Connect with us

Hi, what are you looking for?



Researchers Use MiTM Attack Against Ransomware Operator

Researchers Help Alma Ransomware Victims Decrypt Files By Using MitM Attack Against Operators

Researchers Help Alma Ransomware Victims Decrypt Files By Using MitM Attack Against Operators

Security researchers have successfully cracked the newly spotted Alma ransomware  to give victims the option to decrypt their files for free.

Distributed via the RIG exploit kit and using a Tor command and control (C&C) server, the malware employed a two-step attack method: after encrypting  files, it pointed the victim to a decrypter that was used to connect to the C&C server. Because of that, security researchers were able to create a man in the middle (MitM) attack to decrypt victim’s files for free.

Alma was observed generating a random 5-character extension immediately after infecting a computer, along with a unique 8-character victim ID that is derived from the serial number of the C: drive and the MAC address of the first network interface. The ransomware uses AES-128 encryption to lock user’s files, and appends the previously generated extension to them.

While targeting a broad range of file types, the ransomware skips those located in folders containing the following strings: $recycle.bin, system volume information, program files, programdata, program files (x86), windows, internet explorer, Microsoft, Mozilla, chrome, appdata, local settings, recycler, msocache, and Unlock_files_.

According to PhishLabs researchers, the malware’s authors are trying to trick users by claiming the malicious file belongs to Apple. Because of this, the user might believe that the alert on the file being malicious might be false. To hinder analysis, the malware uses Address Space Layout Randomization (ASLR) enabled per a flag found in the PE Header, meaning that the operating system randomizes the memory locations of the program to prevent buffer overflow attacks.

The ransomware attempts to resolve an .onion address to check-in and to send specific information on the machine. These details include: the AES-128 private decryption key, encrypted file extensions, user name, name of active network interface, the system Locale ID (LCID), operating system version, victim ID, installed security software, and the time stamp of when the program was started.

After completing the encryption process, the ransomware presents a notice to the user informing them that their files have been encrypted. The malware also generates a personal identifier that is used to identify the victim in the ransom payment. However, there is a second-stage of infection, where the user is presented with the option to download a decrypter that displays the decryption instructions.

Advertisement. Scroll to continue reading.

PhishLabs researchers observed that the decrypter performs a check-in with the C&C when launched, and that this component would send the victim’s personal identifier to the server to inform that the decryption tool has been downloaded. The server will notify the decrypter of the Bitcoin address, multi-character file extension, hours left to pay the ransom, and the cost of the ransom. The victim is given 120 hours to pay the ransom, from the moment the dectrypter has been downloaded.

The ransomware uses un-obfuscated .NET code, which allowed researchers to view the decrypter’s source code and identify the decryption parameters. Next, researchers created their own decryption tool and also managed to hack the communication between the original decrypter and the server after discovering that the tool was vulnerable to a man-in-the-middle (MitM) attack.

Because the responses received from the server could be modified, PhishLabs researchers used the MitM technique to feed the decryption tool the information that allowed them to decrypt victim’s files for free. The researchers were successful because the author failed to implement protection / obfuscation into the payload and decrypter. Furthermore, researchers suggest that the malware author might be new to the threat scene.

“Shortly after the payload’s distribution into the wild, the command and control server began responding with a 500 internal server error, leaving victims unable to decrypt their files. The infrastructure surrounding this campaign was not very robust and ultimately resulted in the downfall of Alma Ransomware’s first run. Despite the amateurish nature of Alma Ransomware, this author is not likely to cease production and we should expect to see more from them in the near future,” researchers say.

Related: Wildfire Ransomware Operators Made $80,000 in One Month


Related: DetoxCrypto Ransomware Sends Screenshots to Operators

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...