Ransomware found being delivered as Windows critical update
Ransomware often tries to disguise its malicious behavior by various tricks.
The latest method observed is from a new variant called Fantom, which shows a fake Windows Update screen, while in reality, it’s encrypting the user’s files.
The ransomware, spotted for the first time only a few days ago by AVG security researcher Jakub Kroustek, is coded on top of EDA2, a ransomware building kit that was open-sourced last year, but eventually taken down.
EDA2 contained flaws that allowed researchers to obtain the decryption keys from the ransomware’s C&C server. According to analysis from Bleeping Computer, those flaws aren’t there anymore, meaning one of the Fantom coders must have found and fixed them.
Fantom distributed as a fake Windows critical update
There are no details on Fantom’s distribution.
The method employed by crooks to plant the malicious file on the user’s computer can be either via spam email or exploit kits.
Either way, the Fantom-infected file is named criticalupdate01.exe, and the crooks are using the “Windows Security Update” lure to fool users into running their malicious file.
When this happens, the ransomware springs into action by locking the user’s screen and showing fake Windows Update graphics, with a fully- functional percentage-based loading timer, just like on the original Windows Update screen.
Don’t be fooled by this screen, because it’s a trick, and under the hood, Fantom is encrypting your files.
This temporary lock screen can be removed before it reaches 100% by pressing CTRL+F4, but this won’t stop the encryption process.
According to MalwareHunterTeam, the ransomware uses classic ransomware encryption by locking files using an AES-128 key, and then encrypting this key with a dual RSA key, with the private key stored on the crook’s server, and a public key left on the user’s PC.
To get the private key and unlock their files, users have to contact the crook by email.
The crook’s email addresses are listed in the ransom note, displayed after the encryption process ends.
Fantom shows ransom notes in the form of HTML and TXT files, but also changes the user’s desktop with a custom screenshot containing the contact details.
At the end of all these operations, Fantom cleans after itself by running two batch scripts that delete its installation files.
Users who have Avast’s antimalware solution on a PC with Intel microprocessors are reporting Blue Screens of Death (BSODs) when installing the Windows 10 Anniversary Update.
Avast users report that when the AU process is kicked off, the PC will eventually crash with a “system thread exception not handled” error.
The system then reverts to the previous version of Windows, forcing the user to re-download the update (if they hadn’t previously downloaded it to a USB stick) and begin the update process anew.
I have a machine running Avast, and I had the same experience as others reported.
Why this matters: Every new piece of code has the potential to introduce bugs, and the AU is indeed a massive piece of code.
The purpose behind the Insider builds is to work out all these bugs before the general public encounters them, but it appears Avast’s engineers missed something.
Fortunately, Windows already provides anti-malware protection while Avast sorts things out.
What’s happening, and how to fix it
As the complaints piled up, Avast acknowledged the problem in its support forums.
Based on posts by users and Avast, it seems to be some sort of conflict between Avast, the AU, and Intel’s virtualization technology—even, perhaps, if virtualization is disabled.
Affected products include the Surface Book and Surface Pro 4 but also, apparently, any tablet or notebook running Avast on top of the affected Intel Core chips.
“The issue really seems to occur only on the last generation of Intel CPUs,” Petr Chytil, a quality assurance director for Avast, wrote on an Avast support forum. “Previous generations of Intel Core CPUs are fine. Moreover, it did not show up during the testing on the Win 10 preview builds.”
If you do have Avast installed and want to upgrade to the AU in the meantime, you’ll need to uninstall the Avast program.
If that fails (as it did for me) Avast has also published a dedicated ”avastclear” application to facilitate the uninstallation process.
(You may need to reboot into Safe Mode with Networking to get that to work.) After uninstalling Avast, launch the AU again; it should install normally.
Don’t re-install Avast after the update completes, however, as the “system thread exception” error reportedly reappears.
The Avast update should fix this, however.
Remember, Windows 10 ships with its own built-in antimalware solution, Windows Defender.
Until Avast patches its software, you should probably uninstall Avast, complete the update, then either rely on Windows Defender for a day or two or install another free antimalware program of your choice until Avast sorts out its issues.
Victims can now recover their files for free
Almost a month after security researchers first spotted the Bart ransomware, Jakub Kroustek, a security researcher for AVG, has created a free decrypter for recovering files locked by the Bart ransomware.
In the crowded space of today’s ransomware landscape, Bart stands apart from the competition for two reasons.
First, the ransomware is distributed via one of the largest malware-spreading botnets in the world, the same network that spreads the Dridex banking trojan and the Locky ransomware.
Secondly, Bart does not use encryption to lock your data, but merely takes all your files and places them inside a password-protected ZIP archive, deleting the originals.
Kroustek discovered that Bart does not use different passwords for all files, but one and the same.
The researcher was able to put together a free decrypter, which victims can use to recover their locked files.
How to decrypt files locked by the Bart ransomware
Step 1: To use the decrypter, you must first download it from AVG’s website.
Once you downloaded the decrypter, just double-click it and launch it into execution.
Step 2: Select the hard drive locations where Bart has locked your files in password-protected ZIP files.
Step 3: Identify two versions of the same file to compare.
One must be the one locked by Bart while the other must be the original of the same file.
This should be pretty easy since Bart does not rename files, but only appends the bart.zip file extension at the end.
To find an original file, either use one from your Dropbox account, a file you received via email, or you stored on another computer or portable flash drives.
Step 4: Give the decrypter time to compare the two files and identify the ZIP file’s password.
After this, the decryption process is a point-and-click experience. If you need more help, AVG also has a tutorial available.
Security researchers from Check Point announced over the weekend that they identified a way to decrypt files locked by the Jigsaw ransomware, both new and older versions.
Jigsaw appeared this past April, and the ransomware made a name for itself because it was deleting files from the user’s computer as time went by without receiving a ransom payment. Additional computer restarts would also delete 1,000 more files.
Security researcher Michael Gillespie created a free Jigsaw decrypter when the ransomware first came out and they had kept updating it ever since.
His decrypter attacked the ransomware’s encryption process.
Jigsaw uses a non-standard ransom payment system
The Check Point team claims to have identified a weakness not in the encryption routine, but in how Jigsaw handles the ransom payment.
While other ransomware families use a Tor-based website to handle payments, Jigsaw just prints a Bitcoin wallet address on the victim’s PC via a special ransom note and tells the users to press the “I made a payment, now give me back my files!” button after they made the payment.
Pressing this button starts a request from the user’s PC to an online API that checks if a payment was received to that specific Bitcoin wallet.
Researchers find a weakness in the payment process
There’s a reason most ransomware families handle payments on their own websites, and that’s because users can tamper with the responses that come back from the API.
Check Point created a tool that intercepts and mimics a positive API response.
The tool gives Jigsaw this fake API response, and the ransomware thinks the payment was made, starting the decryption process that ends with Jigsaw unlocking all encrypted files and deleting itself from the infected system.
The tool, which works with both newer and older Jigsaw versions, can be downloaded from here, and below are Check Point’s instructions for using it:
This decryption trick seems to have been known to most security experts, but nobody had ever created a tool that users could download and use.
Unpack the JPS.zip file In the Jigsaw Puzzle Solver folder, right click ‘JPS.exe’ and click ‘run as administrator’ Follow the instructions displayed on the screen
Ransomware shuts users out of their phones by changing the lock-screen password.
Android Nougat will come with a new security feature that prevents ransomware from locking users out of their own devices.
The new operating system, slated for public release later this year, will no longer allow users or software to invoke a command that clears already-set passwords.
Instead of encrypting files like traditional ransomware, Android ransomware typically resets a user’s lock-screen password, preventing the user from getting access to their own phone or tablet until they pay for the password’s release.
Symantec’s Dinesh Venkatesan, who published a write-up of the new security feature, said in a blog post that it “will not stop threats from setting the password on devices with no existing password“.
A developer page confirmed the “resetPassword” function can only be used to set a password if one doesn’t already exist.
In other words, now there’s one more reason to set a password.
The policy change comes amid a wave of ransomware that evolved on the platform in the past year.
A number of ransomware variants have hit the platform, tricking users into installing games or utilities, which later lock users out of their devices until they pay up.
Ransomware is said to be the “biggest” cybersecurity threat in recent times, after costing businesses and consumers millions of dollars worth of damage.
Nemucod ransomware makes a comeback after security researchers cracked one of its earlier iterations
Nemucod first appeared in March 2015, and at its base, the malware is a simple dropper.
Droppers, also called malware downloaders, infectors, or loaders, are simplistic malware families specialized in the “infection” process and nothing more.
After this occurs, they then download more potent malware.
For this article, when we say Nemucod, we are referring to a custom ransomware variant that researchers observed delivered via the Nemucod dropper alone.
First Nemucod ransomware variant was decryptable
The Nemucod ransomware was seen for the first time this past March, when Emsisoft researcher Fabian Wosar also cracked one of its earlier versions and offered a free decrypter.
Since then, the Nemucod ransomware has been evolving, with new versions appearing at regular intervals, but still using the .crypted extension to signal its presence on infected systems.
According to researchers from Intel Security, the latest version uses a combination of JS & PHP code to lock people’s files.
Nemucod comes with a built-in PHP interpreter
Executing this file starts the ransomware’s malicious process.
The JS file will download five files on the user’s PC: a.exe, a1.exe, a2.exe, a.php, and php4ts.dll.
As soon as the file downloads end, the JS file launches into execution a.exe, which is the PHP 22.214.171.124 interpreter, and php4ts.dll, which contains various dependencies.
Theoretically, this version of Nemucod should be easy to decrypt
The malicious JS code also feeds the a.php file to a.exe. The a.php file contains the ransomware’s malicious code, which will scan the user’s hard drive, set sensitive folders aside, and then start encrypting files that end with a specific extension.
According to Intel Security, the encryption process uses a single-byte XOR, which, in theory, should be easy to reverse-engineer and then unlock user files.
At the time of writing, there is no free decrypter available.
Once all operations end, the a.php file creates the a.txt file, which is the ransom note, and places it on the user’s desktop.
Crooks are asking victims to pay 0.3707 Bitcoin (~$245).
UPDATE: Leveraging on @MalwareHunterTeam’s extensive experience with malware reverse engineering, the researcher told us this might be the first desktop-targeting ransomware that uses PHP for the encryption operations.
Previously, PHP-based ransomware have targeted only Web servers.
Crypt38 ransomware had a short life, is already defeated
A new ransomware family called Crypt38 uses a simple encryption routine that allowed Fortinet researchers to reverse engineer the process and find a method of unlocking files.
Named Crypt38 because it appends the .crypt38 extension to all encrypted files, this ransomware’s infection method is currently unknown.
What we know is that the ransomware seems to be targeting only Russian users at the moment, and based on the simplistic encryption routine and low ransom demand, it may be in the testing phase, and users might get to see a much more powerful version in the upcoming future.
Crypt38 ransomware only asks for $15
Right now, the ransomware only asks for 1,000 Rubles (~$15) and doesn’t require users to access a decryption website.
To unlock files, infected users only have to send an email to the ransomware’s author, which will reply with payment details and decryption details.
Fortinet says that during the infection process, the ransomware generates a 12-digit random number to identify each user.
It then takes this ID, runs it through a mathematical operation, appends “6551” at the end of the result and uses the final number as the encryption key.
Simple symmetric encryption process doomed the ransomware’s chances of success
The problem is that the ransomware’s author didn’t use an asymmetric encryption, opting for a symmetric algorithm. This means the encryption key is also the decryption key.
Since Fortinet researchers managed to crack the encryption routine, they say that by taking a look at each victim’s ID number, they could compute the encryption/decryption key.
The good part is that for each user, the ransomware shows the victim ID on the screen, in the ransom note, which means all the details to decrypt user files are out in the open.
Since Fortinet hasn’t provided a publicly available decrypter, at this moment, infected users should try to get in contact with the company in order to recover their files.
UPDATE: In just a few minutes after publication, Michael Gillespie created a free decryption key generator for Crypt38, which is available for download via Bleeping Computer.
Users can enter their ID, and the keygen will spit out a decryption key.
Before using the decryption key, users should back-up their data first, in case the decryption process fails.