School Kid Uploads Ransomware Scripts to PyPI Repository as 'Fun' Project


An apparently school-age hacker from Verona, Italy, has become the latest to show why developers must be careful about what they download from public code repositories. As an experiment, the teenager recently published several malicious Python packages containing ransomware code to the Python Package Index (PyPI).

The packages were named "requesys," "requesrs," and "requesr," all plausible misspellings of "requests," a legitimate and widely used HTTP library for Python. According to the Sonatype researchers who discovered the malicious code on PyPI, one of the packages (requesys) was downloaded around 258 times, most likely by developers who mistyped the name of the genuine "requests" package.

The packages included scripts that walk directories such as Documents, Pictures, and Music. One version of requesys carried its encryption and decryption routines in plain Python; a later version shipped them as a Base64-obfuscated executable, which makes analysis harder, according to Sonatype.

Developers whose systems were encrypted saw a pop-up notice telling them to contact the package's author, "b8ff" (aka "OHR" or Only Hope Remains), on his Discord channel for the decryption key. According to Sonatype, victims were able to obtain the decryption key without paying for it.

"And that makes this case more of a gray area rather than outright malicious activity," Sonatype concludes. 

Information on the hacker's Discord channel shows that at least 15 victims installed and ran the package. Sonatype says it identified the malware on July 28 and promptly reported it to PyPI's administrators. Two of the packages have since been removed, and the hacker has renamed the requesys package so that developers no longer confuse it with the legitimate library.

"There are two takeaways here," says Sonatype's Ankita Lamba, senior security researcher. First, be careful when typing the names of popular libraries, since typosquatting is one of the most prevalent malware distribution tactics, she advises. Second, and more broadly, developers should always exercise caution when pulling packages into their software releases. Open source is both essential fuel for digital innovation and an attractive target for software supply chain attacks, Lamba explains.
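The three package names above are one or two keystrokes away from "requests", which is exactly the pattern a pre-install check can catch. The following is an added example in Go, not Sonatype's tooling or anything from the packages in the story: it normalizes a requested name the way PyPI does (PEP 503) and measures its edit distance, counting adjacent-character swaps as one edit, against a list of popular packages. The popular-package list here is a constructed sample; a real deployment would load the current top-downloaded names from a source it trusts.

```go
package main

import (
	"fmt"
	"strings"
)

// popularPackages is a constructed sample; in practice load the top-N most
// downloaded PyPI names from a source you trust and refresh it regularly.
var popularPackages = []string{"requests", "urllib3", "numpy", "pandas", "flask", "django", "boto3"}

// Normalize applies PEP 503 name normalization: lowercase, with any run of
// '-', '_' or '.' collapsed to a single '-'. PyPI treats such names as equal.
func Normalize(name string) string {
	var sb strings.Builder
	inRun := false
	for _, r := range strings.ToLower(name) {
		if r == '-' || r == '_' || r == '.' {
			if !inRun {
				sb.WriteRune('-')
			}
			inRun = true
			continue
		}
		inRun = false
		sb.WriteRune(r)
	}
	return sb.String()
}

func minInt(a, b int) int {
	if a < b {
		return a
	}
	return b
}

// Distance is the optimal string alignment distance: edits counted as
// insertions, deletions, substitutions and swaps of adjacent characters.
// The swap case matters because "reqeusts"-style transpositions are a
// common typo that plain Levenshtein scores as two edits.
func Distance(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	d := make([][]int, len(ra)+1)
	for i := range d {
		d[i] = make([]int, len(rb)+1)
		d[i][0] = i
	}
	for j := range d[0] {
		d[0][j] = j
	}
	for i := 1; i <= len(ra); i++ {
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			d[i][j] = minInt(minInt(d[i-1][j]+1, d[i][j-1]+1), d[i-1][j-1]+cost)
			if i > 1 && j > 1 && ra[i-1] == rb[j-2] && ra[i-2] == rb[j-1] {
				d[i][j] = minInt(d[i][j], d[i-2][j-2]+1)
			}
		}
	}
	return d[len(ra)][len(rb)]
}

// CheckTyposquat returns the popular package the requested name is closest to
// and whether that closeness is suspicious: an exact match is the real package,
// a distance of 1 or 2 is the classic typosquat pattern, anything farther is
// just a different package.
func CheckTyposquat(requested string) (suspect bool, lookalike string) {
	n := Normalize(requested)
	best, bestName := -1, ""
	for _, p := range popularPackages {
		if d := Distance(n, Normalize(p)); best < 0 || d < best {
			best, bestName = d, p
		}
	}
	switch {
	case best == 0:
		return false, bestName
	case best <= 2:
		return true, bestName
	default:
		return false, ""
	}
}

func main() {
	for _, name := range []string{"requests", "requesys", "requesrs", "requesr", "reqeusts", "httpx"} {
		suspect, near := CheckTyposquat(name)
		fmt.Printf("%-9s suspect=%-5v closest=%q\n", name, suspect, near)
	}
}
```

The threshold of two edits is a trade-off: it catches all three names from the story but will also flag a legitimately named package that happens to sit close to a popular one, so treat a hit as a prompt to look at the package's upload date, maintainer and contents rather than as a verdict.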

Following the finding, Sonatype researchers contacted the author of the malicious code and found him to be a self-described school-going hacker who was evidently fascinated by exploits and by how easily they could be written.

According to Lamba, b8ff assured Sonatype that the ransomware code was entirely open source and part of a hobby project.

"As they are a school-going 'learning developer,' this was meant to be a fun research project on ransomware exploits that could have easily gone much further astray," Lamba says. "The author went on to say that they were surprised to see how easy it was to create this exploit and how interesting it was."

RansomEXX Comes into Action Encrypting Files Using AES-CBC


In a recent Profero report, senior incident responder Brenton Morris states that the decryptors RansomEXX supplied to victims who paid the ransom failed to decrypt some files on Linux VMware ESXi systems. Profero found that the Linux variant of RansomEXX does not lock files properly while encrypting them, which can corrupt data during encryption.

After reverse engineering the RansomEXX Linux encryptor, Profero traced the problem to the way it handles Linux files: if another process wrote to a file while the ransomware was encrypting it, the resulting file contains the encrypted data followed by unencrypted data written afterwards.

RansomEXX encrypts data on disk and then demands a ransom for the key needed to decrypt it. The encryption is built on the open-source mbedtls library: when the malware runs, it generates a 256-bit key and encrypts files with AES in ECB mode. A new AES key is generated every second, so different files end up encrypted under different AES keys.

Each AES key is encrypted with an RSA-4096 public key embedded in the malware and attached to the file it protected; the victim has to buy the matching private key from the attackers to decrypt anything.

"Some strains of Linux ransomware will attempt to acquire a file lock using fcntl while others will often not attempt to lock files for writing, and instead either knowingly choose to take the risk of corrupting the files or do so unknowingly due to lack of Linux programming experience," Morris said. "The Linux version of RansomEXX did not attempt to lock the file at all."

When RansomEXX encrypts a file, the RSA-encrypted AES key is appended to the end of that file. Victims who pay receive a decryptor that decrypts each file's wrapped key and then uses it to decrypt the file's contents.

In the affected files, however, unencrypted data was written after that key trailer, so the decryptor cannot read the encrypted key from the end of the file and the file is not decrypted.
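To make the file layout and the failure concrete, here is an added example in Go; it is neither RansomEXX code nor Profero's decryptor. Only the layout the text describes is taken from the article (AES-256-ECB ciphertext, then the per-file AES key encrypted under the attacker's RSA public key, appended at the end). PKCS#7 padding, RSA-OAEP key wrapping, a 2048-bit RSA key instead of 4096 to keep the run quick, the sample file contents and all function names are assumptions of this example. It encrypts a constructed file, simulates a process appending to the unlocked file afterwards, shows that a decryptor which trusts the last bytes of the file fails, and then recovers the key by scanning backwards for a trailer that actually unwraps.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

const aesKeyLen = 32 // AES-256, as the text describes

// ecb runs the raw AES block function over each 16-byte block independently: no IV, no chaining.
func ecb(op func(dst, src []byte), in []byte) []byte {
	out := make([]byte, len(in))
	for i := 0; i+aes.BlockSize <= len(in); i += aes.BlockSize {
		op(out[i:i+aes.BlockSize], in[i:i+aes.BlockSize])
	}
	return out
}

// EncryptFile produces the layout the text describes: AES-ECB ciphertext, then the per-file AES key
// wrapped with the attacker's embedded RSA public key. PKCS#7 padding and OAEP are assumptions here.
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	key := make([]byte, aesKeyLen)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key) // cannot fail: key is 32 bytes
	padLen := aes.BlockSize - len(plaintext)%aes.BlockSize
	ct := ecb(block.Encrypt, append(plaintext, bytes.Repeat([]byte{byte(padLen)}, padLen)...))
	trailer, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return append(ct, trailer...), nil
}

// unwrapAndDecrypt is the per-file step any decryptor performs once it knows where the trailer is.
func unwrapAndDecrypt(priv *rsa.PrivateKey, trailer, ct []byte) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, trailer, nil)
	if err != nil || len(key) != aesKeyLen {
		return nil, errors.New("trailer does not unwrap to an AES key")
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext not block aligned")
	}
	block, _ := aes.NewCipher(key)
	pt := ecb(block.Decrypt, ct)
	padLen := int(pt[len(pt)-1])
	if padLen == 0 || padLen > aes.BlockSize {
		return nil, errors.New("bad padding")
	}
	return pt[:len(pt)-padLen], nil
}

// NaiveDecrypt trusts the file end: the last priv.Size() bytes must be the trailer, so any bytes written after encryption break it.
func NaiveDecrypt(priv *rsa.PrivateKey, data []byte) ([]byte, error) {
	n := priv.Size()
	if len(data) < n {
		return nil, errors.New("file shorter than an RSA trailer")
	}
	return unwrapAndDecrypt(priv, data[len(data)-n:], data[:len(data)-n])
}

// RecoverDecrypt scans backwards over block-aligned offsets for a trailer that unwraps; what follows it is the appended data.
func RecoverDecrypt(priv *rsa.PrivateKey, data []byte) (plaintext, appended []byte, err error) {
	n := priv.Size()
	// &^ (BlockSize-1) rounds the start down to a block boundary; a negative start skips the loop.
	for ctLen := (len(data) - n) &^ (aes.BlockSize - 1); ctLen >= 0; ctLen -= aes.BlockSize {
		if pt, err := unwrapAndDecrypt(priv, data[ctLen:ctLen+n], data[:ctLen]); err == nil {
			return pt, data[ctLen+n:], nil
		}
	}
	return nil, nil, errors.New("no valid key trailer found")
}

// Demo plays the scenario on constructed data and returns what an incident responder would observe.
func Demo() (naiveErr error, recovered, appended []byte, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // the real malware uses RSA-4096; 2048 keeps this quick
	if err != nil {
		return nil, nil, nil, err
	}
	original := []byte("constructed sample: orders.db row 1\nconstructed sample: orders.db row 2\n")
	encrypted, err := EncryptFile(&priv.PublicKey, original)
	if err != nil {
		return nil, nil, nil, err
	}
	// No fcntl lock was taken, so a service kept writing and its line landed after the trailer.
	tampered := append(encrypted, "constructed sample: orders.db row 3 (written during encryption)\n"...)
	_, naiveErr = NaiveDecrypt(priv, tampered)
	recovered, appended, err = RecoverDecrypt(priv, tampered)
	return naiveErr, recovered, appended, err
}

func main() {
	fmt.Println(Demo()) // naive error, recovered plaintext, appended bytes, recovery error
}
```

The scan works because the RSA-OAEP unwrap only succeeds at the true trailer offset; a wrong offset yields a decryption error rather than a plausible key. The data that landed after the trailer was never encrypted, so it is returned as-is for the responder to decide what to do with it. Note that this scan also demonstrates why a responder should not simply run the attackers' tool on such a file: the tool's assumption about the file end is the very thing that breaks.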

"Because the attackers provide paying victims with a decryption tool they must run to decrypt their files there is a risk that the decryption tool may be malicious. This requires affected victims to reverse engineer the provided decryption tool to ensure there is no hidden payload or malicious features, a time investment that can be problematic for some organizations during a ransomware incident," explains Profero's blog post. 

To help its customers and the wider security community, Profero has published an open-source RansomEXX decryptor that can decrypt files affected by the file-locking problem.

Victims still need the private key from the attackers, but they can now decrypt with a tool they trust and take their time analysing the decryptor the attackers supplied.

Ragnarok Ransomware Gang Releases Free Master Decryptor After Shutdown


The Ragnarok ransomware group has shut down its operations and has reportedly published the master key that decrypts files locked by its malware. The gang left no note explaining the sudden exit; instead it replaced the victim listings on its leak site with a short instruction on how to decrypt files.

Sudden exit 

The Ragnarok gang, also known as Asnarok, used the leak site to release data of victims who refused to pay the ransom. The site has been stripped of all styling and now contains only a brief text linking to an archive with the master key and the binaries needed to use it.

Judging by the leak site, the group did not plan an orderly shutdown; it simply wiped everything and ceased operations.

According to threat intelligence provider HackNotice, the leak site added 12 victims between July 7 and August 16. By listing victims on the site, Ragnarok tried to pressure them into paying, under the threat of leaking unencrypted data stolen during the breach. The listed organizations are based in countries including the U.S., Turkey, France, Spain, Estonia, and Italy, and operate in sectors ranging from manufacturing to legal services.

Multiple security experts have confirmed that the Ragnarok decryptor works. It is being examined, and researchers will eventually publish a clean version that is safe to use on Europol's NoMoreRansom portal.

Before shutting down last week, the Ragnarok ransomware gang had been active since late 2019 or early 2020. It targeted dozens of victims, using exploits to breach a target company's perimeter devices, pivoting from there into internal networks and encrypting critical servers and workstations. The gang made headlines after exploiting the Citrix ADC vulnerability last year.

Ragnarok is not the first ransomware group to release a decryption key this year. In February, Ziggy ransomware abandoned its operations, and in May, Conti provided a free decryption key to Ireland's HSE.

However, even as some ransomware gangs shut down, new groups, which may or may not have spawned from the ranks of the old ones, are sliding in to fill the gaps. Haron and BlackMatter are the latest additions, targeting large organizations that can pay million-dollar ransoms.