CrypBoss, HydraCrypt, UmbreCrypt and other ransomware have been "cracked"
I have previously written briefly about what happens when a computer is infected with ransomware: the malicious program encrypts the files on the machine so that they can no longer be opened normally. Because the victim cannot decrypt the files on their own, the files are effectively lost unless the victim buys the decryption key from the attacker at a high price. Now, however, two ransomware strains have been "cracked", and victims can rescue their own files.
Emsisoft provides the antidote
Put simply, ransomware encrypts the files on a compromised computer with asymmetric encryption (in practice usually a hybrid: a symmetric cipher for the file contents, with the symmetric key protected by the attacker's public key). The files can no longer be opened or read, data appears damaged, and programs no longer run. Because the victim does not know the correct decryption key, the files cannot be decrypted without it, and the only option on offer is to buy the key from the attacker at a high price. If the ransom is not paid within the time limit, the attacker discards the decryption key and the encrypted files are lost for good.
However, the source code of the CrypBoss ransomware was leaked on Pastebin, which gave infected computers a way out. Fabian Wosar, a security researcher at Emsisoft in Austria, analyzed the code, worked out the encryption scheme the ransomware uses, and wrote a decryption program. Files encrypted by CrypBoss and its derivatives (such as HydraCrypt and UmbreCrypt) can be decrypted and restored to their original form.
However, Fabian Wosar also noted that although HydraCrypt and UmbreCrypt use the same algorithm as CrypBoss, their authors made some modifications, so the last 15 bytes of each infected file cannot be restored.
Fortunately, those trailing bytes are rarely important. In many file formats the final bytes are padding or buffer data and can be reconstructed with file-repair software, so there is still a good chance of restoring the files to their original state.
Operating the decryption software is quite simple. You need one of the following two pairs of files:
1. The same file in both encrypted and unencrypted form
2. An encrypted PNG image file and any other PNG image file
Drag either pair onto the decryption software's icon; the tool derives the decryption key from them, and the user can then use that key to restore the infected files.
▲Drag either pair of files onto the decryption software's icon and it analyzes them automatically. (Source: Emsisoft, the same below)
▲After the calculation you obtain the decryption key. Emsisoft recommends first trying the key on a few infected files, and only then restoring all of them.
Download location of the decryption software:
Http://emsi.at/DecryptHydraCrypt
Note: The decryption software and instructions are taken from the official Emsisoft blog. I have not personally tested them.
Another look at the principles
Earlier I argued that the main reason ransomware is hard to crack is that neither its source code nor the algorithm it uses is known. Now that the algorithm is known from the leaked source, the encryption and decryption keys the ransomware uses can be calculated.
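Why one pair of files is enough, as an added illustration (my own toy code, not Emsisoft's decrypter and not the CrypBoss algorithm): once the cipher is known and a single key is reused for every file on the machine, an encrypted/unencrypted pair of the same file is a textbook known-plaintext attack, and the second option from the instructions above works because every PNG begins with the same 16 bytes (the 8-byte signature plus the IHDR chunk header). The model below assumes a hypothetical 16-byte repeating-key XOR cipher; the key, the document and the PNG files are all constructed for the demo.

```python
"""Known-plaintext key recovery against a toy repeating-key XOR cipher.

Hypothetical model for illustration only: this is NOT the CrypBoss/HydraCrypt
algorithm and not Emsisoft's decrypter. It shows why one encrypted/plaintext
file pair, or one encrypted PNG plus any other PNG, is enough to recover a key
once the cipher is known and the key is reused across every file.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Every PNG starts with the 8-byte signature followed by the IHDR chunk header:
# a 4-byte big-endian length (always 13) and the 4-byte chunk type "IHDR".
# These 16 bytes are identical in every PNG file, so any PNG is known plaintext.
PNG_KNOWN_PREFIX = PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR"

KEY_LEN = 16  # toy cipher: one 16-byte key per victim, reused for every file
VICTIM_KEY = bytes.fromhex("5f3a9c01e7b2446d8a19f0c3d5e6b7a8")  # constructed

def toy_encrypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: out[i] = data[i] ^ key[i % len(key)]. Self-inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

toy_decrypt = toy_encrypt

def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int = KEY_LEN) -> bytes:
    """Known-plaintext attack: key = ciphertext XOR plaintext over the first key_len bytes."""
    if min(len(ciphertext), len(known_plaintext)) < key_len:
        raise ValueError(f"need at least {key_len} bytes of ciphertext and known plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len]))

def recover_key_from_png(encrypted_png: bytes, any_png: bytes) -> bytes:
    """Option 2 from the article: the reference PNG only contributes its constant 16-byte prefix."""
    if not any_png.startswith(PNG_KNOWN_PREFIX):
        raise ValueError("reference file is not a PNG")
    return recover_key(encrypted_png, any_png)

def key_is_plausible(key: bytes, encrypted_pngs: list) -> bool:
    """Emsisoft's advice: try the key on a few files before a bulk restore.
    Here the check is that every decrypted sample starts with the PNG signature."""
    return all(toy_decrypt(ct, key).startswith(PNG_SIGNATURE) for ct in encrypted_pngs)

# --- constructed sample files (not real victim data) -------------------------

def _png_chunk(ctype: bytes, data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def make_png(width: int, height: int, gray: int = 0) -> bytes:
    """Minimal valid 8-bit grayscale PNG (IHDR, one IDAT, IEND)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = b"".join(b"\x00" + bytes([gray]) * width for _ in range(height))  # filter 0 per row
    return (PNG_SIGNATURE + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", zlib.compress(raw)) + _png_chunk(b"IEND", b""))

def demo() -> bytes:
    """Walk both recovery options on constructed files; returns the recovered key."""
    document = b"Quarterly figures (constructed sample): revenue up 12%.\n" * 3
    photo = make_png(4, 3, gray=200)
    enc_document = toy_encrypt(document, VICTIM_KEY)
    enc_photo = toy_encrypt(photo, VICTIM_KEY)

    # Option 1: the victim still has an unencrypted copy of one encrypted file.
    key_from_pair = recover_key(enc_document, document)
    # Option 2: any PNG at all (a different image) plus one encrypted PNG.
    key_from_png = recover_key_from_png(enc_photo, make_png(1, 1))
    assert key_from_pair == key_from_png == VICTIM_KEY

    # Validate on a couple of files before touching the whole disk.
    assert key_is_plausible(key_from_png, [enc_photo, toy_encrypt(make_png(2, 2, 7), VICTIM_KEY)])
    assert toy_decrypt(enc_document, key_from_png) == document
    return key_from_png

if __name__ == "__main__":
    print("recovered key:", demo().hex())
```

Note what defeats this attack: a fresh random key for every file, wrapped with the attacker's public key and never reused, leaves a known-plaintext pair with nothing to recover beyond that one file. That is the gap between this toy and ransomware built to Kerckhoffs's principle.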
Yet according to Kerckhoffs's second principle, a system "must not require secrecy, and it must be able to fall into the enemy's hands without inconvenience". Rigorously designed ransomware should therefore not become decryptable merely because its source code leaked.
However, I suspect that another key factor is that the ransomware sends the key information back to the attacker so that the decryption key can be sold to the victim; the decryption software may start from this point to calculate the correct decryption key.