Solved

decrypt protect ransomware - files renamed to .html and encrypted

Posted on 2013-05-15
1,847 Views
Last Modified: 2013-11-22
I am looking at this post-mortem, so I can't tell you what malware was removed.

What I can say is that it sounds similar to the ACCDFISA malware described here:
http://www.bleepingcomputer.com/virus-removal/remove-decrypt-accdfisa-protection-program

Files (pdf, jpg, doc, rtf, etc.) are appended with a new extension, .html, new headers are added into the code itself (see below), and the file data is encrypted and commented out in the "html file". I'd imagine the encryption occurs prior to the headers getting added, but that's of minor concern. I am pretty sure the files are encrypted because file sizes seem accurate and of different lengths, and an RTF file was not plain text.

I have two questions:

1. Does anyone have any ideas how to fix this?
2. If not, could you at least tell how the file was encrypted if an example file were given, and give some thoughts on how best (if possible) to decrypt it?

<html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='refresh' content='0; url=http://mblblock.in/i.php?uid={576EA00E-B0D5-8825-1FED-C864CA4E561E}' /><title>Index</title></head><body></body><!--


and ends with


--></html>


Thanks for any help that can be provided.
Question by:ReppertFactor
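The wrapper described in the question, as an added example that is not part of the original post or of any decryption tool mentioned later in the thread: a small Python triage script that strips the XHTML header and "--></html>" trailer quoted above, pulls the uid out of the redirect URL, checks the remaining bytes for common file signatures (the RAR and EXE headers the author tested by renaming, plus the original document types) and measures byte entropy, then compares the payload length against a clean copy of the file when one is available. The header text is the one quoted in the question; the 1024-byte payload and the stand-in "original" are constructed for the demonstration. It does not decrypt anything.

```python
import math
import re
from pathlib import Path
from typing import Optional

# Wrapper quoted in the question: XHTML header with a meta refresh to
# mblblock.in, then the encrypted bytes inside an HTML comment.
HEADER_RE = re.compile(
    rb"^<html xmlns='http://www.w3.org/1999/xhtml'><head>"
    rb"<meta http-equiv='refresh' content='0; url=(?P<url>[^']+)' />"
    rb"<title>Index</title></head><body></body><!--"
)
TRAILER = b"--></html>"

# Signatures worth checking before assuming the payload is ciphertext;
# "rar" and "exe" are what the author tried by renaming the file.
MAGIC = {
    b"Rar!\x1a\x07": "rar",
    b"MZ": "exe",
    b"\xff\xd8\xff": "jpeg",
    b"%PDF": "pdf",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2 (doc/xls/ppt)",
    b"{\\rtf": "rtf",
}


def parse_wrapped(data: bytes):
    """Return (redirect_url, uid, payload), or None if the wrapper is absent."""
    m = HEADER_RE.match(data)
    if m is None or not data.endswith(TRAILER):
        return None
    url = m.group("url").decode("ascii", "replace")
    uid_match = re.search(r"uid=\{([0-9A-Fa-f-]+)\}", url)
    uid = uid_match.group(1) if uid_match else None
    # Nothing is stripped from the payload: any newline the malware wrote
    # after "<!--" is part of what a decryptor has to account for.
    payload = data[m.end():len(data) - len(TRAILER)]
    return url, uid, payload


def identify_magic(payload: bytes):
    for sig, name in MAGIC.items():
        if payload.startswith(sig):
            return name
    return None


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, far lower for text or RTF."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage(wrapped: bytes, original: Optional[bytes] = None) -> dict:
    """Summarise one wrapped file; pass the clean original, if any, to compare sizes."""
    parsed = parse_wrapped(wrapped)
    if parsed is None:
        return {"wrapped": False}
    url, uid, payload = parsed
    report = {
        "wrapped": True, "url": url, "uid": uid,
        "payload_len": len(payload),
        "magic": identify_magic(payload),
        "entropy": round(shannon_entropy(payload), 2),
    }
    if original is not None:
        # A small constant delta across files suggests block padding or a
        # short prepended header; a large one suggests the payload is not the file.
        report["size_delta"] = len(payload) - len(original)
    return report


def scan_tree(root: str):
    """Yield (path, report) for every *.html under root that carries the wrapper."""
    for p in Path(root).rglob("*.html"):
        report = triage(p.read_bytes())
        if report["wrapped"]:
            yield p, report


# Constructed sample: header/trailer as quoted in the question, payload and
# "original" invented for the demonstration (not real victim data).
SAMPLE_HEADER = (
    b"<html xmlns='http://www.w3.org/1999/xhtml'><head>"
    b"<meta http-equiv='refresh' content='0; url=http://mblblock.in/i.php"
    b"?uid={576EA00E-B0D5-8825-1FED-C864CA4E561E}' />"
    b"<title>Index</title></head><body></body><!--"
)
SAMPLE_WRAPPED = SAMPLE_HEADER + bytes(range(256)) * 4 + TRAILER
SAMPLE_ORIGINAL = b"\xff\xd8\xff" + b"\x00" * 1021   # stand-in for the clean .jpg


def demo() -> dict:
    return triage(SAMPLE_WRAPPED, SAMPLE_ORIGINAL)
```

Run `scan_tree(".")` over a share to list every wrapped file with its uid; an entropy near 8.0 and no recognisable signature is the quickest confirmation that the comment body really is ciphertext rather than a renamed archive.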
13 Comments
 
LVL 3

Expert Comment

by:dbaideme
ID: 39169433
Could alternate data streams have been used? You can check using the program from Microsoft.

http://technet.microsoft.com/en-us/sysinternals/bb897440.aspx
 

Author Comment

by:ReppertFactor
ID: 39169541
here is an example file for review.
gettysburg-national-park-map.jpg.html
 

Expert Comment

by:CorruptCorey
ID: 39170301
I have the same issue here is an example "document"
Advent-Wreath-Blessing.doc.html

 
LVL 30

Expert Comment

by:Sudeep Sharma
ID: 39171990
Well, as per this article, if you have not removed the original infection, then there is a chance that you could get the password to decrypt the files from the Dr. Web forum. Please read the whole article and page here:

http://www.bleepingcomputer.com/forums/t/449398/new-ransomware-called-anti-child-porn-spam-protection-or-accdfisa/page-13#entry3001838

Sudeep
 

Author Comment

by:ReppertFactor
ID: 39172364
Unfortunately, per those instructions, file names would have been appended with an email address, but that is not the case here. They were renamed with a .html extension. I think Dr. Web uses that email address to parse the password. If you feel I am misinterpreting that thread, please let me know.
 

Author Comment

by:ReppertFactor
ID: 39172366
Unfortunately, from all of my testing, the files are not in password-protected RAR format like the previous variations. I've tried extracting the binary portion of the file and renaming it to .rar, and it is unrecognized by WinRAR and 7-Zip. One of the previous variations made them self-extracting, so I took a risk and renamed it to .exe, still with no success.
 

Author Comment

by:ReppertFactor
ID: 39172369
Also the original infection was removed before it was realized the files were encrypted.
 
LVL 30

Expert Comment

by:Sudeep Sharma
ID: 39172390
>>>Also the original infection was removed before it was realized the files were encrypted.

It is very necessary to get those original files, as it would help the virus researchers and analysts know what was used to encrypt the files, and whether they have the password or some hash saved on your system to encrypt it.

Further, did you try a tool like Recuva to check if it can recover any of those files in their original state? Though the chances are low, as these ransomware programs use tools like sdelete to delete the files so that they cannot be recovered.

Recuva Download:
http://www.piriform.com/recuva

Sudeep
 

Author Comment

by:ReppertFactor
ID: 39172439
Hi,

I have an original version of a file via redownloading it, so yes, I have at least one instance where we have a directly comparable file.

attached
gettysburg-national-park-map.jpg
 

Author Comment

by:ReppertFactor
ID: 39172463
The latest documented variation actually uses sdelete to delete its own temporary files, namely the files it stores the encryption password in. So hopefully that's not the case here.
 

Author Comment

by:ReppertFactor
ID: 39176297
I found some interesting files in \Users\%user%\AppData\Roaming\Microsoft\Installer\{6B6C4C46-1B7E-4A41-9E70-ACFBB22B1D81}

namely 3 copies of Icon<8hexchar>.exe with creation dates appropriate to the infection time. The .exe files don't appear to do anything if you run them (on a snapshotted virtual machine), but I expect they may play a role in the ransomware's function.

 

http://www.mediafire.com/?c11so3ero5o9h4p
 

Accepted Solution

by:ReppertFactor (earned 0 total points)
ID: 39177926
Thanks for all your help. Fabian Wosar on the BleepingComputer thread has solved the issue.

http://www.bleepingcomputer.com/forums/t/494759/decrypt-protect-ransomware/page-3

He provides a decryption tool that scans for encrypted html files.

"The encryption used by the malware is actually RC6 with a simple XOR obfuscation. Since the encryption key is static, decryption of the encrypted file is possible (at least for the variants that I was able to get my hands on). I wrote a small decryption tool that will help you with the decryption of your files. You can download it here:

http://tmp.emsisoft.com/fw/decrypt_mblblock.exe"
 

Author Closing Comment

by:ReppertFactor
ID: 39190273
The tool provided by the 3rd party is able to decrypt all affected files.
