Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Radamant C&C Server Manipulated to Spew Decryption Keys

A flaw in the command and control (C&C) server used by Radamant ransomware has allowed researchers to trick the malware into decrypting victim’s machines for free, InfoArmor reports.

A flaw in the command and control (C&C) server used by Radamant ransomware has allowed researchers to trick the malware into decrypting victim’s machines for free, InfoArmor reports.

Radamant has been a popular ransomware kit on the black market, focused on infecting English-speaking users since December 2015. According to InfoArmor researchers, there are at least two known versions of this malware at the moment, namely RDM v.1and RKK v.2.

 The ransomware has been designed to encrypt all data repositories on the infected machines, including the HDD, USB-flash and the Shared folder, and to use a unique AES-256 key for each file. Furthermore, the AES-256 key is then encrypted with an RSA-2048 master key that is embedded into the target file.

 Related: How Mid-market Enterprises Can Protect Against Ransomware Attacks

Similar to other ransomware, Radamant asks victims to pay a ransom using crypto-currency to receive a special tool containing a decryption key that can be used to unlock and restore their files. However, researchers at InfoArmor have discovered a method of attacking the Radamant C&C server that could potentially allow them to decrypt victims’ files without requiring user interaction.

According to the cyber-threat intelligence provider, this method relies on the Radamant C&C server being used to control all of the infected machines with a targeted vulnerability exploit to initialize the decryption process. With the malware operator not being aware of this flaw, the attack has been highly effective in helping thousands of infected victims, the researchers note.

The method involves registering the infected machine within the malware control center via a HTTP POST request. However, this request needs to contain both public and private encryption keys, along with a unique identifier of the bot, which needs to be modified to bypass the filter and to avoid any additional vulnerability exploits.

A “ReplaceContent” function is used to validate and cleanse the external input, yet it was found ineffective due to not filtering backslashes that can be used for escaping special characters in the MySQL database, thus leaving the application vulnerable for SQL Injection attacks.

Should all the right circumstances be met, the entire database can be retrieved, while the ransomware can be manipulated to believe that the infected computers paid the ransom. Thus, the malicious application initializes the decryption procedure and restores files to their original state, researchers explain.

According to the security firm, once the new bot has been registered with the server, a specific HTTP request needs to be created and executed to change the status of all infected machines to paid and unlock their files. The script automatically searches for the specific bot ID in the database, while also updating the bots’ last visit time, and it is during the execution of this SQL query that the customized bot identifier can be set to execute unintended commands to change the status of all machines to paid.

As soon as this query has been executed, every infected computer connected to the Radamant C&C server will automatically receive a private key that can be used to decrypt files with specific extensions. The operation can be performed on a large number of bots to activate the process of data decryption without the malware’s operator being aware of it.

InfoArmor researchers also note that the author of Radamant is also working on other crime kits, and that a new product was identified in early February 2016 as “KimChenIn Coin Kit.” This is an advanced crypto-currency malware stealer designed to target popular wallets, including Bitcoin Core, LiteCoin Core, Dash Core, NameCoin Core and Electrum-BTC/LTC/Dash.

Researchers have been trying to help ransomware victims by creating free decryption tools, as was the case with TeslaCrypt, Cryptear.B, or Linux.Encoder. Most recently, a newly discovered EDA2-based ransomware was easily neutralized by the creator of Hidden Tear educational ransomware, and decryption keys were published online.

Related: Macro Malware Dridex, Locky Using Forms to Hide Code

Written By

Click to comment

Expert Insights

Related Content

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

Cybercrime

Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.