A new build of Shade (Troldesh) ransomware comes with a broken PE header that makes PE analysis tools classify it as a non-executable 'MS-DOS EXE' file. As a result, its detection rate on VirusTotal is 1/59.
Thursday, 30 March 2017
Wednesday, 22 March 2017
Fake bills deliver Crypt0L0cker in Sweden
After reporting on the fake emails with finance-related information from banks and the Tax Office in Ukraine that delivered ransomware, we found a similar attack running in Sweden. The archive, allegedly containing a bill, was placed on Dropbox and holds the latest version of Crypt0L0cker (a.k.a. TorrentLocker).
Friday, 17 March 2017
Shade ransomware comes through billing notifications
Over the last week we have seen numerous infections in Ukraine by a new version of the Shade cryptolocker. Shade has been leveraging a cheap and effective email delivery channel: fake emails sent on behalf of Ukrainian financial institutions (e.g. PrivatBank, the Ukrainian Tax Office) from hacked email accounts, most of which belong to organizations in the gov.ua TLD. The subject of these emails is bills or indebtedness that the victim needs to pay.
Wednesday, 15 February 2017
Targeted Attack on the National Police of Ukraine
According to an .eml file uploaded to VirusTotal today, unknown actors attempted a targeted attack on the National Police of Ukraine.
The email (MD5: bec01fe3b14b3da507a6a4c5c698e8ed) was sent to admin@police.gov.ua a week ago, with a fake login page attached as an HTML file (MD5: 5dca48afe347db9e9f9cab9c824c122d).
Thursday, 2 February 2017
Decrypting DeriaLock
Recently, our laboratory analyzed the new version of DeriaLock (MD5: 0a7b70efba0aa93d4bc0857b87ac2fcb).
This version of DeriaLock is unique for two reasons. First, it demands a ransom of 30 USD/EUR paid via a Skype account. Second, DeriaLock combines three types of functionality within a single attack: SystemLocker, CryptoLocker, and FileKiller.
If you managed to remove the DeriaLock infection and kept your encrypted files, you can now start decrypting your documents using the encryption key and initialization vector that our script derived from the password string extracted from the analyzed version of DeriaLock:
AES-256 key: 9c9e1ba2ee5b86494b7e1ebba6420ee6ab64ce6d678604eb5b5049b210693743
IV: 9fa4ed4d89b04ee7f3b74c9b46588e18
To decrypt '.deria' files, you can use the OpenSSL tool, specifying the discovered key and initialization vector. For example:
openssl aes-256-cbc -d -in photo.png.deria -K 9c9e1ba2ee5b86494b7e1ebba6420ee6ab64ce6d678604eb5b5049b210693743 -iv 9fa4ed4d89b04ee7f3b74c9b46588e18 -out photo.png
Or use our Python script or executable to decrypt all '.deria' files found on your computer.
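The single OpenSSL command above recovers one file at a time. The following shell script is an added example, not the lab's own Python script or executable, that applies the same AES-256-CBC key and IV from the post to every '.deria' file under a directory. It assumes the OpenSSL command-line tool is installed; the function names (decrypt_deria_file, decrypt_deria_tree) are the example's own. Each file is decrypted to a sibling with the '.deria' suffix stripped, the encrypted original is kept so a failed attempt loses nothing, and a file that OpenSSL cannot decrypt (corrupt, or encrypted by a different build with another key) is reported and its partial output removed.

```shell
#!/bin/sh
# Added example: bulk decryption of DeriaLock '.deria' files with OpenSSL.
# Key and IV are the values published in the post above (AES-256-CBC).
KEY=9c9e1ba2ee5b86494b7e1ebba6420ee6ab64ce6d678604eb5b5049b210693743
IV=9fa4ed4d89b04ee7f3b74c9b46588e18

# decrypt_deria_file <path.deria>
#   Writes the plaintext next to the input with the '.deria' suffix removed.
#   Returns 0 on success, 1 if OpenSSL rejects the file (bad padding/length),
#   2 if the name lacks the '.deria' suffix, 3 if the output already exists.
decrypt_deria_file() {
    in="$1"
    case "$in" in
        *.deria) ;;
        *) echo "skip: $in (no .deria suffix)" >&2; return 2 ;;
    esac
    out="${in%.deria}"
    if [ -e "$out" ]; then
        echo "skip: $out already exists" >&2
        return 3
    fi
    # -K / -iv take raw hex, so no password derivation is involved.
    if openssl aes-256-cbc -d -in "$in" -K "$KEY" -iv "$IV" -out "$out" 2>/dev/null; then
        echo "decrypted: $in -> $out"
        return 0
    fi
    # OpenSSL leaves a partial file behind on a failed final block; drop it.
    rm -f "$out"
    echo "failed: $in (not decryptable with this key/IV)" >&2
    return 1
}

# decrypt_deria_tree <dir>
#   Walks the directory and decrypts every '.deria' file it finds,
#   continuing past individual failures so one bad file does not stop the run.
decrypt_deria_tree() {
    find "$1" -type f -name '*.deria' -print | while IFS= read -r f; do
        decrypt_deria_file "$f" || true
    done
}

# Usage: sh decrypt_deria.sh /path/to/recovered/files
if [ "$#" -gt 0 ]; then
    decrypt_deria_tree "$1"
fi
```

Run it against a copy of the encrypted data first; because the originals are never deleted, the '.deria' files can be cleaned up afterwards once a few decrypted documents have been opened and verified.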
Sunday, 20 December 2015
VaultCrypt: From Russia with Love
During the last several months the Ukrainian Cyberpolice recorded many VaultCrypt incidents all over the country, so we decided to shed light on the issue. VaultCrypt is a cryptolocker with a scheme similar to TeslaCrypt's, using Tor and Bitcoin for ransom payment, but simpler in implementation.
Tuesday, 22 September 2015
TeslaCrypt 2.1 Analysis: Cracking "Ping" Message
At the beginning of September 2015, we discovered a new version of TeslaCrypt, 2.1, in a customer's network. The sample (MD5: b10d45335b8de97e6bc1d5cc9449c323) was missed by the majority of AV signature engines on VirusTotal: the detection rate was 4/57, which can be explained by code obfuscation that proved effective. The previous TeslaCrypt 2.0 was already well described by Kaspersky Lab, so in this post we use the same naming convention for encryption keys as on Securelist.
TeslaCrypt 2.1 now sends extra information in the C&C request in encrypted form. The list of domains used as "gates" is presented below with a corresponding Yara rule, as well as the mechanism used to encrypt data sent to the remote server, which has not yet been explained anywhere.