-ransomware-called-anti-child-porn-spam-protection-or-accdfisa/page-13#entry3001838

Sudeep
0
 

Author Comment

by:ReppertFactor
ID: 39172364
unfortunately per those instructions files names would have been appended with an email address, but that is not the case here.  They were renamed with a .html extension.  I think Dr. Webb uses that email address to parse the password.  If you feel I am misinterpreting that thread please let me know.
0
 

Author Comment

by:ReppertFactor
ID: 39172366
Unfortuantely from all of my testing, the files are not in password RAR format like the previous variations.  I've tried extracting the binary portion of the file and renaming it to .rar and it is unrecognized by WinRAR and 7-zip.  One of the previous variations made them self-extracting, so I took a risk and renamed it to .exe, with still no success.
0
Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

 

Author Comment

by:ReppertFactor
ID: 39172369
Also the original infection was removed before it was realized the files were encrypted.
0
 
LVL 29

Expert Comment

by:Sudeep Sharma
ID: 39172390
>>>Also the original infection was removed before it was realized the files were encrypted.

It is very much necessary to get those original files as it would help the Virus researchers and analyst to know what is used to encrypt the files and if they have the password or some hash saved on your system to encrypt it.

Further did you tried the tool like Recuva to check if it can recover any of those file in its original state. Though the chances are less they these ransomware uses programs like sdelete to delete the files that could not be recovered.

Recuva Download:
http://www.piriform.com/recuva

Sudeep
0
 

Author Comment

by:ReppertFactor
ID: 39172439
Hi,

I have an original version of a file via redownloading it, so yes I have at least one instance where we have a directly comparable file,

attached
gettysburg-national-park-map.jpg
0
 

Author Comment

by:ReppertFactor
ID: 39172463
The lastest documented variation actually uses sdelete to delete it's own temporary files, namely the files it stores the encryption password in.  So hopefully that's not the case here.
0
 

Author Comment

by:ReppertFactor
ID: 39176297
I found some interesting files in \Users\%user%\AppData\Roaming\Microsoft\Installer\{6B6C4C46-1B7E-4A41-9E70-ACFBB22B1D81}

namely 3 copies of Icon<8hexchar>.exe with creation dates appropriate to the infection time.  The exe's don't appear to do anything if you run them (on a snapshot'd virtual) but I expect they may play a role in the ransomeware's function.

 

http://www.mediafire.com/?c11so3ero5o9h4p
0
 

Accepted Solution

by:
ReppertFactor earned 0 total points
ID: 39177926
thanks for all your help, Fabian Wosar on the bleepingcomputer thread has solved the issue.

http://www.bleepingcomputer.com/forums/t/494759/decrypt-protect-ransomware/page-3

He provides a decryption tool that scans for encrypted html files.

"The encryption used by the malware is actually RC6 with a simple XOR obfuscation. Since the encryption key is static, decryption of the encrypted file is possible (at least for the variants that I was able to get my hands on). I wrote a small decryption tool that will help you with the decryption of your files. You can download it here:

 

http://tmp.emsisoft.com/fw/decrypt_mblblock.exe"
0
 

Author Closing Comment

by:ReppertFactor
ID: 39190273
The tool provided by the 3rd party is able to decrypt all affected files.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Cybersecurity has become the buzzword of recent years and years to come. The inventions of cloud infrastructure and the Internet of Things has made us question our online safety. Let us explore how cloud- enabled cybersecurity can help us with our b…
Envision that you are chipping away at another e-business site with a team of pundit developers and designers. Everything seems, by all accounts, to be going easily.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now