GetCrypt Ransomware Brute Forces Credentials, Decryptor Released

Mach1

A new ransomware called GetCrypt is being installed through malvertising campaigns that redirect victims to the RIG exploit kit.  Once installed, GetCrypt will encrypt all of the files on a computer and then demand a ransom payment to decrypt the files.

This ransomware was discovered by exploit kit researcher nao_sec, who alerted BleepingComputer after seeing it being installed via the RIG exploit kit in Popcash malvertising campaigns. When a victim is redirected to a page hosting the exploit kit, malicious scripts try to exploit vulnerabilities found on the computer.

If successful, it will download and install GetCrypt into Windows. You can see an example of the exploit kit infecting a computer from this any.run session.

How GetCrypt encrypts a computer

Security researcher Vitali Kremez who also saw nao_sec's tweet analyzed the ransomware and found some interesting features, which he shared with BleepingComputer. 

When the exploit kit executes the ransomware, GetCrypt will check if the Windows language is set to Ukrainian, Belarusian, Russian, or Kazakh.  If it is, the ransomware will terminate and not encrypt the computer.

Checking Languages

Otherwise, the ransomware will examine the CPUID of the computer and use it to create a 4-character string, which will be used as the extension for encrypted files. It then clears the Shadow Volume Copies by running the vssadmin.exe delete shadows /all /quiet command.
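The shadow copy deletion is the most reliable early warning in this chain, because it runs before any file is encrypted. The following is an added example (not code from the article or from the ransomware analysis) that scans process-creation records for vssadmin.exe being used to delete shadow copies. The record format, the parent image name dropper.exe and all sample lines are constructed for the demonstration; real Sysmon or Security 4688 events carry the same fields under different layouts.

```python
import re

# Constructed sample process-creation records in a simple key=value layout.
# These imitate Sysmon EventID 1 fields; they are not real captured events.
SAMPLE_EVENTS = [
    'EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe '
    'ParentImage=C:\\Users\\bob\\AppData\\Local\\Temp\\dropper.exe '
    'CommandLine="vssadmin.exe delete shadows /all /quiet"',
    'EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe '
    'ParentImage=C:\\Windows\\System32\\cmd.exe '
    'CommandLine="vssadmin.exe list shadows"',
    'EventID=1 Image=C:\\Windows\\System32\\cmd.exe '
    'ParentImage=C:\\Windows\\explorer.exe '
    'CommandLine="cmd.exe /c dir"',
]

# key=value pairs; a value is either a double-quoted string (may contain
# spaces, as command lines do) or a run of non-whitespace characters.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Any "vssadmin delete shadows" invocation, with or without the .exe suffix
# and regardless of case, is suspicious on a workstation.
SHADOW_DELETE_RE = re.compile(r'vssadmin(?:\.exe)?\s+delete\s+shadows', re.IGNORECASE)


def parse_event(line):
    """Turn one constructed record into a dict, stripping the quotes from values."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def is_shadow_deletion(event):
    """True for a process-creation event whose command line deletes shadow copies."""
    if event.get("EventID") != "1":
        return False
    return bool(SHADOW_DELETE_RE.search(event.get("CommandLine", "")))


def find_shadow_deletions(lines):
    """Return one finding per matching record: who launched it and how."""
    findings = []
    for line in lines:
        event = parse_event(line)
        if is_shadow_deletion(event):
            cmd = event["CommandLine"]
            findings.append({
                "parent": event.get("ParentImage", ""),
                "command": cmd,
                # /quiet suppresses the confirmation prompt; ransomware
                # almost always passes it, interactive admins rarely do.
                "quiet": "/quiet" in cmd.lower(),
            })
    return findings


if __name__ == "__main__":
    for finding in find_shadow_deletions(SAMPLE_EVENTS):
        print(f"shadow copy deletion by {finding['parent']}: {finding['command']}")
```

The parent image is the field worth alerting on: vssadmin.exe launched from a user-writable directory such as %Temp% is a far stronger signal than the same command from an administrator's console.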

It now begins to scan the computer for files to encrypt. When encrypting files it does not target particular file types, but rather encrypts every file that is not located in or under the following folders: 

:\$Recycle.Bin
:\ProgramData
:\Users\All Users
:\Program Files
:\Local Settings
:\Windows
:\Boot
:\System Volume Information
:\Recovery
AppData

According to Michael Gillespie, GetCrypt utilizes the Salsa20 and RSA-4096 encryption algorithms.

When encrypting files, it will append the 4-character extension created previously. For example, on my test run a file named 1.doc was encrypted and then renamed to 1.doc.ELSH as shown below.

GetCrypt Encrypted Files

While encrypting files, GetCrypt will also create a ransom note named # decrypt my files #.txt in each folder that is encrypted and on the desktop. This ransom note advises you to contact [email protected] for payment instructions.
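The folder exclusions, the per-machine 4-character extension and the ransom note dropped into every encrypted folder together give an incident responder enough to inventory the damage without knowing the extension in advance. The script below is an added example, not a tool from the article or from the decryptor author: it walks a drive, prunes the folders GetCrypt skips, locates the ransom notes, infers the appended extension from the renamed files and lists them. The directory layout it builds in a temporary folder (user bob, the ELSH extension from the test run above) is constructed sample data.

```python
import os
import re
import tempfile
from collections import Counter

RANSOM_NOTE = "# decrypt my files #.txt"

# Folders GetCrypt does not encrypt (from the article), relative to the drive
# root; "AppData" is skipped wherever it appears in a path.
SKIPPED_FOLDERS = (
    "$Recycle.Bin", "ProgramData", "Users/All Users", "Program Files",
    "Local Settings", "Windows", "Boot", "System Volume Information", "Recovery",
)

# original-name.ext followed by the appended 4-character extension, e.g. 1.doc.ELSH
ENCRYPTED_NAME_RE = re.compile(r"^.+\..+\.([A-Za-z0-9]{4})$")


def is_skipped(rel_path):
    """True if rel_path (relative to the drive root) lies in an excluded folder."""
    rel = rel_path.replace(os.sep, "/").lower()
    if "appdata" in rel.split("/"):
        return True
    return any(rel == s.lower() or rel.startswith(s.lower() + "/") for s in SKIPPED_FOLDERS)


def build_sample_tree():
    """Create a constructed mini drive layout in a temp dir (sample data only)."""
    root = tempfile.mkdtemp(prefix="getcrypt_triage_")
    layout = {
        "Users/bob/Documents": ["1.doc.ELSH", "budget.xlsx.ELSH", RANSOM_NOTE],
        "Users/bob/Pictures": ["cat.jpg.ELSH", RANSOM_NOTE],
        "Users/bob/Desktop": [RANSOM_NOTE],
        "Windows/System32": ["notepad.exe"],                  # excluded folder, untouched
        "Users/bob/AppData/Roaming": ["encrypted_key.bin"],   # written by the ransomware
    }
    for rel, names in layout.items():
        folder = os.path.join(root, *rel.split("/"))
        os.makedirs(folder, exist_ok=True)
        for name in names:
            with open(os.path.join(folder, name), "wb") as fh:
                fh.write(b"sample")
    return root


def triage(root):
    """Find ransom notes, infer the appended extension and list encrypted files."""
    notes, candidates = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune the folders the ransomware skips; nothing there needs decrypting.
        dirnames[:] = [d for d in dirnames
                       if not is_skipped(os.path.relpath(os.path.join(dirpath, d), root))]
        if RANSOM_NOTE in filenames:
            notes.append(dirpath)
        for name in filenames:
            match = ENCRYPTED_NAME_RE.match(name)
            if match:
                candidates.append((os.path.join(dirpath, name), match.group(1)))
    if not candidates:
        return {"notes": notes, "extension": None, "encrypted": []}
    # The extension is fixed per machine, so the most common suffix is it.
    extension = Counter(ext for _, ext in candidates).most_common(1)[0][0]
    encrypted = sorted(path for path, ext in candidates if ext == extension)
    return {"notes": notes, "extension": extension, "encrypted": encrypted}


if __name__ == "__main__":
    report = triage(build_sample_tree())
    print(f"extension {report['extension']}, {len(report['notes'])} notes, "
          f"{len(report['encrypted'])} encrypted files")
```

Pointing triage() at a mounted drive root gives the list of files to feed to the decryptor once a plaintext/ciphertext pair is available, and the note locations confirm which folders the ransomware reached.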

GetCrypt Ransom Note

GetCrypt will also change your desktop background to the following image, which is stored at %LocalAppData%\Tempdesk.bmp.

GetCrypt Wallpaper

Like many other ransomware infections, GetCrypt will also attempt to encrypt files on network shares during the encryption process. It does so a bit differently, however.

Tries to brute force network account credentials

When encrypting, GetCrypt will utilize the WNetEnumResourceW function to enumerate a list of available network shares. 

If it cannot connect to a share, it will use an embedded list of usernames and passwords to brute force the credentials for the share and mount it using the WNetAddConnection2W function.

Below you can see a list of usernames and passwords that Kremez found in the ransomware when he was analyzing it.

Usernames and Passwords to try

While encrypting unmapped network shares is not unusual, this is the first time we have seen ransomware try to brute force share credentials so that it can connect to them from the infected computer.
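Every WNetAddConnection2W attempt with a wrong password shows up on the file server as a failed network logon (Windows Security event 4625, logon type 3), and a short embedded wordlist produces a burst of failures for many different account names from one workstation within seconds. The detector below is an added example, not from the article: it applies a sliding window per source workstation and raises an alert when the number of distinct usernames tried exceeds a threshold. The log lines, hostnames and account names are constructed sample data; the embedded list Kremez found is not reproduced here.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records modelled on Security event 4625 (failed logon) and 4624
# (successful logon). Columns: timestamp, event id, account name tried,
# source workstation, logon type (3 = network, 2 = interactive).
SAMPLE_LOG = """\
2019-05-22T10:00:01 4625 administrator WS-FINANCE-07 3
2019-05-22T10:00:02 4625 admin WS-FINANCE-07 3
2019-05-22T10:00:02 4625 user WS-FINANCE-07 3
2019-05-22T10:00:03 4625 guest WS-FINANCE-07 3
2019-05-22T10:00:03 4625 backup WS-FINANCE-07 3
2019-05-22T10:00:04 4625 Administrator WS-FINANCE-07 3
2019-05-22T10:00:04 4625 root WS-FINANCE-07 3
2019-05-22T09:58:00 4625 alice WS-HR-02 2
2019-05-22T10:05:00 4624 alice WS-HR-02 2
2019-05-22T10:30:00 4625 alice WS-HR-02 2
"""

WINDOW = timedelta(minutes=5)   # how far back a burst is counted
MIN_DISTINCT_USERS = 5          # one user mistyping twice is not a spray


def parse_log(text):
    """Parse the constructed log into dicts, oldest event first."""
    events = []
    for line in text.splitlines():
        ts, event_id, user, host, logon_type = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "id": int(event_id),
            "user": user.lower(),      # account names are case-insensitive
            "host": host,
            "type": int(logon_type),
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_credential_bruteforce(events, window=WINDOW, min_users=MIN_DISTINCT_USERS):
    """Per source workstation, alert when >= min_users distinct accounts fail
    a network logon inside one window. Returns {host: alert details}."""
    failures_by_host = defaultdict(list)
    for event in events:
        if event["id"] == 4625 and event["type"] == 3:
            failures_by_host[event["host"]].append(event)

    alerts = {}
    for host, failures in failures_by_host.items():
        start = 0
        for end in range(len(failures)):
            # Slide the window start forward until it spans at most `window`.
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            users = {f["user"] for f in failures[start:end + 1]}
            if len(users) >= min_users:
                previous = alerts.get(host)
                # Keep the widest burst seen for this host.
                if previous is None or len(users) > previous["distinct_users"]:
                    alerts[host] = {
                        "distinct_users": len(users),
                        "attempts": end - start + 1,
                        "first": failures[start]["ts"],
                        "last": failures[end]["ts"],
                    }
    return alerts


if __name__ == "__main__":
    for host, alert in detect_credential_bruteforce(parse_log(SAMPLE_LOG)).items():
        print(f"{host}: {alert['distinct_users']} accounts in {alert['attempts']} attempts "
              f"between {alert['first']} and {alert['last']}")
```

The same events, once an alert fires, identify the infected workstation: the source of the burst is the machine running the ransomware, which is where containment should start.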

GetCrypt Decryptor Released

If you were infected with the GetCrypt Ransomware, it is possible to get your files back for free. All you need is an original unencrypted copy of a file that has been encrypted.

If you have an encrypted/unencrypted file pair, simply download the decrypt_GetCrypt.exe program from the following link and save it on your desktop:

Once downloaded, run the decryptor and select an encrypted file and its unencrypted version. Then click the Start button.

GetCrypt Decryptor

GetCrypt Decryptor will now brute force your decryption key and decrypt your files.

GetCrypt Decryptor Download

IOCs

Hashes:

8d833937f4da8ab0269850f961e8a9f963c23e6bef04a31af925a152f01a1169

GetCrypt Associated Files:

# decrypt my files #.txt
%AppData%\encrypted_key.bin
%LocalAppData%\Tempdesk.bmp

Ransom Note Text:

Attention! Your computer has been attacked by virus-encoder!
All your files are now encrypted using cryptographycalli strong aslgorithm.
Without the original key recovery is impossible.

TO GET YOUR DECODER AND THE ORIGINAL KEY TO DECRYPT YOUR FILES YOU NEED TO EMAIL US AT: [email protected]

It is in your interest to respond as soon as possible to ensure the restoration of your files.

P.S only in case you do not recive a response from the first email address within 48 hours,
[encrypted_key]
