Solved

Decrypt Protect Ransomware - files renamed to .html and encrypted

Posted on 2013-05-15
Last Modified: 2013-11-22
I am looking at this post mortem so I can't tell you what malware was removed.

What I can say is that it sounds similar to the ACCDFISA malware described here:
http://www.bleepingcomputer.com/virus-removal/remove-decrypt-accdfisa-protection-program

Files (pdf, jpg, doc, rtf, etc.) are appended with the new extension .html, new headers are added into the code itself (see below), and the file data is encrypted and commented out in the "html file". I'd imagine the encryption occurs prior to the headers getting added, but that's of minor concern. I am pretty sure the files are encrypted because file sizes seem accurate and of different lengths, and an RTF file was not plain text.

I have two questions:

1. Does anyone have any ideas how to fix this?
2. If not, could you at least tell how the file was encrypted if an example file was given, and give some thoughts on how best (if possible) to decrypt the file?

<html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='refresh' content='0; url=http://mblblock.in/i.php?uid={576EA00E-B0D5-8825-1FED-C864CA4E561E}' /><title>Index</title></head><body></body><!--

and ends with

--></html>


Thanks for any help that can be provided.
Question by:ReppertFactor
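A triage scanner for the wrapper layout described in the question, added here as an example and not part of the original post or of any tool mentioned in it. It assumes the header and trailer quoted above are exact, uses a placeholder redirect URL and pseudo-random bytes as constructed sample data, and only carves and measures the commented-out payload so affected files can be inventoried; it does not decrypt anything.

```python
import hashlib
import math
import re
from collections import Counter
from pathlib import Path

# Wrapper layout from the post: meta-refresh header ending in "<!--", then the
# (encrypted) original bytes, then "--></html>". The URL is kept as an indicator.
HEADER_RE = re.compile(
    rb"^<html xmlns='http://www\.w3\.org/1999/xhtml'><head>"
    rb"<meta http-equiv='refresh' content='0; url=(?P<url>[^']*)' />"
    rb"<title>Index</title></head><body></body><!--")
TRAILER = b"--></html>"

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext sits near 8.0, plain text or RTF well below."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def carve(blob: bytes):
    """Return (redirect_url, payload) if blob has the wrapper, else None. The payload
    is returned byte-for-byte, line breaks included, as the post does not document them."""
    stripped = blob.rstrip(b"\r\n")
    m = HEADER_RE.match(stripped)
    if m is None or not stripped.endswith(TRAILER):
        return None
    return m.group("url").decode("ascii", "replace"), stripped[m.end():-len(TRAILER)]

def original_name(name: str) -> str:
    """'map.jpg.html' -> 'map.jpg': the malware only appended '.html'."""
    return name[:-5] if name.endswith(".html") else name

def triage_dir(root: Path):
    """List wrapped files under root as (path, original name, size, entropy, url)."""
    hits = []
    for p in root.rglob("*.html"):
        res = carve(p.read_bytes())
        if res is not None:
            url, payload = res
            hits.append((str(p), original_name(p.name), len(payload),
                         round(shannon_entropy(payload), 2), url))
    return hits

# Constructed sample: SHA-256 output stands in for RC6 ciphertext; the URL is a placeholder.
SAMPLE_URL = b"http://redirect.example.invalid/i.php?uid={PLACEHOLDER}"
SAMPLE_PAYLOAD = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
SAMPLE_BLOB = (b"<html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='refresh' "
               b"content='0; url=" + SAMPLE_URL + b"' /><title>Index</title></head>"
               b"<body></body><!--\n" + SAMPLE_PAYLOAD + b"\n--></html>\n")
```

Running `triage_dir` over a copy of the affected share gives the list of wrapped files, their pre-infection names and a payload entropy near 8 bits per byte, which is the quick check that the comment body is ciphertext rather than merely hidden plain text.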
13 Comments
 
Expert Comment

by:dbaideme
Could alternate data streams have been used? You can check using the program from Microsoft.

http://technet.microsoft.com/en-us/sysinternals/bb897440.aspx
Author Comment

by:ReppertFactor
Here is an example file for review.
gettysburg-national-park-map.jpg.html
Expert Comment

by:CorruptCorey
I have the same issue; here is an example "document":
Advent-Wreath-Blessing.doc.html
Expert Comment

by:Sudeep Sharma
Well, as per this article, if you have not removed the original infection, then there is a chance that you could get the password to decrypt the files from the Dr. Web forum. Please read the whole article and page here:

http://www.bleepingcomputer.com/forums/t/449398/new-ransomware-called-anti-child-porn-spam-protection-or-accdfisa/page-13#entry3001838

Sudeep
Author Comment

by:ReppertFactor
Unfortunately, per those instructions, file names would have been appended with an email address, but that is not the case here. They were renamed with a .html extension. I think Dr. Web uses that email address to parse the password. If you feel I am misinterpreting that thread, please let me know.
Author Comment

by:ReppertFactor
Unfortunately, from all of my testing, the files are not in password-protected RAR format like the previous variations. I've tried extracting the binary portion of the file and renaming it to .rar, and it is unrecognized by WinRAR and 7-Zip. One of the previous variations made them self-extracting, so I took a risk and renamed it to .exe, with still no success.
Author Comment

by:ReppertFactor
Also the original infection was removed before it was realized the files were encrypted.
Expert Comment

by:Sudeep Sharma
>>>Also the original infection was removed before it was realized the files were encrypted.

It is very much necessary to get those original files, as it would help the virus researchers and analysts to know what is used to encrypt the files and whether they have the password or some hash saved on your system to encrypt it.

Further, did you try a tool like Recuva to check if it can recover any of those files in their original state? Though the chances are slim, as these ransomware programs use tools like sdelete to delete the files so that they cannot be recovered.

Recuva Download:
http://www.piriform.com/recuva

Sudeep
Author Comment

by:ReppertFactor
Hi,

I have an original version of a file via redownloading it, so yes, I have at least one instance where we have a directly comparable file.

attached
gettysburg-national-park-map.jpg
Author Comment

by:ReppertFactor
The latest documented variation actually uses sdelete to delete its own temporary files, namely the files it stores the encryption password in. So hopefully that's not the case here.
Author Comment

by:ReppertFactor
I found some interesting files in \Users\%user%\AppData\Roaming\Microsoft\Installer\{6B6C4C46-1B7E-4A41-9E70-ACFBB22B1D81}

namely 3 copies of Icon<8hexchar>.exe with creation dates appropriate to the infection time. The EXEs don't appear to do anything if you run them (on a snapshotted virtual machine), but I expect they may play a role in the ransomware's function.

http://www.mediafire.com/?c11so3ero5o9h4p
Accepted Solution

by:ReppertFactor
Thanks for all your help; Fabian Wosar on the bleepingcomputer thread has solved the issue.

http://www.bleepingcomputer.com/forums/t/494759/decrypt-protect-ransomware/page-3

He provides a decryption tool that scans for encrypted html files.

"The encryption used by the malware is actually RC6 with a simple XOR obfuscation. Since the encryption key is static, decryption of the encrypted file is possible (at least for the variants that I was able to get my hands on). I wrote a small decryption tool that will help you with the decryption of your files. You can download it here:

 

http://tmp.emsisoft.com/fw/decrypt_mblblock.exe"
Author Closing Comment

by:ReppertFactor
The tool provided by the 3rd party is able to decrypt all affected files.