Hackers are always looking to find newer ways of exploiting institutions and individuals.
Now researchers in the cyber security community have come out with a warning:
Modern hackers have advanced ways of increasing the level and depth of encryption when it comes to ransomware attacks.
Basically, hackers can and do use unique keys for each and every file their ransomware encrypts on a given victim’s computer machine.
Hackers write this new type of ransomware in Python of all languages.
The cyber security community has called this type of ransomware as CryPy.
Interestingly enough, CryPy is not the first neither the only ransomware that hackers have written in the Python programming language.
Hackers have written many other kinds of malware in Python as well.
Some of those malware types are,
- Fsociety Locker
- Zimbra
- HolyCrypt
Now, all of us know that ransomware is bad.
All of it.
But CryPy is “badder” than most because it is more sophisticated and “evil”.
We say evil because hackers use a strange but brutal practice while using CryPy for ransomware.
As alluded to before, hackers fetch unique encryption keys with which they encrypt files on an individual level on the victim’s computer machine.
This makes the encrypted files very difficult to crack and decrypt.
How Did People Get To Know About CryPy?
It might sound hard to believe but people discovered CryPy with help of nothing but a security flaw in the content management system known as Magento.
This security flaw allowed hackers to first upload and then execute a shell script programmed in PHP to a vulnerable web server in Israel.
This Israeli web server is now the command and control center of the malware.
Hackers use a clear text method to transfer data from the service.
This allows them to launch man-in-the-middle cyber attacks.
Moreover, hackers use a little bit of supplementary PHP scripts.
These make a direct call to the ransomware.
And then the ransomware sweeps in and takes out the victim’s machine.
What’s The Use Of C&C?
Cyber criminals use command and control center to conduct phishing attacks.
They also do lots of other things.
Like, contain the relevant PayPal phishing pages for phishing attacks.
Some believe that the hackers behind such ransomware attacks speak Hebrew.
Kaspersky researchers carried out an analysis and found out that the malware had two main files.
One of those files is encryptor.py and the other is boot_common.py.
Boot_common.py is one form of error that logs on the Windows operating system platform.
While encryptor.py, as the name suggests, plays the role of the actual locker.
Once this malware infects a system, CryPy moves in and disables Registry Tools.
It also disables many other things such as,
- Task Manager
- Run
- CMD
- After the previous three utilities, the malware disables boot status policy and recovery tools.
Only after that, the malware gets to work and start the encryption process.
As mentioned before, each file is encrypted on an individual level with a fresh encryption key.
With that said, Kaspersky researchers still believe that CryPy is in the initial stage of its development process.
Why?
Because the malware, in the form it currently is, has failed to encrypt all files.
That’s probably because the hacker or the threat actor behind the malware has moved to a new server recently.
And as a result, a lot of time has passed since the threat actor updated the malware.
What Happens When A Machine Is Made A Victim?
The system is locked.
And then the ransomware encrypts it.
Then hackers contact the victim and ask the victim to contact them via email.
After that, the victim has to pay hackers a sum of money to buy a decrypting program.
There is a slight chance that if the victim goes through this process, hackers might decrypt a small number of files for free.
In turn, that showcases the malware’s proper functioning.
It also may build some trust between the hackers and the victim.
But essentially this generous act is just to push the victim to pay the full amount from the decryption program.
Symantec researchers have also revealed (earlier this week) that whoever is behind these ransomware attacks, he/she/it is smart.
Why?
Because the ransomware operators have started to switch tactics.
This way, the can now hit an even expansive attack area.
To accomplish that, they use Windows Script Files.
These Windows Script Files help attacks to distribute their ransomware.
With methods such as these, the attacks also ensure that antivirus programs don’t pick up their ransomware.
Let’s All Come Together And Dissect This Thing Called Ransomware
As mentioned before, CryPy comprises of two files.
One is the boot_common.py.
And this file is responsible for actions such as error logging.
The second file is the encryptor.py file.
This one takes care of the locking part.
But the encryptor also performs some other functions.
One of those functions is to make two calls to the main command and control center/server.
The command and control center hides behind a web server that is compromised.
As mentioned before, in this case, that compromised web server is in Israel.
Making use of a known vulnerability, hackers uploaded a PHP script file to the server’s content management system.
With the help of some additional files, they also streamed data from the CryPy ransomware back to the main command and control center.
Hackers also used the same command and control center to launch phishing sites and their Paypal pages.
After the potential victim became a victim, hackers sent the stolen Paypal credential to a different remote server in Mexico.
This server used the same technique for arbitrary file upload.
However, this new Mexico-based server used a different CMS (content management system).
Hackers don’t want to get in trouble for this misdeeds.
Hence they target individuals and institutes who are weak.
A low-hanging-fruit, if you will.
Attackers love targets where they can just come in and inject their malware into the machine to hide their command and control center.
The best example, which took place last March, is the CTB-locker built for web servers.
Ransomware CryPy Analysis
To reverse an executable one has to conduct several checks.
A convenient debugger is immensely helpful in such tasks.
So how do you unpack an unknown packer?
Well, there are universal steps for such an undertaking.
First, you should know that packers use some really popular functions.
One of the most popular of such functions is VirtualAlloc.
To start the unpacking process, one must set a memory breakpoint on these.
Let’s say the breakpoint does indeed hit.
Then the next step has to involve something that switches the mode to user mode.
After that, one has to set a hardware breakpoint when it comes to access.
What will that do?
It will assist in inspecting.
And also to pinpoint where the program initializes the related memory block.
Most of the times though, an executable magic header called MZ appears in the area called memory block.
Some online screenshots have shown the data using VM code, made in Python, in order to execute the code.
The data does that once it is allocated to a memory block.
What Is VM Code?
It is simply a process.
And it creates new sets of instructions when it receives a request from the author.
After that, the central processing unit makes uses of those new sets of instructions to understand specific instructions.
Another file that is used in such processes is py2exe.
This file is simply used to convert the relevant code to x86 assembly.
The x86 is simple an architecture that is used on the CPU to enable it to communicate.
Moreover, the py2exe also loads all the relevant modules right into the memory.
It does that by loading all Python DLLs.
Researchers also found that hackers use py2exe to generate executable files.
How did the researchers come to know that?
Did they find any indicators?
Yes.
They did.
The first one of these indicators came in the form of a stack PUSH instruction.
This instruction added the following to the string:
“PY2EXE_VERBOSE”
For those who don’t know, this is just a module.
And it compiles python scripts to an operating system’s executables (in this case Microsoft Windows).
The popular code-hosting website Github also has a module that reverses all py2exe operations.
It is appropriately called unpy2exe.
What Does This Module Do?
This module reverts the related executable right back to the executable’s original compile code in Python.
That is, the .pyc file.
After the previous step, the executable should have its original format.
Then one needs to use that format to further revert the executable to its original code.
To do that, it is advisable to use EasyPythonDecompiler.
In this state, the executable cannot encrypt the file system.
Why?
Experts believe it is because the hackers may have moved their operations from the current server to a different server.
And we know what happens when hackers do that.
Yes., they delete all the traces of the PHP files that they used in order to collect data from the victim’s computer machine.
Their operation also generates a log file.
This log file is generated only upon exception.
If the hackers are successful in encrypting the victim’s data, then that means the ransomware has encrypted all files with almost all extensions.
Some of which include,
- .pps
- .xml
- .wma
- And many many more. Literally tens of more extensions.
Such ransomware attacks also encrypt wallets based on cryptocurrency such as Bitcoin via encrypted wallet.dat files.
All of the user documents along with other important Windows folders and any/all drives are encrypted with AES plus CBC mode.
After the ransomware finishes the encryption process, it will move forward with removing restore points.
It will then write a README_FOR_DECRYPT.txt file.
After that, the ransomware will execute that file.
This readme file is what the victims call ransom note.
Many media reports have published screenshots where the hackers behind an attack ask the victim to contact them through email.
This email address is the only way in which the victims can gain access to the decryption program.
In a recent incident, the hacker’s email address went a bit like this,
- m4n14k@sigaint dot org
- blackone@sigaint dot org
Some of the screenshots showed that hackers made a lot of grammar mistakes in their ransom notes.
This applied that hackers didn’t have English as their mother tongue.
The headline on the ransom note “IMPORTAN INFORMATION” did not have the letter “T” in front of “IMPORTAN”.
Moreover, the ransom note also had some syntactically inaccurate sentences such as “decrypting of your files”.
People who are fluent in English and understand the rules of the language can certainly find more grammar mistakes in the ransom note.
The ransom note also showed the hackers warning the victim that they would delete files after every six hours.
This is simply a clever approach that advanced hackers use on their victims.
However, the ransom note did not give any proof of decryption.
It also didn’t mention any channel which the victim could use in case a payment process becomes unresponsive.
Experts think that this indicated an executable in its early development stage.
How Does The Ransomware Survive A Reboot?
It does that by a neat key addition to the victim’s registry:
What about the code?
Moreover, what about its location?
Well, the code that is used to add values to the registry resides within functions autorun2() and autorun().
The script does not launch the ransom note until it calls a function, delete_shdaow().
As you can see, the function does not take any arguments.
It simply executes and removes all shadow copies.
It also blocks the recovery tool from creating a backup.
The following code is what we’re talking about here,
os.system(“vssadmin Delete shadows /all /Quiet”)
The file then calls the function autorun2().
This function copies the ransomware to the user’s home directory by access the AppData folder.
It does so with a hardcoded name.
What Is C2 Communication
After inspecting the compromised server and the Magento exploit, security researchers found something interesting:
The hacker uploaded the file in August 2016 and that aligns with the case in hand.
Researchers also found that the upload’s origin had the title Pak Haxor – Auto Xploiter.
It used the email ardiansyah09996@gmail dot com.
Some screenshots in the media also showed that attackers used huge exploiters to attack victims.
These exploiters scanned web servers for potential vulnerabilities and then exploited that vulnerability.
After that, these exploiters visited the same server to increase the scope of their server control.
Hackers drop additional PHP scripts in order to refine the more sophisticated of their attacks.
This is what they did with the CryPy ransomware.
One can find many of such shell scripts in the CryPy Python code.
Hackers usually hardcode them.
Readers should also know that such shells scripts come in the form of GET requests.
After the request is attached with two parameters, it is sent to the shell script.
This script is then uploaded via Auto Exploiter.
And it has the name victim.php.
To understand the data type that hackers present in base64 encoding format, one has to review the relevant Python code.
Some screenshots show that the configurl parameter actually manages to accept a URL query string.
This is there the info parameter’s victim_info input value is derived.
And it is derived from the module known as platform.
If one needs to return an ordered list of,
- Processor values
- Machine values
- Version values
- Release values
- Node values
- System values
then one must use the uname() function.
All of these values are usually encoded with base64.
Tie parameter ip contains the socket.gethostname() and it collects the IP address.
After these steps are performed, the querystring is sent to urllib.urlopen().
And when that is done, the GET request is sent to a chosen server.
Then the urllib.urlopen() reads the response content right into glob_config.
What Does The Response Contain?
The response has a JSON format payload.
The payload is also checked for keys.
These keys are as follows,
- x_ID – this is the victim’s ID. Every victim has a unique one.
This is the only way the victim can request the decryption keys that hackers give them after confirming the payment. - x_UDP – unused
- x_PDP – unused
There is a second call as well.
It is implemented in generate_file() function.
This function’s core responsibility is to fetch the unique key that is used for each file before the encryption process.
Hackers nowadays want to show integrity and trust.
And that’s why new lockers give victims the chance to decrypt a few files before they can process the full payment.
hackers want to prove their decryptors validity and that’s why they allow partial decryption before the full one.
Hackers have to generate a unique token for each file before they can randomly decrypt a file.
Researchers also found a PHP script in the code by the name of savekey.php.
Various screenshots show that it has the C2 IP contained within it.
Researchers couldn’t find more information about it because hackers had it delete way before any of the researchers could study it.
Just like the first call, the second all also sent two parameters.
The first parameter is actually the file’s name while the other represents the victim’s unique ID.
When the server receives the call, it returns two keys as a response.
These two keys are,
- X: this is just a key. A unique one. It is appended to each file’s header after encryption.
- Y: this represents a new file name. Instead of the previous one, this one is stored.
The two parameters presented above are then sent to the encryption process.
The file’s original name is also sent.
And that’s how hackers exploit their victims.