Researchers at Check Point Technologies have discovered an ‘offline’ ransomware that encrypts files on the infected machine without communicating with a command and control (C&C) server.
The ransomware which mainly targets Russian users, has been in existence since around June 2014. Since then, a dozen files have been released and the latest among them is CL 18.104.22.168 which was made available in mid-August.
Security products detect various versions of the threat as Ransomcrypt.U(Symantec),Win32.VBKryjetor.wfa (Kaspersky) and Troj/Ransom-AZT (Sophos).
After the threat infects a computer, it encrypts important files after which it changes the desktop background to a message in native language, ‘Russian’ informing the users about their encryption of files.
Victims are then asked to pay between $300 and $380; depending on how fast they pay up, to receive a decryption tool and the key needed to recover their files.
Due to its offline feature and detachment from C&C server, it becomes more difficult for security solutions that identify threats based on their communications to detect and neutralize the malware.
According to Check point researchers, the malware is designed only to encrypt files and it does not have much other functionality. However, its efficiency on its function is high enough which makes it impossible to recover files without paying the ransom.
“▬The beginning (first 30000 bytes) of each file is encrypted using two buffers of digits and letters that are randomly generated on the infected machine. The encryption process includes taking each original byte along with one byte from each of the randomly generated buffers and performing mathematical operations on them.
▬The remainder of each file (if it exists) is encrypted using an RSA public key (“local”) that is randomly generated on the infected machine, along with the matching local RSA private key required for decryption of the data.
▬The randomly generated buffers and the local RSA private key that are required for decryption are added as metadata to each encrypted file, and are then encrypted using three hardcoded RSA 768 public keys that the offender created in advance (“remote”). The matching remote RSA private keys required to unlock the metadata are located on the attacker’s side.”
Ransomware campaigns are highly profitable for cyber criminals who can make huge amounts of cash by encrypting files of Russian users.