Solved

Decrypt Protect ransomware - files renamed to .html and encrypted

Posted on 2013-05-15
1,820 Views
Last Modified: 2013-11-22
I am looking at this post mortem so I can't tell you what malware was removed.

What I can say is that it sounds similar to the ACCDFISA malware described here:
http://www.bleepingcomputer.com/virus-removal/remove-decrypt-accdfisa-protection-program

Files (pdf, jpg, doc, rtf, etc.) are given a new .html extension, new headers are added into the code itself (see below), and the file data is encrypted and commented out in the "html file". I'd imagine the encryption occurs prior to the headers getting added, but that's of minor concern. I am pretty sure the files are encrypted because file sizes seem accurate and of different lengths, and an RTF file was not plain text.

I have two questions:

1. Does anyone have any ideas how to fix this?
2. If not, could you at least tell how the file was encrypted if an example file were given, and offer some thoughts on how best (if possible) to decrypt the file?

<html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='refresh' content='0; url=http://mblblock.in/i.php?uid={576EA00E-B0D5-8825-1FED-C864CA4E561E}' /><title>Index</title></head><body></body><!--

and ends with

--></html>

Thanks for any help that can be provided.
Question by:ReppertFactor
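An added triage helper, written for this thread and not taken from it or from any tool mentioned in it: it recognises the wrapper layout quoted in the question (redirect stub, file data inside an HTML comment, a --></html> trailer), extracts the commented-out bytes, and estimates their entropy to back up the poster's inference that the data is encrypted rather than merely renamed. The redirect URL, uid and payload bytes are constructed placeholders, and the 7.5 bits/byte threshold is an assumption.

```python
import math
import re
from collections import Counter

# Wrapper layout quoted in the question: a meta-refresh redirect stub, then the
# file's data inside an HTML comment, closed by --></html>.  The redirect host
# and uid differ per infection, so the URL is captured rather than matched.
HEAD_RE = re.compile(
    rb"\A<html xmlns='http://www\.w3\.org/1999/xhtml'><head>"
    rb"<meta http-equiv='refresh' content='0; url=(?P<url>[^']*)' />"
    rb"<title>Index</title></head><body></body><!--")
TAIL = b"--></html>"
ENTROPY_THRESHOLD = 7.5  # assumed cut-off; ciphertext sits close to 8 bits/byte

def parse_wrapper(data: bytes):
    """Return (redirect_url, payload) for the quoted layout, else None."""
    m = HEAD_RE.match(data)
    body = data.rstrip(b"\r\n")  # tolerate a trailing newline after </html>
    if not m or not body.endswith(TAIL):
        return None
    return m.group("url").decode("ascii", "replace"), body[m.end():-len(TAIL)]

def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: ~8.0 for encrypted/compressed data, far lower for text."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0

def triage(data: bytes, original_len=None) -> dict:
    """Wrapper match, redirect URL, payload entropy and size delta vs a clean copy."""
    parsed = parse_wrapper(data)
    if parsed is None:
        return {"wrapped": False}
    url, payload = parsed
    ent = shannon_entropy(payload)
    info = {"wrapped": True, "redirect_url": url, "payload_len": len(payload),
            "entropy": round(ent, 3), "likely_encrypted": ent >= ENTROPY_THRESHOLD}
    if original_len is not None:
        info["size_delta"] = len(payload) - original_len
    return info

def wrap(payload: bytes, url: str) -> bytes:
    # Build a constructed sample in the quoted layout (test data only).
    return (b"<html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='refresh' "
            b"content='0; url=" + url.encode() + b"' /><title>Index</title></head>"
            b"<body></body><!--" + payload + TAIL)

# Constructed samples: a uniform 4 KiB stand-in for ciphertext, a repetitive
# RTF-like text, and a placeholder redirect URL/uid taken from no real infection.
FAKE_CIPHERTEXT = bytes((i * 131 + 7) % 256 for i in range(4096))
FAKE_RTF = b"{\\rtf1\\ansi Four score and seven years ago... }\r\n" * 64
SAMPLE_URL = "http://redirect.example/i.php?uid={PLACEHOLDER-UID}"
```

Run triage() over each renamed .html file and compare payload_len against a clean copy where one exists, as the poster did with the re-downloaded jpg; a high-entropy payload of matching size supports "encrypted in place" rather than "damaged or truncated".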
13 Comments
LVL 3

Expert Comment

by:dbaideme
ID: 39169433
Could alternate data streams have been used? You can check using the program from Microsoft.

http://technet.microsoft.com/en-us/sysinternals/bb897440.aspx

Author Comment

by:ReppertFactor
ID: 39169541
Here is an example file for review.
gettysburg-national-park-map.jpg.html

Expert Comment

by:CorruptCorey
ID: 39170301
I have the same issue; here is an example "document":
Advent-Wreath-Blessing.doc.html
LVL 29

Expert Comment

by:Sudeep Sharma
ID: 39171990
Well, as per this article, if you have not removed the original infection, there is a chance that you could get the password to decrypt the files from the Dr. Web forum. Please read the whole article and page here:

http://www.bleepingcomputer.com/forums/t/449398/new-ransomware-called-anti-child-porn-spam-protection-or-accdfisa/page-13#entry3001838

Sudeep

Author Comment

by:ReppertFactor
ID: 39172364
Unfortunately, per those instructions, file names would have been appended with an email address, but that is not the case here. They were renamed with a .html extension. I think Dr. Web uses that email address to parse the password. If you feel I am misinterpreting that thread, please let me know.

Author Comment

by:ReppertFactor
ID: 39172366
Unfortunately, from all of my testing, the files are not in password-protected RAR format like the previous variations. I've tried extracting the binary portion of the file and renaming it to .rar, and it is unrecognized by WinRAR and 7-Zip. One of the previous variations made them self-extracting, so I took a risk and renamed it to .exe, still with no success.

Author Comment

by:ReppertFactor
ID: 39172369
Also the original infection was removed before it was realized the files were encrypted.
LVL 29

Expert Comment

by:Sudeep Sharma
ID: 39172390
>>>Also the original infection was removed before it was realized the files were encrypted.

It is very necessary to get those original files, as it would help the virus researchers and analysts to know what was used to encrypt the files and whether they have the password or some hash saved on your system to encrypt them.

Further, did you try a tool like Recuva to check if it can recover any of those files in their original state? Though the chances are low, as these ransomware programs use tools like sdelete to delete the files so that they cannot be recovered.

Recuva Download:
http://www.piriform.com/recuva

Sudeep

Author Comment

by:ReppertFactor
ID: 39172439
Hi,

I have an original version of a file via redownloading it, so yes, I have at least one instance where we have a directly comparable file.

attached
gettysburg-national-park-map.jpg

Author Comment

by:ReppertFactor
ID: 39172463
The latest documented variation actually uses sdelete to delete its own temporary files, namely the files it stores the encryption password in. So hopefully that's not the case here.

Author Comment

by:ReppertFactor
ID: 39176297
I found some interesting files in \Users\%user%\AppData\Roaming\Microsoft\Installer\{6B6C4C46-1B7E-4A41-9E70-ACFBB22B1D81}

namely 3 copies of Icon<8hexchar>.exe with creation dates appropriate to the infection time. The exes don't appear to do anything if you run them (on a snapshotted virtual machine), but I expect they may play a role in the ransomware's function.

http://www.mediafire.com/?c11so3ero5o9h4p

Accepted Solution

by:ReppertFactor (earned 0 total points)
ID: 39177926
Thanks for all your help; Fabian Wosar on the bleepingcomputer thread has solved the issue.

http://www.bleepingcomputer.com/forums/t/494759/decrypt-protect-ransomware/page-3

He provides a decryption tool that scans for encrypted html files.

"The encryption used by the malware is actually RC6 with a simple XOR obfuscation. Since the encryption key is static, decryption of the encrypted file is possible (at least for the variants that I was able to get my hands on). I wrote a small decryption tool that will help you with the decryption of your files. You can download it here:

http://tmp.emsisoft.com/fw/decrypt_mblblock.exe"

Author Closing Comment

by:ReppertFactor
ID: 39190273
The tool provided by the 3rd party is able to decrypt all affected files.