
Researchers Use MiTM Attack Against Ransomware Operator

Researchers Help Alma Ransomware Victims Decrypt Files By Using MitM Attack Against Operators

Security researchers have successfully defeated the newly spotted Alma ransomware, giving victims the option to decrypt their files for free.

Distributed via the RIG exploit kit and using a Tor command and control (C&C) server, the malware employed a two-step attack method: after encrypting files, it pointed the victim to a decrypter that connected to the C&C server. Because that decrypter trusted whatever the server sent back, security researchers were able to mount a man-in-the-middle (MitM) attack against it and decrypt victims' files for free.

Alma was observed generating a random 5-character extension immediately after infecting a computer, along with a unique 8-character victim ID that is derived from the serial number of the C:\ drive and the MAC address of the first network interface. The ransomware uses AES-128 encryption to lock users' files, and appends the previously generated extension to them.

While targeting a broad range of file types, the ransomware skips those located in folders containing the following strings: $recycle.bin, system volume information, program files, programdata, program files (x86), windows, internet explorer, Microsoft, Mozilla, chrome, appdata, local settings, recycler, msocache, and Unlock_files_.
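The two behaviours above (a random 5-character extension appended to every encrypted file, and the folder strings that are skipped) are enough for a first triage pass on an infected volume. The following is an added example for responders, not PhishLabs' tool or the article's code; it assumes the appended extension is five lowercase alphanumerics and sits after the file's original extension, and the file listing is constructed for the demonstration.

```python
"""Triage helper: infer the extension Alma appended and locate encrypted files.

Added example, not code from the article or from PhishLabs. It assumes the
behaviour described in the write-up: a random 5-character extension appended
to each encrypted file, and files inside the listed folder strings left alone.
"""
import re
from collections import Counter

# Folder-name fragments the article says Alma skips (matched case-insensitively).
SKIPPED_FRAGMENTS = [
    "$recycle.bin", "system volume information", "program files",
    "programdata", "program files (x86)", "windows", "internet explorer",
    "microsoft", "mozilla", "chrome", "appdata", "local settings",
    "recycler", "msocache", "unlock_files_",
]

# Assumption: original name + original extension + "." + 5 alphanumerics.
_APPENDED = re.compile(r"^(?P<base>.+\.[A-Za-z0-9]{1,10})\.(?P<ext>[a-z0-9]{5})$", re.I)


def _split(path):
    """Normalise Windows paths so the helper also runs on a Linux analysis box."""
    parts = path.replace("\\", "/").split("/")
    return [p.lower() for p in parts[:-1]], parts[-1]


def is_skipped(path):
    """True if any folder component contains one of the skipped fragments."""
    folders, _ = _split(path)
    return any(frag in folder for folder in folders for frag in SKIPPED_FRAGMENTS)


def infer_extension(paths):
    """Return (extension, count) for the most common appended 5-char suffix
    among files in non-skipped folders, or (None, 0) if nothing matches."""
    counts = Counter()
    for path in paths:
        if is_skipped(path):
            continue
        m = _APPENDED.match(_split(path)[1])
        if m:
            counts[m.group("ext").lower()] += 1
    return counts.most_common(1)[0] if counts else (None, 0)


def original_name(path, ext):
    """Strip the inferred extension so the original file name can be restored."""
    return path[: -(len(ext) + 1)] if path.lower().endswith("." + ext) else path


# Constructed sample listing (not real victim data).
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\report.docx.q7x2k",
    r"C:\Users\alice\Pictures\holiday.jpg.q7x2k",
    r"C:\Users\alice\Desktop\notes.txt.q7x2k",
    r"C:\Users\alice\AppData\Local\cache.dat.q7x2k",  # skipped folder
    r"C:\Program Files\app\app.exe",                   # skipped folder
    r"C:\Users\alice\Downloads\setup.msi",             # untouched file
]
```

Run `infer_extension(SAMPLE_PATHS)` on a real listing to recover the extension before attempting any decryption, and feed the result to `original_name` when restoring files.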

According to PhishLabs researchers, the malware's authors are trying to trick users by claiming the malicious file belongs to Apple, so that a user who sees the file flagged as malicious may dismiss the alert as a false positive. To hinder analysis, the malware has Address Space Layout Randomization (ASLR) enabled by a flag in the PE header, meaning that the operating system randomizes the program's memory locations, a mitigation against buffer overflow exploits.

The ransomware attempts to resolve an .onion address to check in and to send specific information about the machine. These details include: the AES-128 decryption key, the encrypted file extension, user name, name of the active network interface, the system Locale ID (LCID), operating system version, victim ID, installed security software, and the time stamp of when the program was started.

After completing the encryption process, the ransomware presents a notice to the user informing them that their files have been encrypted. The malware also generates a personal identifier that is used to identify the victim in the ransom payment. However, there is a second stage of infection, in which the user is presented with the option to download a decrypter that displays the decryption instructions.

PhishLabs researchers observed that the decrypter performs a check-in with the C&C when launched, sending the victim's personal identifier to the server to report that the decryption tool has been downloaded. The server then tells the decrypter the Bitcoin address, the multi-character file extension, the hours left to pay the ransom, and the cost of the ransom. The victim is given 120 hours to pay, counted from the moment the decrypter is downloaded.

The ransomware uses un-obfuscated .NET code, which allowed researchers to view the decrypter's source code and identify the decryption parameters. Next, researchers created their own decryption tool and also managed to intercept the communication between the original decrypter and the server after discovering that the tool was vulnerable to a man-in-the-middle (MitM) attack.

Because the decrypter accepted server responses without any integrity check, PhishLabs researchers used the MitM technique to feed the decryption tool the information that allowed them to decrypt victims' files for free. The researchers were successful because the author failed to implement protection or obfuscation in the payload and decrypter. Furthermore, researchers suggest that the malware author might be new to the threat scene.

“Shortly after the payload’s distribution into the wild, the command and control server began responding with a 500 internal server error, leaving victims unable to decrypt their files. The infrastructure surrounding this campaign was not very robust and ultimately resulted in the downfall of Alma Ransomware's first run. Despite the amateurish nature of Alma Ransomware, this author is not likely to cease production and we should expect to see more from them in the near future,” researchers say.
