Security Experts:

Radamant C&C Server Manipulated to Spew Decryption Keys

A flaw in the command and control (C&C) server used by Radamant ransomware has allowed researchers to trick the malware into decrypting victim’s machines for free, InfoArmor reports.

Radamant has been a popular ransomware kit on the black market, focused on infecting English-speaking users since December 2015. According to InfoArmor researchers, there are at least two known versions of this malware at the moment, namely RDM v.1and RKK v.2.

 The ransomware has been designed to encrypt all data repositories on the infected machines, including the HDD, USB-flash and the Shared folder, and to use a unique AES-256 key for each file. Furthermore, the AES-256 key is then encrypted with an RSA-2048 master key that is embedded into the target file.

 Related: How Mid-market Enterprises Can Protect Against Ransomware Attacks

Similar to other ransomware, Radamant asks victims to pay a ransom using crypto-currency to receive a special tool containing a decryption key that can be used to unlock and restore their files. However, researchers at InfoArmor have discovered a method of attacking the Radamant C&C server that could potentially allow them to decrypt victims’ files without requiring user interaction.

According to the cyber-threat intelligence provider, this method relies on the Radamant C&C server being used to control all of the infected machines with a targeted vulnerability exploit to initialize the decryption process. With the malware operator not being aware of this flaw, the attack has been highly effective in helping thousands of infected victims, the researchers note.

The method involves registering the infected machine within the malware control center via a HTTP POST request. However, this request needs to contain both public and private encryption keys, along with a unique identifier of the bot, which needs to be modified to bypass the filter and to avoid any additional vulnerability exploits.

A “ReplaceContent” function is used to validate and cleanse the external input, yet it was found ineffective due to not filtering backslashes that can be used for escaping special characters in the MySQL database, thus leaving the application vulnerable for SQL Injection attacks.

Should all the right circumstances be met, the entire database can be retrieved, while the ransomware can be manipulated to believe that the infected computers paid the ransom. Thus, the malicious application initializes the decryption procedure and restores files to their original state, researchers explain.

According to the security firm, once the new bot has been registered with the server, a specific HTTP request needs to be created and executed to change the status of all infected machines to paid and unlock their files. The script automatically searches for the specific bot ID in the database, while also updating the bots’ last visit time, and it is during the execution of this SQL query that the customized bot identifier can be set to execute unintended commands to change the status of all machines to paid.

As soon as this query has been executed, every infected computer connected to the Radamant C&C server will automatically receive a private key that can be used to decrypt files with specific extensions. The operation can be performed on a large number of bots to activate the process of data decryption without the malware’s operator being aware of it.

InfoArmor researchers also note that the author of Radamant is also working on other crime kits, and that a new product was identified in early February 2016 as “KimChenIn Coin Kit.” This is an advanced crypto-currency malware stealer designed to target popular wallets, including Bitcoin Core, LiteCoin Core, Dash Core, NameCoin Core and Electrum-BTC/LTC/Dash.

Researchers have been trying to help ransomware victims by creating free decryption tools, as was the case with TeslaCrypt, Cryptear.B, or Linux.Encoder. Most recently, a newly discovered EDA2-based ransomware was easily neutralized by the creator of Hidden Tear educational ransomware, and decryption keys were published online.

Related: Macro Malware Dridex, Locky Using Forms to Hide Code

view counter